CodeIgniter escape query

The CodeIgniter framework provides the ActiveRecord mode to operate databases. you also prefer this mode, because the database operating system automatically performs escape filtering on data in this mode, this helps us perform secure database operations.

The CodeIgniter framework provides the Active Record mode to operate databases. you also prefer this method, because the database operating system automatically performs escape filtering on data in this mode, this helps us perform secure database operations.

However, in terms of data query, Active Record does not directly write SQL statements on its own, but does not use its own SQL statements to query the system. by default, it does not perform security operations on data, we need to manually perform some security filtering operations, then we need to use the escape query.

It is a good security practice to escape data and submit it to your database. CodeIgniter provides three functions to help you complete this task.

1. The $ this-> db-> escape () function determines the data type to escape only string-type data. In addition, it will automatically enclose data in single quotes, so you do not need to manually add single quotes

The usage is as follows:

$sql = "INSERT INTO table (title) VALUES(".$this->db->escape($title).")";

View the function Source code:

function escape($str){if (is_string($str)){$str = "'".$this->escape_str($str)."'";}elseif (is_bool($str)){$str = ($str === FALSE) ? 0 : 1;}elseif (is_null($str)){$str = 'NULL';}return $str;}

2. $ this-> db-> escape_str () this function will escape incoming data regardless of the data type. More often, you will use the above function instead of this function.

The usage of this function is as follows:

$sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";

View the function Source code:

/** * Escape String * * @accesspublic * @paramstring * @paramboolwhether or not the string will be used in a LIKE condition * @returnstring */function escape_str($str, $like = FALSE){if (is_array($str)){foreach ($str as $key => $val){$str[$key] = $this->escape_str($val, $like);}return $str;}if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id)){$str = mysql_real_escape_string($str, $this->conn_id);}elseif (function_exists('mysql_escape_string')){$str = mysql_escape_string($str);}else{$str = addslashes($str);}// escape LIKE condition wildcardsif ($like === TRUE){$str = str_replace(array('%', '_'), array('\\%', '\\_'), $str);}return $str;}

3. $ this-> db-> escape_like_str () This method shocould be used when strings are to be used in LIKE conditions so that LIKE wildcards ('% ','_') in the string are also properly escaped.

Example:

$search = '20% raise';$sql = "SELECT id FROM table WHERE column LIKE '%".$this->db->escape_like_str($search)."%'";

View source code:

function escape_like_str($str){return $this->escape_str($str, TRUE);}

We can see that both the first and third methods actually call the second method.