CodeIgniter escape query

Source: Internet
Author: User
The CodeIgniter framework provides the Active Record class for database operations. This mode is generally preferred because the database layer automatically escapes the data it receives, which makes it easy to run queries safely.

However, Active Record cannot express every query. When you write SQL statements yourself and pass them to the query method, the values embedded in them are not escaped automatically, so the filtering has to be done by hand. That is what the escape functions are for.

It is good security practice to escape data before submitting it to your database. CodeIgniter provides three functions to help you with this.

1. The $this->db->escape() function checks the data type and escapes only string-type data. In addition, it automatically encloses the value in single quotes, so you do not need to add them manually.

The usage is as follows:


$sql = "INSERT INTO table (title) VALUES(".$this->db->escape($title).")";

View the function source code:

function escape($str)
{
    if (is_string($str))
    {
        $str = "'".$this->escape_str($str)."'";
    }
    elseif (is_bool($str))
    {
        $str = ($str === FALSE) ? 0 : 1;
    }
    elseif (is_null($str))
    {
        $str = 'NULL';
    }

    return $str;
}

2. $this->db->escape_str() escapes the incoming data regardless of its type, and does not add quotes. More often you will use the function above instead of this one.

The usage of this function is as follows:

$sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";

View the function source code:

/**
 * Escape String
 *
 * @access  public
 * @param   string
 * @param   bool    whether or not the string will be used in a LIKE condition
 * @return  string
 */
function escape_str($str, $like = FALSE)
{
    if (is_array($str))
    {
        foreach ($str as $key => $val)
        {
            $str[$key] = $this->escape_str($val, $like);
        }

        return $str;
    }

    if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id))
    {
        $str = mysql_real_escape_string($str, $this->conn_id);
    }
    elseif (function_exists('mysql_escape_string'))
    {
        $str = mysql_escape_string($str);
    }
    else
    {
        $str = addslashes($str);
    }

    // escape LIKE condition wildcards
    if ($like === TRUE)
    {
        $str = str_replace(array('%', '_'), array('\\%', '\\_'), $str);
    }

    return $str;
}
3. $this->db->escape_like_str() should be used when a string is going to be used in a LIKE condition, so that the LIKE wildcards ('%', '_') in the string are escaped as well.

Example:

$search = '20% raise';
$sql = "SELECT id FROM table WHERE column LIKE '%".$this->db->escape_like_str($search)."%'";

View source code:

function escape_like_str($str)
{
    return $this->escape_str($str, TRUE);
}
We can see that both the first and third methods actually call the second method, escape_str(). Note also that escape_like_str(), like escape_str(), does not add the surrounding single quotes, which is why the example above writes them explicitly.
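To show what the third function actually protects against, here is an added example (not CodeIgniter code) that rebuilds the LIKE search from point 3 against an in-memory SQLite table. The quote escaping uses SQLite's convention (doubling the quote) instead of mysql_real_escape_string(), but the wildcard escaping is the same as escape_like_str(); the table rows and search terms are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original page).
TITLES = ["20% raise approved", "20 raise", "200 raise", "Jim's 20% raise", "Quarterly raise"]


def escape_str(s: str) -> str:
    """Make a string safe inside single quotes. CodeIgniter delegates this to
    mysql_real_escape_string(); SQLite's convention is to double the quote."""
    return s.replace("'", "''")


def escape_like_str(s: str) -> str:
    """Mirror of CodeIgniter's escape_like_str(): escape_str() plus the LIKE
    wildcards, so '%' and '_' match themselves instead of arbitrary text."""
    return escape_str(s).replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO t (title) VALUES (?)", [(x,) for x in TITLES])
    return conn


def search(term: str, escape_wildcards: bool) -> list[str]:
    """Build the LIKE query from the page, with or without wildcard escaping."""
    pattern = escape_like_str(term) if escape_wildcards else escape_str(term)
    # MySQL treats backslash as the LIKE escape character by default; SQLite
    # does not, so the ESCAPE clause is needed for the backslashes to count.
    sql = f"SELECT title FROM t WHERE title LIKE '%{pattern}%' ESCAPE '\\' ORDER BY id"
    return [row[0] for row in make_db().execute(sql)]


if __name__ == "__main__":
    # Without wildcard escaping the '%' in the search term matches anything,
    # so "20 raise" and "200 raise" are returned as well.
    print("escape_str only:  ", search("20% raise", escape_wildcards=False))
    print("escape_like_str:  ", search("20% raise", escape_wildcards=True))
```

Run against a different engine, check what that engine uses as the LIKE escape character before relying on the backslashes escape_like_str() inserts.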
