I am working with "REST APIs/web services" in CodeIgniter, and I want to make the API secure.
So for this purpose I am using the following query (for example):
$sql = "INSERT INTO table (title) VALUES(".$this->db->escape($title).")";
I want to know whether the above way is enough to prevent SQL injection using CodeIgniter, or whether there should be something more?
Your problem is perfectly solvable with CodeIgniter's query builder.
In your case it would look like:
$arrData = [
'title' => $title
];
$this->db->insert('table', $arrData);
As mentioned, CodeIgniter comes with a built-in query builder. I strongly suggest using it because it makes your life much easier. If you use it you are protected against SQL injections.
Take a look at their documentation and study it carefully - here is the link.
Sorry to ask such a stupid question. I'm new to CodeIgniter. I found that CodeIgniter doesn't support prepared statements. I know that if you don't use prepared statements, you can easily get SQL injected. I'm here just to ask experienced CodeIgniter users: how do you write your queries? Inside my model I have the following code that works.
public function get_credentials($userid){
$query = $this->db->query("SELECT * FROM users WHERE id = ?", array($userid));
return $query;
}
I think my website is safe while I'm using the bind parameter above. But I still need some advice on how to do this as securely as possible. I never access my models from my views folder. I only access them from my controllers and pass the data to my pages. If there is something more that I need to know, please give me advice. Thank you for your time.
Is it safe to load data into the model via load() method?
In $model there are only name and email properties, which have only the "string" validator.
if ($model->load(Yii::$app->request->post()) && $model->save()) {
    // load() returned true and save() passed validation and inserted the row
}
When I do something like shown above, is it safe against SQL injection?
Yes it is! (sorry I couldn't resist the joke).
Actually the model is an abstraction from the database, so it does not care about what DB you are using and/or what problems could occur. Usually, in Yii2 most of the DB operations occur via ActiveRecord, which uses PDO prepared statements that prevent SQL injection attacks.
If you won't be using ActiveRecord though, I recommend you to read this.
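To make the answer concrete, here is the pattern the question asks about written out in full, with the parenthesis of the original snippet placed correctly. This is an added example for this page, not code from the poster or from the Yii project; it assumes a Yii2 application with a `user` table, and the `User` model, its `name` and `email` attributes, and the `UserController` actions are constructed for illustration. The two classes would normally live in separate files.

```php
<?php
// ---- file: models/User.php (constructed for this example) ----
namespace app\models;

use yii\db\ActiveRecord;

class User extends ActiveRecord
{
    public static function tableName()
    {
        return '{{%user}}';
    }

    // Only attributes that appear in rules() are "safe" for mass assignment.
    // load() silently drops any other key in the POST body, so a client cannot
    // set columns you did not list here. Validation itself runs inside save().
    public function rules()
    {
        return [
            [['name', 'email'], 'required'],
            [['name', 'email'], 'string', 'max' => 255],
            ['email', 'email'],
        ];
    }
}

// ---- file: controllers/UserController.php (constructed for this example) ----
namespace app\controllers;

use Yii;
use yii\web\Controller;
use app\models\User;

class UserController extends Controller
{
    public function actionCreate()
    {
        $model = new User();

        // Corrected form of the snippet in the question: load() takes the POST
        // array and returns bool; save() validates and then issues an INSERT
        // through PDO with bound parameters, so values never become SQL text.
        if ($model->load(Yii::$app->request->post()) && $model->save()) {
            return $this->redirect(['view', 'id' => $model->id]);
        }
        return $this->render('create', ['model' => $model]);
    }

    public function actionFind($email)
    {
        // Hash-format condition: the value is bound as a parameter.
        $users = User::find()->where(['email' => $email])->all();

        // Raw SQL stays safe as long as values go through named parameters
        // instead of being interpolated into the string.
        $rows = Yii::$app->db->createCommand(
            'SELECT id, name FROM {{%user}} WHERE email = :email',
            [':email' => $email]
        )->queryAll();

        return $this->asJson(['active_record' => $users, 'command' => $rows]);
    }
}
```

The protection in `actionCreate()` comes from two separate places: `rules()` limits which attributes `load()` will assign, and ActiveRecord binds every assigned value when `save()` builds the INSERT. Writing a condition as a string with the variable concatenated into it, for example `where("email = '$email'")`, bypasses the binding entirely and is the one way to reintroduce injection in this setup.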
I'm looking over inherited code with the following (partial) class:
class Model_UserGenre extends Zend_Db_Table_Abstract {
    // ...
    // Method name assumed here; the original excerpt shows only the body.
    public function findUserIdsByGenre($genreID)
    {
        $select = $this->select()->from(array('ug' => $this->_name), array('user_id'))
            ->where('genre_id IN (?)', $genreID)
            ->orWhere('sub_genre_id IN (?)', $genreID)
            ->group(array('ug.user_id'));
        $result = $this->fetchAll($select);
        return $result;
    }
    // ...
}
This is just sample code. I am unfamiliar with Zend and have tried to read up on the Zend DB methods cursorily, but to me it seems unnecessarily complicated vs. just putting in the query string when I am not using a fully dynamic query.
Does Zend, especially in this case, present some kind of dynamic capability or efficiency that a direct mysqli or PDO query does not?
Thanks and sorry for the noobish question.
The query builder is just there as a usability layer on top of a PDO. It provides some convenient functionality a PDO does not, like dealing with IN statements. It is also there to implement the adapter design pattern, where your database driver can be very easily swapped out.
Essentially, a PDO will still require you to write raw SQL, whereas the query builder will do that for you. Any SQL generated by the query builder will be valid for any SQL adapter the query builder supports (e.g. PostgreSQL, MySQL, SQLite).
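The "dealing with IN statements" point is easiest to see by doing it by hand. Below is the same query as the inherited Zend code written against plain PDO, which is the work `select()->where('genre_id IN (?)', $genreID)` hides: PDO has no array binding, so one placeholder per value has to be generated and each value bound separately. This is an added example for this page, not code from the poster or from Zend Framework; it runs against an in-memory SQLite database, and the `user_genre` table and its rows are constructed for illustration.

```php
<?php
// Added example. Plain PDO + SQLite in memory; schema and data are constructed.

function userIdsByGenre(PDO $pdo, array $genreIds): array
{
    if ($genreIds === []) {
        return [];              // "IN ()" is a syntax error, so short-circuit
    }
    // Only the placeholder list is generated from the array; the values
    // themselves are bound, so the SQL text depends on the count, never
    // on the content.
    $marks = implode(',', array_fill(0, count($genreIds), '?'));
    $sql = "SELECT DISTINCT user_id FROM user_genre
            WHERE genre_id IN ($marks) OR sub_genre_id IN ($marks)";
    $stmt = $pdo->prepare($sql);

    // Each IN list needs its own copy of the values; bind them as integers
    // so a non-numeric string cannot reach the engine as anything else.
    $params = array_merge($genreIds, $genreIds);
    foreach ($params as $i => $id) {
        $stmt->bindValue($i + 1, (int) $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_genre (user_id INTEGER, genre_id INTEGER, sub_genre_id INTEGER)');
$ins = $pdo->prepare('INSERT INTO user_genre VALUES (?, ?, ?)');
foreach ([[1, 10, 11], [2, 20, 10], [3, 30, 31]] as $row) {
    $ins->execute($row);
}

print_r(userIdsByGenre($pdo, [10]));       // genre_id or sub_genre_id 10
print_r(userIdsByGenre($pdo, [11, 30]));   // several ids, placeholders expand to match
print_r(userIdsByGenre($pdo, []));         // empty list handled without hitting the DB
```

The placeholder expansion, the duplicated parameter list and the empty-array case are exactly the details a builder such as Zend_Db_Select takes off your hands; for a query this small the raw PDO version is fine, but the builder's value is that it gets these right for every dynamic list in the code base and emits the correct quoting for whichever adapter is configured.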
I have heard (thanks to SO) that the mysql_* family of functions is vulnerable to SQL injections, so it is always recommended to use the mysqli_* or PDO approach.
So, I tried to trace out which of these approaches is used in CodeIgniter, as I have been using CI for 4 months. But I could not figure it out.
Can anybody tell me which of these or any other approach is used in CI?
Thanks in advance.
CodeIgniter uses whichever method you choose, based on your config/database.php file. For example, if you choose mysqli as your driver, it will use the mysqli family of functions. If you choose mysql, it will use the mysql family, and so on.
There is a PDO driver, but it's not the most stable thing in the world in the current releases.
If you're using the "active record" functions in CodeIgniter (which should really be called "query builder" functions, since they don't follow the Active Record pattern), then all of your data is automatically sanitized with the appropriate functions. If you say, for example, $this->db->where('field', $value), and you're using the mysqli driver, CodeIgniter will automatically call mysqli_real_escape_string on the $value input you pass to it, rendering the query safe.
I should also note that this automatic sanitization only applies to the active record helper functions, like $this->db->get and the like. If you try to run your own query using $this->db->query("SELECT * FROM table WHERE field = '" . $field . "'") then you need to take care to protect yourself, since you're bypassing CodeIgniter's security mechanisms. Running a query directly with the query() method is like saying "don't worry, I know what I'm doing." You need to specifically ask CodeIgniter to sanitize certain values for you by calling $this->db->escape() or its related functions. If you just concatenate variables into your query, then you're going to open yourself up to SQL injections.
I was wondering if, when using the database library in CodeIgniter, there was a way to automatically escape all the inputs to prevent injection. I know I can use mysql_real_escape_string() to do it, but I wondered if this was already set up to do this automatically; if not, are there any frameworks that have this included?
Thanks!
In order to use prepared statements, you can simply use query bindings with CodeIgniter.
$query = 'SELECT id, name FROM user WHERE name = ?';
$bind = array('Jake');
$this->db->query($query, $bind);
More info found here.
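The CodeIgniter answers on this page describe three mechanisms: `$this->db->escape()` in a hand-written string, `?` query bindings, and the query builder. The model below puts all three side by side with the unsafe concatenation they replace, and adds the one case none of them handles. This is an added example written for this page, not code from any of the posters or from the CodeIgniter project; it assumes a CodeIgniter 3 application with the database library loaded, and the `users` table, its columns and the `User_model` class are constructed for illustration.

```php
<?php
// Added example for a CodeIgniter 3 application (constructed; not from the page).
defined('BASEPATH') OR exit('No direct script access allowed');

class User_model extends CI_Model
{
    // UNSAFE: the value is spliced into the SQL text, so the driver cannot
    // distinguish data from syntax. Shown only as the "before" case.
    public function find_by_name_unsafe($name)
    {
        $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
        return $this->db->query($sql)->result_array();
    }

    // Option 1: escape(). It escapes AND quotes string values itself, so the
    // call is not wrapped in extra quotes (doing so would double them and
    // break on a name such as O'Brien).
    public function find_by_name_escaped($name)
    {
        $sql = 'SELECT id, name FROM users WHERE name = ' . $this->db->escape($name);
        return $this->db->query($sql)->result_array();
    }

    // Option 2: query bindings. Each ? is replaced, in order, by the escaped
    // and quoted value before the query is sent.
    public function find_by_name_bound($name)
    {
        $sql = 'SELECT id, name FROM users WHERE name = ?';
        return $this->db->query($sql, array($name))->result_array();
    }

    // Option 3: query builder. Values and identifiers are escaped for the
    // configured driver, and the same code runs unchanged on another driver.
    public function find_by_name_builder($name)
    {
        return $this->db->select('id, name')
                        ->where('name', $name)
                        ->get('users')
                        ->result_array();
    }

    public function insert_user($name, $email)
    {
        $this->db->insert('users', array('name' => $name, 'email' => $email));
        return $this->db->insert_id();
    }

    // What escaping does NOT cover: identifiers and SQL keywords chosen by the
    // caller. A column name taken from user input has to be whitelisted;
    // escape() is for values, not for pieces of SQL syntax.
    public function list_sorted($column)
    {
        $allowed = array('id', 'name', 'email');
        if (!in_array($column, $allowed, true)) {
            $column = 'id';
        }
        return $this->db->order_by($column, 'ASC')->get('users')->result_array();
    }
}
```

Two things worth knowing when choosing between the options: in CodeIgniter 3 the `?` bindings are substituted client-side with the driver's escaping function rather than sent as server-side prepared statements, so for values they are equivalent to `escape()`, just harder to get wrong; and whichever option you use, anything that is structurally part of the query (table names, column names in `ORDER BY`, sort direction) still needs a whitelist like the one in `list_sorted()`.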
CakePHP runs all model queries through its own methods; if you use the model methods it automatically sanitizes any data passed to the query for you, i.e.
$options['conditions'] = array('Product.status' => $status);
$this->Product->find('first', $options);
Right, pretty much all frameworks that implement any sort of database abstraction/ORM layer will automatically mysql_real_escape your queries. If you don't want to use an entire framework, consider a generic ORM library like Propel or Doctrine. Alternatively, look into prepared statements.