Question
I just inherited a project because the last developer left. The project is built off of Code Igniter. I've never worked with Code Igniter before.
I took a quick look at the code and I see database calls in the controller like this:
$dbResult = $this->db->query("SELECT * FROM users WHERE username = '".$_POST['user_name']."'");
Or calls like this:
$dbResult = $this->db->query("SELECT * FROM users WHERE username = '".$this->input->post('username')."'");
Does Code Igniter automatically sanitize these queries to prevent SQL injection?
Recommended answer
CodeIgniter DOES ESCAPE the variables you pass when using the $this->db->query method, but ONLY when you pass the variables as binds. Here's an example:
$dbResult = $this->db->query("SELECT * FROM users WHERE username = ?", array($this->input->post('username')));
Also remember that $_POST shouldn't be preferred over $this->input->post, since what it does is check whether the variable exists to prevent errors.
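As an added example (not code from the question or the answer), here is how the inherited controller method could be rewritten on CodeIgniter 3.x using the bind form the answer describes, alongside Query Builder and explicit escaping; the class name, method name and the `users`/`username` schema from the question are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a CodeIgniter 3.x
// install with the database library autoloaded and a 'users' table with
// a 'username' column (as in the question).
defined('BASEPATH') OR exit('No direct script access allowed');

class Users extends CI_Controller
{
    public function lookup()
    {
        // input->post() returns NULL when the field is absent (no
        // "undefined index" notice); TRUE also runs CI's XSS filter.
        $username = $this->input->post('username', TRUE);
        if ($username === NULL || $username === '') {
            show_error('username is required', 400);
        }

        // VULNERABLE, as found in the inherited code: the value is
        // concatenated into the SQL string and never escaped, so a
        // username containing a quote character rewrites the WHERE clause.
        // $unsafe = $this->db->query(
        //     "SELECT * FROM users WHERE username = '" . $username . "'");

        // FIX 1: binds. Each ? is replaced by the escaped value, so the
        // input is only ever compared as a string literal.
        $bound = $this->db->query(
            "SELECT * FROM users WHERE username = ?", array($username));

        // FIX 2: Query Builder escapes the values it places in WHERE.
        $qb = $this->db->get_where('users', array('username' => $username));

        // FIX 3: if the SQL must be assembled by hand, escape explicitly.
        // escape() adds the surrounding quotes itself.
        $escaped = $this->db->query(
            "SELECT * FROM users WHERE username = " . $this->db->escape($username));

        // All three variants produce the same, injection-safe query.
        $this->output->set_content_type('application/json')
                     ->set_output(json_encode($bound->result_array()));
    }
}
```

The concatenated form is kept only as a comment so the difference is visible side by side; the three live queries are interchangeable.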
That concludes this article on "Does CodeIgniter automatically prevent SQL injection?"; we hope the recommended answer helps.