In my project I use $this->input->(get|post) to pass data to models. In models I always use active records. Is this enough to prevent sql inje开发者_如何学运维ctions ?
No, it isn't. Edit: Yes it is...didn't see your comment about you using active records. You either need to escape your inputs manually using PHP's or CodeIgniter's escaping functions or you should be using CodeIgniter's query bindings or you can use CodeIgniter's Active Record class. I prefer to do the query bindings as it a) makes my queries look nicer and b) ensures that all of my inputs are cleansed prior to being run in MySQL.
http://ellislab.com/codeigniter/user_guide/database/queries.html
This works like this:
$qStr = "SELECT * FROM students WHERE id=?";
$q = $this->db->query($qStr, array($id);
CodeIgniter will recognize what type of data your variable is, and wrap it accordingly. That is, if it's a string, it will put ' and ' around the escaped value in the SQL, which is what you need to ensure that users can't inject anything malicious.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论