ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Do I really need to sanitize input from URL?

September 06, 2013 10:15pm

  • #1 / Sep 06, 2013 10:15pm

    wildgoatcheese

    2 posts

    Hi,

    I am writing SQL queries in CodeIgniter that use variables from URL.  So, example:

    URL/page/id

    SELECT * 
    FROM table
    WHERE id=$id

    As a test I put a ’ escape character in my URL and CodeIgniter gives the message “The URI you submitted has disallowed characters.”

    So I am wondering, do I really need to escape these variables?  CodeIgniter seems to be handling this already.  Thank you.

  • #2 / Sep 07, 2013 12:07am

    PravinS

    123 posts

    For security reasons CodeIgniter has disallowed some characters; check the config.php file for this option:

    $config['permitted_uri_chars']

    You can append the characters which are required for you.


  • #3 / Sep 07, 2013 12:25pm

    wildgoatcheese

    2 posts

    Actually, I prefer if CodeIgniter disallows these characters. I am wondering if I still need to escape the variables in the SQL query with $this->db->escape($id) since CodeIgniter is already forbidding harmful characters from passing through the URL.

    Thanks.

  • #4 / Sep 07, 2013 12:45pm

    CroNiX

    4713 posts

    If you use Active Record, they get escaped going in.

  • #5 / Sep 07, 2013 8:06pm

    wildgoatcheese

    2 posts

    I’m writing straight SQL queries with $query = $this->db->query('SELECT ...'). It seems I don’t need to escape variables since apostrophes can’t pass through URLs. Not sure if there is a way for a hacker to circumvent it.

  • #6 / Sep 07, 2013 9:18pm

    CroNiX

    4713 posts

    If you’re not using active record, you should manually escape all input.

  • #7 / Sep 08, 2013 7:50am

    soupli

    10 posts

    Read up on this article; maybe it helps you with making such decisions in the future.

    http://web.securityinnovation.com/appsec-weekly/blog/bid/56172/Assume-All-Web-Application-Input-is-Malicious

  • #8 / Sep 11, 2013 8:13am

    jonez

    174 posts

    I’m writing straight SQL queries with $query = $this->db->query('SELECT ...'). It seems I don’t need to escape variables since apostrophes can’t pass through URLs. Not sure if there is a way for a hacker to circumvent it.

    Using straight SQL without escaping input is a really bad idea. Typically when someone tries an SQL injection they will submit special strings through forms, such as a login or search form. Apostrophes can pass through URLs: when someone submits a form with name=“D’ni” it is encoded as part of the URL, then decoded by CI, so putting a ’ in the URL bar doesn’t simulate an injection attempt.

    If you don’t sanitize your input, eventually a bot will find you. When it does, your only option will be to take down your site and manually fix every single DB query that is not escaped.

    CI makes parametrized queries easy, even if you don’t want to use Active Record or an ORM.

    Here’s an example:

    $sql = "
     SELECT 
      c.*, 
      s.name AS state_name, 
      cs.name AS country_name 
     FROM 
      clients c 
      LEFT JOIN states s ON c.state_id = s.id 
      LEFT JOIN countries cs ON c.country_id = cs.id 
     WHERE 
      c.id = ?
    ";
    
    $query = $this->db->query( $sql, array( $client_id ) )->row_array( );
    return $query;
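    The point made in #8 (a percent-encoded apostrophe passes the URI filter and is decoded back before it reaches your query) can be checked outside CodeIgniter. The following is an added example, not code from the thread or from the CodeIgniter project: it assumes plain PHP with the pdo_sqlite extension, and uses PDO with the same "?" placeholder convention that $this->db->query($sql, array(...)) uses, since the CI database object is not available stand-alone. The table and the query string are constructed sample data.

```php
<?php
// Added example (assumes PHP with pdo_sqlite; PDO stands in for CodeIgniter's $this->db).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO clients (id, name) VALUES (1, 'Alice'), (2, 'D''ni')"); // constructed rows

// A GET form submission: the browser percent-encodes the apostrophe, so the raw URL
// contains no "'" and is not caught by permitted_uri_chars. The framework then decodes it.
$raw_query_string = "name=D%27ni";   // constructed sample, as the browser would send it
parse_str($raw_query_string, $params);
$name = $params['name'];             // now "D'ni": the apostrophe is back in the value

// 1. Interpolating the decoded value into the SQL string (the pattern from post #1).
//    The quote reaches the SQL parser as syntax, which is exactly what makes injection possible.
$interpolated = "SELECT * FROM clients WHERE name = '$name'";
try {
    $pdo->query($interpolated);
    echo "interpolated query ran\n";
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}

// 2. Binding the value with a "?" placeholder, the same shape as
//    $this->db->query($sql, array($name)) in CodeIgniter. The value is sent as data,
//    never parsed as SQL, so the apostrophe is simply part of the name.
$stmt = $pdo->prepare("SELECT * FROM clients WHERE name = ?");
$stmt->execute(array($name));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "bound query found: " . $row['name'] . "\n";

// 3. For a numeric URL segment such as /page/id, validating the type before the query
//    is a cheap extra check on top of binding (this helper is illustrative, not a CI API).
function client_id_from_segment($segment)
{
    return ctype_digit((string) $segment) ? (int) $segment : null;
}
var_dump(client_id_from_segment("42"));      // int(42)
var_dump(client_id_from_segment("42 OR 1")); // NULL
```

    Run with php example.php: step 1 reports a syntax error from the stray quote (or, with a differently shaped value, would run a statement you did not write), while step 2 returns the D’ni row intact. The URI filter only ever saw the percent-encoded form, so it is not the layer that protects the query.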