I am new to the codeigniter framework and im makeing a few queries my question is what is the best way to keep my queries safe. Should I use mysql_real_escape_string or is there some better way.
I use the following code for my inserts:
function createCustomer($data){
$this->firstname = $data['firstname'];
$this->lastname = $data['surname1'].' '.$data['surname2'];
$this->address = $data['adres'];
$this->zipcode = $data['zipcode'];
$this->mail = $data['mail'];
$this->phonenumber = $data['phonenumber'];
$this->db->insert('Klant',$this);
//Check if the change was succesfull
return ($this->db->affected_rows() != 1) ? false : true;
}
And the following code for gets:
function getUserByName($firstname, $lastname){
$query = $this->db->get_where('Customer', array('firstname' => $firstname, 'lastname' => $lastname));
return $query->result();
}
What would be the best way to prevent sql injection? Any tips are welcome.
The best way to do is Open the file config.php file location application/config
make the following code to true
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = FALSE;to
|--------------------------------------------------------------------------
| Global XSS Filtering
|--------------------------------------------------------------------------
|
| Determines whether the XSS filter is always active when GET, POST or
| COOKIE data is encountered
|
*/
$config['global_xss_filtering'] = TRUE;You do not to do anything more for prevent sql injection and cross site scripting.