如何使用codeigniter阻止sql注入

时间:2013-05-07 21:02:32

标签: php mysql code-injection

我想阻止我的注释声明,但我对活动记录和查询绑定感到困惑。

这是我当前的mysql查询,名为results。

$results = $this->EE->db->query("SELECT t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id
FROM exp_members as em
   INNER JOIN transactions as t on (em.member_id = t.cardid-10000000)
   INNER JOIN exp_channel_titles as ct on (t.restaurant_id = ct.entry_id)
   INNER JOIN exp_channel_data as cd on (ct.entry_id = cd.entry_id)
   INNER join exp_member_data as emd on em.member_id = emd.member_id
WHERE em.member_id = '".($_GET['cardid']-10000000)."'");

这就是我试图阻止mysql注入的方法。这样安全吗?

$results = $this->EE->db->query("SELECT t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id
FROM exp_members as em
   INNER JOIN transactions as t on (em.member_id = t.cardid-10000000)
   INNER JOIN exp_channel_titles as ct on (t.restaurant_id = ct.entry_id)
   INNER JOIN exp_channel_data as cd on (ct.entry_id = cd.entry_id)
   INNER join exp_member_data as emd on em.member_id = emd.member_id
WHERE em.member_id = '".$this->db->escape(($_GET['cardid']-10000000))."'");

但这也是一个选项还是?

$this->load->database();
$this->load->library('table');

$this->db->select(' t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id');
$this->db->from('exp_members'); 
$this->db->join('transactions', 'exp_members.member_id = transactions.cardid-10000000', 'inner');
$this->db->join('exp_channel_titles', 'transactions.restaurant_id = exp_channel_titles.entry_id', 'inner');
$this->db->join('exp_channel_data', 'exp_channel_titles.entry_id = exp_channel_data.entry_id', 'inner');
$this->db->join('exp_member_data', 'exp_members.member_id = exp_member_data.member_id', 'inner');
$this->db->where('exp_members.member_id', $this->db->escape(($_GET['cardid']-10000000))); 
$query = $this->db->get();
echo $query;

这是安全的还是正确的方法还是我错过了什么。

1 个答案:

答案 0 :(得分:1)

最后两种方法是正确的,以避免SQL注入。在最后一段代码中,使用Active Record,您不需要调用escape,因为CodeIgniter会自动执行。

相关问题
最新问题