CodeIgniter中防止SQLInjection的最佳方法

Question

我是codeigniter框架的新手，我做了幾個查詢我的問題是保持我的查詢安全的最佳方式是什麼。我應該使用mysql_real_escape_string還是有一些更好的方法。 我用我的插入下面的代碼：

function createCustomer($data){ 
    $this->firstname = $data['firstname']; 
    $this->lastname  = $data['surname1'].' '.$data['surname2']; 
    $this->address  = $data['adres']; 
    $this->zipcode  = $data['zipcode']; 
    $this->mail   = $data['mail']; 
    $this->phonenumber = $data['phonenumber']; 

    $this->db->insert('Klant',$this); 

    //Check if the change was succesfull 
    return ($this->db->affected_rows() != 1) ? false : true; 
} 

而下面的代碼得到：

function getUserByName($firstname, $lastname){ 
     $query = $this->db->get_where('Customer', array('firstname' => $firstname, 'lastname' => $lastname)); 
    return $query->result(); 
} 

什麼是防止SQL注入的最佳方式？任何提示都歡迎。

Answer 1

的最好的辦法就是 打開文件的config.php文件 位置的application/config

使下面的代碼爲true

|-------------------------------------------------------------------------- 
 
    | Global XSS Filtering 
 
    |-------------------------------------------------------------------------- 
 
    | 
 
    | Determines whether the XSS filter is always active when GET, POST or 
 
    | COOKIE data is encountered 
 
    | 
 
*/ 
 
$config['global_xss_filtering'] = FALSE;

到

|-------------------------------------------------------------------------- 
 
    | Global XSS Filtering 
 
    |-------------------------------------------------------------------------- 
 
    | 
 
    | Determines whether the XSS filter is always active when GET, POST or 
 
    | COOKIE data is encountered 
 
    | 
 
*/ 
 
$config['global_xss_filtering'] = TRUE;

對於防止sql注入和跨站點腳本，您不要再做任何事情。