CodeIgniter中防止SQLInjection的最佳方法

Question

我是codeigniter框架的新手，我做了几个查询我的问题是保持我的查询安全的最佳方式是什么。我应该使用mysql_real_escape_string还是有一些更好的方法。 我用我的插入下面的代码：

function createCustomer($data){ 
    $this->firstname = $data['firstname']; 
    $this->lastname  = $data['surname1'].' '.$data['surname2']; 
    $this->address  = $data['adres']; 
    $this->zipcode  = $data['zipcode']; 
    $this->mail   = $data['mail']; 
    $this->phonenumber = $data['phonenumber']; 

    $this->db->insert('Klant',$this); 

    //Check if the change was succesfull 
    return ($this->db->affected_rows() != 1) ? false : true; 
} 

而下面的代码得到：

function getUserByName($firstname, $lastname){ 
     $query = $this->db->get_where('Customer', array('firstname' => $firstname, 'lastname' => $lastname)); 
    return $query->result(); 
} 

什么是防止SQL注入的最佳方式？任何提示都欢迎。

Answer 1

的最好的办法就是 打开文件的config.php文件 位置的application/config

使下面的代码为true

|-------------------------------------------------------------------------- 
 
    | Global XSS Filtering 
 
    |-------------------------------------------------------------------------- 
 
    | 
 
    | Determines whether the XSS filter is always active when GET, POST or 
 
    | COOKIE data is encountered 
 
    | 
 
*/ 
 
$config['global_xss_filtering'] = FALSE;

到

|-------------------------------------------------------------------------- 
 
    | Global XSS Filtering 
 
    |-------------------------------------------------------------------------- 
 
    | 
 
    | Determines whether the XSS filter is always active when GET, POST or 
 
    | COOKIE data is encountered 
 
    | 
 
*/ 
 
$config['global_xss_filtering'] = TRUE;

对于防止sql注入和跨站点脚本，您不要再做任何事情。