This question already has an answer here:
I am new to the codeigniter framework and im makeing a few queries my question is what is the best way to keep my queries safe. Should I use mysql_real_escape_string or is there some better way.
I use the following code for my inserts:
function createCustomer($data){
$this->firstname = $data['firstname'];
$this->lastname = $data['surname1'].' '.$data['surname2'];
$this->address = $data['adres'];
$this->zipcode = $data['zipcode'];
$this->mail = $data['mail'];
$this->phonenumber = $data['phonenumber'];
$this->db->insert('Klant',$this);
//Check if the change was succesfull
return ($this->db->affected_rows() != 1) ? false : true;
}
And the following code for gets:
function getUserByName($firstname, $lastname){
$query = $this->db->get_where('Customer', array('firstname' => $firstname, 'lastname' => $lastname));
return $query->result();
}
What would be the best way to prevent sql injection? Any tips are welcome.
</div>
