Prevent SQL Injection in Codeigniter

This tutorial shows how to prevent SQL injection in CodeIgniter. SQL injection plays an important role in web application security, so it is very important to escape the variables you pass into a database query. We usually use the mysql_real_escape_string() function to prevent SQL injection, but this function is not needed in CodeIgniter. CodeIgniter offers several ways to prevent SQL injection: Escaping Queries, Query Binding and Active Record.

The following reference has been taken from the CodeIgniter documentation.

Escaping Queries

It’s a very good security practice to escape your data before submitting it into your database. CodeIgniter has three methods that help you do this:

    $this->db->escape() This function determines the data type so that it can escape only string data. It also automatically adds single quotes around the data so you don’t have to:

    $this->db->escape_str() This function escapes the data passed to it, regardless of type. Most of the time you’ll use the above function rather than this one. Use the function like this:

    $this->db->escape_like_str() This method should be used when strings are to be used in LIKE conditions so that LIKE wildcards (‘%’, ‘_’) in the string are also properly escaped.


The escape_like_str() method uses ‘!’ (exclamation mark) to escape special characters for LIKE conditions. Because this method escapes partial strings that you would wrap in quotes yourself, it cannot automatically add the ESCAPE ‘!’ condition for you, and so you’ll have to manually do that.

Query Bindings

Bindings enable you to simplify your query syntax by letting the system put the queries together for you. Consider the following example:

The question marks in the query are automatically replaced with the values in the array in the second parameter of the query function.

Bindings also work with arrays, which will be transformed to IN sets:

The resulting query will be:

The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don’t have to remember to manually escape data; the engine does it automatically for you.

Inserting Data using Active Record


Generates an insert string based on the data you supply, and runs the query. You can either pass an array or an object to the function.

All values are escaped automatically producing safer queries.
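
The three techniques above in one CodeIgniter 3 model, as an added example that is not from the original tutorial or the CodeIgniter documentation. The `Blog_model` class, the `blogs` table and its `id`, `title` and `content` columns are assumptions.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');
// Added example: hypothetical model for an assumed `blogs` table (id, title, content).
class Blog_model extends CI_Model
{
    public function __construct()
    {
        parent::__construct();
        $this->load->database();
    }

    // UNSAFE (shown only for contrast): input is concatenated into the SQL text,
    // so a quote character in $title changes the structure of the query.
    public function find_by_title_unsafe($title)
    {
        return $this->db->query("SELECT * FROM blogs WHERE title = '" . $title . "'")->result();
    }

    // Escaping: escape() adds the surrounding quotes itself, so none are written here.
    public function find_by_title_escaped($title)
    {
        $sql = 'SELECT * FROM blogs WHERE title = ' . $this->db->escape($title);
        return $this->db->query($sql)->result();
    }

    // LIKE search: escape_like_str() also escapes % and _ using '!', and the
    // ESCAPE '!' clause has to be appended by hand.
    public function search_title($term)
    {
        $sql = "SELECT * FROM blogs WHERE title LIKE '%"
             . $this->db->escape_like_str($term) . "%' ESCAPE '!'";
        return $this->db->query($sql)->result();
    }

    // Query binding: each ? is replaced by the escaped value at the same
    // position; an array value becomes an IN (...) set.
    public function find_by_ids_and_title(array $ids, $title)
    {
        $sql = 'SELECT * FROM blogs WHERE id IN ? AND title = ?';
        return $this->db->query($sql, array($ids, $title))->result();
    }

    // Active Record: insert() builds the statement and escapes every value.
    public function add_blog($title, $content)
    {
        $this->db->insert('blogs', array('title' => $title, 'content' => $content));
        return $this->db->insert_id();
    }
}
```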


Netbeans 8.1
XAMPP in Windows
Codeigniter 3.0.6

Configure XAMPP and Netbeans

From the Netbeans IDE go to Tools->Options and click on PHP. On the “General” tab, browse to the file for “PHP 5 Interpreter”. The PHP interpreter file is generally located at <physical drive in Windows OS>:\xampp\php\php.exe

Configure Codeigniter and Netbeans

Create a new PHP project in Netbeans. Then remove the index.php file from the newly created project. Now copy the extracted files from Codeigniter 3.0.6 to the newly created project directory.

Step 1. Now modify <root directory>/application/config/autoload.php file for auto-loading html, url, file, form and session

Step 2. Now modify <root directory>/application/config/config.php file to define some captcha config

Step 3. Now modify <root directory>/application/config/database.php file to add database config

Step 4. Now create captcha table in codeigniter database

Step 5. Create a view file add_blog.php under <root directory>/application/views which will be used to save a new blog

Step 6. Create a Controller class under <root directory>/application/controllers for handling client’s request and response

Step 7. Now create a model class for interacting with database

Step 8. Now modify <root directory>/application/config/routes.php file for pointing the default controller class

Step 9. Now, if everything is fine, run the application.

Thanks for reading.
