Prevent SQL Injection in Codeigniter


This tutorial will show you how to prevent SQL injection in Codeigniter application.

SQL injection is:

  • a malicious code injection technique that may destroy your database.
  • one of the most common web hacking techniques.
  • the placement of malicious code in SQL statements, via input fields in web page.

It is very important to escape the variable you pass by when using to the database query because in web application security SQL injections play an important role.

We usually use mysql_real_escape_string() function to prevent SQL injections, but we do not need to use this function in case of Codeigniter. In Codeigniter we have different ways such as Escaping Queries, Query Binding and Active Record to prevent SQL injection in Codeigniter.

Preventing SQL Injection

The following reference has been taken from Codeigniter documentation. There are three ways to prevent SQL injection using Codeigniter framework.

Escaping Queries

It’s a very good security practice to escape your data before submitting it into your database. CodeIgniter has three methods that help you do this:


This function determines the data type so that it can escape only string data. It also automatically adds single quotes around the data so you don’t have to:

$sql = "INSERT INTO table (title) VALUES(".$this->db->escape($title).")";


This function escapes the data passed to it, regardless of type. Most of the time you’ll use the above function rather than this one. Use the function like this:

$sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";


This method should be used when strings are to be used in LIKE conditions so that LIKE wildcards (‘%’, ‘_’) in the string are also properly escaped.

$search = '20% raise';
$sql = "SELECT id FROM table WHERE column LIKE '%" .
    $this->db->escape_like_str($search)."%' ESCAPE '!'";


The escape_like_str() method uses ‘!’ (exclamation mark) to escape special characters for LIKE conditions. Because this method escapes partial strings that you would wrap in quotes yourself, it cannot automatically add the ESCAPE ‘!’ condition for you, and so you’ll have to manually do that.

Query Bindings

Bindings enable you to simplify your query syntax by letting the system put the queries together for you. Consider the following example:

$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
$this->db->query($sql, array(3, 'live', 'Rick'));

The question marks in the query are automatically replaced with the values in the array in the second parameter of the query function.

Binding also work with arrays, which will be transformed to IN sets:

$sql = "SELECT * FROM some_table WHERE id IN ? AND status = ? AND author = ?";
$this->db->query($sql, array(array(3, 6), 'live', 'Rick'));

The resulting query will be:

SELECT * FROM some_table WHERE id IN (3,6) AND status = 'live' AND author = 'Rick'

The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don’t have to remember to manually escape data; the engine does it automatically for you.

Active Record

$this->db->insert()Generates an insert string based on the data you supply, and runs the query. You can either pass an array or an object to the function.

All values are escaped automatically producing safer queries.


Netbeans 8.1
XAMPP in Windows
Codeigniter 3.0.6, PHP 5.6

Example with Source Code

Here we will see how to create example to prevent SQL injection in
Codeigniter application.

Configuring XAMPP and Netbeans

From Netbeans IDE go to Tools->Options. Click on PHP. Now on tab “General” browse the file for “PHP 5 Interpreter”. The php interpreter file generally placed inside the <physical drive in Windows OS>:\xampp\php\php.exe

Configuring Codeigniter and Netbeans

Create a new PHP project in Netbeans. Then remove the index.php file from the newly created project. Now copy the extracted files from Codeigniter 3.0.6 to the newly created project directory.

Creating Example

Step 1. Now modify <root directory>/application/config/autoload.php file for auto-loading html, url, file, form and session.

The auto-load is required for few helper functions, library classes that are used frequently throughout the application to avoid loading each time we want to use everywhere.

$autoload['helper'] = array('html', 'url', 'file', 'form');
$autoload['libraries'] = array('database', 'session');

Step 2. Now modify <root directory>/application/config/config.php file to define some captcha config.

Th below encryption key is required whenever you want to use session in your Codeigniter application. If you do not want to use session then you can omit such encryption key and also make sure you do not load session library.

$config['encryption_key'] = '2d8+e6]K0?ocWp7&`K)>6Ky"|.x|%nuwafC~S/+6_mZI9/17y=sKKG.;Tt}k';

Step 3. Now modify <root directory>/application/config/database.php file to add database config.

$db['default'] = array(
    'dsn' => '',
    'hostname' => 'localhost',
    'username' => 'root',
    'password' => '',
    'database' => 'codeigniter',
    'dbdriver' => 'mysqli',
    'dbprefix' => '',

Step 4. Now create blogs table in codeigniter database. We want to maintain blogs in database so we need a table to store the blogs.

CREATE TABLE `blogs` (
  `blog_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `blog_title` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
  `blog_content` text COLLATE utf8_unicode_ci NOT NULL,
  `blog_date` datetime NOT NULL,
  PRIMARY KEY (`blog_id`)

Step 5. Create a view file add_blog.php under <root directory>/application/views which will be used to save new blog.

This view file is responsible for getting input for a new blog from the end user and this page is also responsible for showing the appropriate message while new blog saved successfully or if any error occurred during saving the new blog.

<!DOCTYPE html>
        <meta charset="UTF-8">
        <title>Codeigniter Database Escape</title>
        <style type="text/css">

            ::selection { background-color: #E13300; color: white; }
            ::-moz-selection { background-color: #E13300; color: white; }

            body {
                background-color: #fff;
                margin: 40px;
                font: 13px/20px normal Helvetica, Arial, sans-serif;
                color: #4F5155;

            #body {
                margin: 0 15px 0 15px;

            #container {
                margin: 10px;
                border: 1px solid #D0D0D0;
                box-shadow: 0 0 8px #D0D0D0;

            h1 {
                margin-left: 15px;

            .error {
                color: #E13300;

            .success {
                color: darkgreen;
        <div id="container">
            <h1>CodeIgniter Database Escape</h1>            
            <div id="body">
                if (isset($success) && strlen($success)) {
                    echo '<div class="success">';
                    echo '<p>' . $success . '</p>';
                    echo '</div>';
                if (validation_errors()) {
                    echo validation_errors('<div class="error">', '</div>');
                $attributes = array('name' => 'add_blog_form', 'id' => 'add_blog_form');
                echo form_open($this->uri->uri_string(), $attributes);
                <p>Title : <input type="text" name="title" id="title" size="54"/></p>
                <p>Content : <textarea id="content" name="content" rows="10" cols="50"></textarea></p>
                <p><input name="add_blog" value="Add Blog" type="submit" /></p>
                echo form_close();


Step 6. Create a Controller class under <root directory>/application/controllers for handling client’s request and response.

This controller class also communicated with the model layer and finally perform the database activities in the model class to save the new blog.

This class also validates and required fields according to the rules set to the input fields.


defined('BASEPATH') OR exit('No direct script access allowed');

 * Description of Blog
 * @author
class Blog extends CI_Controller {

    function __construct() {

    public function index() {
        $data = array();
        if ($this->input->post('add_blog')) {
            $this->form_validation->set_rules('title', 'Title', 'required');
            $this->form_validation->set_rules('content', 'Content', 'required');
            if ($this->form_validation->run()) {
                $title = $this->input->post('title');
                $content = $this->input->post('content');
                $result = $this->blogmodel->save_new_blog($title, $content);
                $data['success'] = 'Blog successfully added';
        $this->load->view('add_blog', $data);


Step 7. Now create a model class for interacting with database.

Here in this model class we are performing database operations in order to save the new blog. We are also escaping the input values sent from the end user in order to prevent SQL injection in Codeigniter.

Look carefully how we have used three types of methods to prevent SQL injection in Codeigniter.


defined('BASEPATH') OR exit('No direct script access allowed');

 * Description of BlogModel
 * @author
class BlogModel extends CI_Model {

    private $blogs = 'blogs';   // blog table

    function __construct() {

    //save new blog
    function save_new_blog($title, $content) {
        //Escaping Query
        $sql = "INSERT INTO " . $this->blogs . "(blog_title,blog_content,blog_date)"
                . " VALUES(" . $this->db->escape($title) . "," . $this->db->escape($content) .
                "," . $this->db->escape(date('Y-m-d H:i:s')) . ")";
        //Query Binding
        $sql = $sql = "INSERT INTO " . $this->blogs . "(blog_title,blog_content,blog_date)"
                . " VALUES(?,?,?)";
        $this->db->query($sql, array($title, $content, date('Y-m-d H:i:s')));
        //Active Record
        $data = array(
            'blog_title' => $title,
            'blog_content' => $content,
            'blog_date' => date('Y-m-d H:i:s')
        $this->db->insert($this->blogs, $data);


Step 8. We want to open the page with default controller so we need to point to our own controller we have created above. Now modify <root directory>/application/config/routes.php file for pointing the default controller class.

$route['default_controller'] = 'blog';

Step 9. Now if everything is fine run the application and you should get the desired output.

Thanks for reading.

Related posts

2 Thoughts to “Prevent SQL Injection in Codeigniter”

  1. BusyWitch

    Hi! Nice tutorial, but this inserts not one blog post at a time, but three blog posts. Any idea what is causing this to occur?

    1. Notice in the save_new_blog($title, $content) function, there are three ways to save blog. You need to use any one of them.

Leave a Comment