Are Codeigniter - Active Records Vulnerable to SQL Injections?

Backend | Unresolved | 2 | 624
Asked by 甜味超标, 2021-01-27 00:05

Just read this on Stack Overflow and it left me wondering whether SQL injection is possible through Active Records in CI.

At most of the places in my project, for user regi

2 answers
  • 2021-01-27 00:37

    There are 2 safety features already provided by CodeIgniter for your case.

    1. XSS filtering for your user input: the Input class has a second boolean parameter on its methods, which lets you run the input through an XSS filter in case you do not have the global XSS filter on.

    2. For SQL injections, using bound queries and Active Records is safe; it will save you from SQL injections as the framework does all of the work of escaping vulnerable user input. There are a few vulnerabilities with Active Records that are reported by users; they are, however, fixed quickly in subsequent releases by the CodeIgniter team (EllisLab).

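As an added illustration (not code from either answer), here is the same user lookup written the injectable way and the two escaped ways the first answer refers to, in CodeIgniter 3; it assumes a `users` table with a `username` column and a model with the database library loaded:

```php
<?php
// Added example, not from the thread. Assumes a `users` table with a
// `username` column and a CodeIgniter 3 model where $this->db is loaded.
class User_model extends CI_Model
{
    // 1. Raw query with string concatenation: the framework never sees the
    //    value as a separate argument, so nothing is escaped. Injectable.
    public function find_unsafe($username)
    {
        $sql = "SELECT * FROM users WHERE username = '" . $username . "'";
        return $this->db->query($sql)->row();
    }

    // 2. Query binding: each ? is replaced with the escaped value before the
    //    statement is sent. This is the "bound queries" form.
    public function find_bound($username)
    {
        $sql = "SELECT * FROM users WHERE username = ?";
        return $this->db->query($sql, array($username))->row();
    }

    // 3. Active Record (Query Builder): where() with a key/value pair escapes
    //    the value and protects the identifier while generating the SQL.
    public function find_active_record($username)
    {
        return $this->db->where('username', $username)
                        ->get('users')
                        ->row();
    }

    // Caveat: a single hand-built string passed to where() is treated as a
    // custom clause and its embedded literal is NOT escaped, so this is as
    // exposed as form 1 even though it uses Active Record.
    public function find_custom_clause_unsafe($username)
    {
        return $this->db->where("username = '" . $username . "'")
                        ->get('users')
                        ->row();
    }
}
```

The XSS filter enabled by `$this->input->post('username', TRUE)` addresses output into HTML and does not replace the escaping in forms 2 and 3.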
  • 2021-01-27 00:43

    CodeIgniter strips slashes from the quotes and vulnerable scripts when using Active Records rather than running direct SQL queries.. So no worries about using Active Records...

    mysql_real_escape_string and some checks are done internally when it's generating the SQL query to run..
