mysql_real_escape_string(): Access denied in codeigniter

Question

I am using Codeigniter.i want to use string in $_POST value from search form which may contain special characters such as apostrophe('),(;) etc .How can my mysql query ignore these characters so that i could select from/save my $_POST['search'] values into the database?

Whenever i use the mysql_real_escape_string() function.it give me: mysql_real_escape_string(): Access denied error.

My code looks like this:

$query = "SELECT * FROM products WHERE  
product_name='".mysql_real_escape_string($_POST['search'])."'";

$this->db->query($query);

How can deal with this problem in codeigniter? Thanks

Answer 1

Never use user input directly into your queries. Read more about "sql injection" and "xss" . For codeIgnitor,do this :

1. Do not use $_POST, use the input class instead. $this->input->post

2. Use query binding , mysql_real_escape_string is not needed. eg.

    $sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?"; $this->db->query($sql, array(3, 'live', 'Rick')); 

Answer 2

Best way to do it would be:

$query = "SELECT * FROM products WHERE product_name=?";
$this->db->query($query, array($this->input->post('search'));

Have a look at the docs here: http://codeigniter.com/user_guide/database/queries.html

If you really want to do it with escaping, look at the Escaping Queries. But it would be better to do it with binding (as my example above)