I just inherited a project because the last developer left. The project is built off of Code Igniter. I've never worked with Code Igniter before.
I took a quick look at the code and I see database calls in the controller like this:
$dbResult = $this->db->query("SELECT * FROM users WHERE username = '".$_POST['user_name']."'");
or calls like this:
$dbResult = $this->db->query("SELECT * FROM users WHERE username = '".$this->input->post('username')."'");
Does code igniter automatically sanitize these queries to prevent sql injection?
CodeIgniter DOES ESCAPE the variables you pass by when using the $this->db->query
method. But ONLY when you pass the variables as binds, here's an example:
$dbResult = $this->db->query("SELECT * FROM users WHERE username = ?", array($this->input->post('username')));
Also remember that $_POST
shouldn't be preferred over $this->input->post
since what it does is check if the variables exists to prevent errors.