Preventing SQL injection in CodeIgniter

Updated: 2023-12-02 09:46:46

No, it isn't. Edit: Yes it is...didn't see your comment about you using active records. You either need to escape your inputs manually using PHP's or CodeIgniter's escaping functions or you should be using CodeIgniter's query bindings or you can use CodeIgniter's Active Record class. I prefer to do the query bindings as it a) makes my queries look nicer and b) ensures that all of my inputs are cleansed prior to being run in MySQL.

http://ellislab.com/codeigniter/user_guide/database/queries.html

It works like this:

// Each ? placeholder is replaced with the escaped (and, for strings, quoted) value
$qStr = "SELECT * FROM students WHERE id=?";
$q = $this->db->query($qStr, array($id));

CodeIgniter will recognize what type of data your variable is, and wrap it accordingly. That is, if it's a string, it will put ' and ' around the escaped value in the SQL, which is what you need to ensure that users can't inject anything malicious.
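The three approaches the answer names, side by side, as an added example (this is not the answerer's code and not part of the CodeIgniter documentation linked above). It assumes a CodeIgniter 2/3 controller with the database library loaded, a hypothetical `students` table with an integer `id` column, and that the untrusted value arrives as the `id` request parameter.

```php
<?php
// Added example, not from the original answer. Assumes CodeIgniter 2/3,
// $this->load->database() already done, and a hypothetical `students` table.
class Students extends CI_Controller
{
    // "Before": plain string concatenation. Whatever the client sends becomes
    // part of the SQL text, so the query structure is under their control.
    public function lookup_unsafe()
    {
        $id  = $this->input->get('id');
        $sql = "SELECT * FROM students WHERE id = " . $id;   // do not do this
        return $this->db->query($sql)->result_array();
    }

    // Option 1: query bindings. CodeIgniter replaces each ? with the escaped
    // value, adding quotes when the value is a string, so the input is only
    // ever data and can never change the shape of the statement.
    public function lookup_bound()
    {
        $id    = $this->input->get('id');
        $sql   = "SELECT * FROM students WHERE id = ?";
        $query = $this->db->query($sql, array($id));
        return $query->result_array();
    }

    // Several placeholders are filled positionally from the array.
    public function lookup_bound_multi($status)
    {
        $id    = $this->input->get('id');
        $sql   = "SELECT * FROM students WHERE id = ? AND status = ?";
        $query = $this->db->query($sql, array($id, $status));
        return $query->result_array();
    }

    // Option 2: manual escaping. $this->db->escape() escapes a string and
    // wraps it in quotes; integers and NULL are emitted as-is. This is the
    // same escaping that bindings apply automatically.
    public function lookup_escaped()
    {
        $id  = $this->db->escape($this->input->get('id'));
        $sql = "SELECT * FROM students WHERE id = " . $id;
        return $this->db->query($sql)->result_array();
    }

    // Option 3: Active Record (called Query Builder in CodeIgniter 3).
    // The library builds the WHERE clause and escapes the values itself.
    public function lookup_active_record()
    {
        $id    = $this->input->get('id');
        $query = $this->db->get_where('students', array('id' => $id));
        return $query->result_array();
    }
}
```

Two practical notes. First, bindings and `escape()` protect values only: a `?` cannot stand in for a table or column name (it would be quoted as a string), so identifiers chosen at runtime must come from a whitelist in your own code. Second, after running a bound query, `$this->db->last_query()` returns the compiled statement, which is a quick way to confirm during development that the value was quoted and escaped as expected.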