Another very important part of general application security is that of your database. Ensuring that your queries are all correct, that all data has been escaped before you use it in a query, and never ever trusting any user input will all help with safeguarding your database.
We have already been over the methods that CodeIgniter uses to escape your data, at the start of this chapter. This time around we'll go over how to escape the different parts of a query without CodeIgniter, as this is a skill that every developer should have.
Firstly, all database table names and field names should be escaped by using backticks (`). This will also avoid any issues where the name is a reserved word. This is especially useful when using a WHERE clause that uses the primary key id field. Here's an example:
SELECT * FROM `users` WHERE `username` = '$username' AND `id` = '$id'
Secondly, all variables that are included in a query should be properly escaped by using one of the...
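The two rules above (backtick-quote every identifier, escape every value) carried through in plain PHP, as an added example that is not code from the book or from CodeIgniter. It assumes a `mysqli` connection in `$db` and a `users` table with `id` and `username` columns, matching the query shown above; the function names and the allow-list of sortable columns are assumptions for this illustration.

```php
<?php
// Added example (not from the book): escaping the parts of a query
// by hand, without CodeIgniter's query helpers.

/**
 * Wrap a table or column name in backticks so it can never be read as
 * a keyword or operator. MySQL represents a literal backtick inside a
 * quoted identifier by doubling it, so that is done here as well.
 */
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Identifiers that come from user input (a sort column, for example)
 * should not merely be quoted: check them against an allow-list and
 * fall back to a safe default. Assumed column list for this example.
 */
function sortColumn(string $requested): string
{
    $allowed = ['id', 'username'];
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

/**
 * Quote a value using the connection's charset-aware escaping.
 * NULL and numbers are emitted as-is; everything else is a string
 * literal, escaped and wrapped in single quotes.
 */
function quoteValue(mysqli $db, $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    return "'" . $db->real_escape_string((string) $value) . "'";
}

/** The book's example query, with every identifier and value escaped. */
function findUser(mysqli $db, string $username, int $id): ?array
{
    $sql = sprintf(
        'SELECT * FROM %s WHERE %s = %s AND %s = %s',
        quoteIdentifier('users'),
        quoteIdentifier('username'), quoteValue($db, $username),
        quoteIdentifier('id'),       quoteValue($db, $id)
    );
    $result = $db->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    return $row ?: null;
}

/**
 * The same lookup as a prepared statement. Values travel separately
 * from the SQL text, so the server never has to work out where the
 * data ends; this is the form to prefer whenever it is available.
 */
function findUserPrepared(mysqli $db, string $username, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM `users` WHERE `username` = ? AND `id` = ?');
    $stmt->bind_param('si', $username, $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** List users sorted by a column chosen from user input (allow-listed). */
function listUsers(mysqli $db, string $requestedSort): array
{
    $sql = sprintf(
        'SELECT %s, %s FROM %s ORDER BY %s',
        quoteIdentifier('id'), quoteIdentifier('username'),
        quoteIdentifier('users'),
        quoteIdentifier(sortColumn($requestedSort))
    );
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Usage; connection details are placeholders.
// $db = new mysqli('localhost', 'dbuser', 'dbpassword', 'app');
// $db->set_charset('utf8mb4');   // escaping depends on the connection charset
// $user  = findUserPrepared($db, $_POST['username'] ?? '', (int) ($_POST['id'] ?? 0));
// $users = listUsers($db, $_GET['sort'] ?? 'id');
```

Note that `real_escape_string` only knows the right bytes to escape once the connection's character set has been set, so call `set_charset()` before building any query this way; the prepared-statement version avoids that dependency entirely.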