In CodeIgniter, how can I avoid SQL injection? Is there any method to set in the config file to avoid SQL injection? I am using this code for selecting values:
You should try to avoid writing your queries directly into a string and then passing them to the query function. A better option would be to use the Active Record class which will build your queries for you and escape the values. http://codeigniter.com/user_guide/database/active_record.html
If you want to avoid using the Active Record class for whatever reason, then you can view the CodeIgniter documentation for the database class, which has an escape method for escaping your values before passing them to the query method. http://www.codeignitor.com/user_guide/database/queries.html
Ben
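The two approaches described in the answer above, shown beside a string-built query, as an added example that is not part of the original answer. It assumes a CodeIgniter 2.x application with a configured database; the `users` table, its columns and the `User_model` class are hypothetical.

```php
<?php
// Added example. Assumes CodeIgniter 2.x; `users`, its columns and
// User_model are hypothetical names used only for illustration.
class User_model extends CI_Model
{
    public function __construct()
    {
        parent::__construct();
        $this->load->database();
    }

    // Unsafe: the value is concatenated into the SQL string, so the
    // database parses its content as part of the statement.
    public function find_unsafe($email)
    {
        $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
        return $this->db->query($sql)->result();
    }

    // Active Record: where() escapes the value while building the query.
    public function find_active_record($email)
    {
        $this->db->select('id, email');
        $this->db->from('users');
        $this->db->where('email', $email);
        return $this->db->get()->result();
    }

    // Hand-written SQL: escape() escapes string data and adds the
    // surrounding single quotes itself, so the SQL must not quote it again.
    public function find_escaped($email)
    {
        $sql = 'SELECT id, email FROM users WHERE email = '
             . $this->db->escape($email);
        return $this->db->query($sql)->result();
    }

    // Numeric input: check the type first, then let Active Record
    // build the WHERE clause from the array.
    public function find_by_id($id)
    {
        if (!ctype_digit((string) $id)) {
            return array();
        }
        return $this->db->get_where('users', array('id' => (int) $id))->result();
    }
}
```

Escaping covers values only; table and column names taken from user input still need to be checked against a fixed list before they reach any of these methods.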