Fix SQL Injection (Legacy & Modern) in CodeIgniter
SQLi in CodeIgniter isn't dead; it's just evolving. Whether you're stuck in CI3 legacy debt or spinning up CI4, manual string concatenation is a one-way ticket to a leaked database. To secure your app, you must abandon raw query concatenation and use the built-in Query Builder or Parameter Binding, which utilize prepared statements under the hood.
The Vulnerable Pattern
// LEGACY/BAD PRACTICE
// Input is directly concatenated into the query string
$id = $this->request->getGet('id');
$sql = "SELECT * FROM users WHERE id = '" . $id . "' AND status = 'active'";
$query = $this->db->query($sql);
// Payload: ?id=1' OR '1'='1
The Secure Implementation
The vulnerable code fails because it treats user input as executable SQL logic. A single quote in the input closes the string literal, so the attacker breaks out of the data context and into the SQL context. The secure versions use Parameterized Queries. When using Query Builder or the '?' placeholder (Bindings), the database driver sends the SQL template and the data in separate packets. The DB engine never evaluates the data as code, rendering injection payloads like 'OR 1=1' harmless strings.
// MODERN/SECURE APPROACH (CI4)
// 1. Using Query Builder (auto-escaping)
$id = $this->request->getGet('id');
$user = $this->db->table('users')
    ->where('id', $id)
    ->where('status', 'active')
    ->get()
    ->getRow();

// 2. Using Manual Bindings (for complex raw queries)
// Each '?' is replaced by the matching escaped value from the array
$sql = "SELECT * FROM users WHERE id = ? AND status = ?";
$query = $this->db->query($sql, [$id, 'active']);
$user = $query->getRow();
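To see the mechanism described above end to end, here is an added, self-contained PHP example that is not part of the original article and does not use CodeIgniter. It uses plain PDO against an in-memory SQLite table with constructed sample rows, runs the same `?id=1' OR '1'='1` payload from the article through a concatenated query and through a bound query, and adds the input-validation check a practitioner would put in front of the database call. The table contents, the helper names and the use of SQLite are all assumptions made for this example.

```php
<?php
// Added example (not from the original article, not CodeIgniter code).
// Shows why the concatenated query leaks rows while the bound query does not.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, status TEXT)");
    // Constructed sample rows for the demonstration.
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'active'), "
            . "(2, 'bob', 'active'), (3, 'mallory', 'disabled')");
    return $db;
}

// LEGACY/BAD: same shape as the vulnerable snippet in the article.
// The input becomes part of the SQL text, so a quote changes the query logic.
function lookupConcatenated(PDO $db, string $id): array
{
    $sql = "SELECT * FROM users WHERE id = '" . $id . "' AND status = 'active'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SECURE: '?' placeholders, the same technique as CI4's query bindings.
// The SQL template is fixed; $id travels as a value and is never parsed as SQL.
function lookupBound(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT * FROM users WHERE id = ? AND status = ?");
    $stmt->execute([$id, 'active']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: reject anything that is not a positive integer before
// it reaches the database. Binding already neutralises the payload; this
// check additionally turns it into a clean 4xx-style rejection you can log.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$db      = makeDb();
$payload = "1' OR '1'='1";   // the article's payload, as it arrives in ?id=

// Concatenation: the WHERE clause becomes
//   id = '1' OR '1'='1' AND status = 'active'
// and every active user is returned instead of only id 1.
echo "concatenated: " . count(lookupConcatenated($db, $payload)) . " row(s)\n";

// Binding: the whole payload is compared against the id column as one
// literal value, matches nothing, and 0 rows come back.
echo "bound:        " . count(lookupBound($db, $payload)) . " row(s)\n";

// A legitimate id still works through the bound path.
echo "bound, id=1:  " . count(lookupBound($db, '1')) . " row(s)\n";

// The validation layer rejects the payload before any query is built.
$checked = validateId($payload);
echo "validateId:   " . ($checked === null ? "rejected" : "ok ($checked)") . "\n";
```

Two points the snippet makes that are easy to miss when reading the CodeIgniter version. First, bindings only protect values: table and column names cannot be bound, so if a "complex raw query" takes a sort column or table name from the request, map it against a fixed allow-list in code rather than interpolating it. Second, CodeIgniter 4's `query()` bindings and Query Builder escape values client-side before the SQL is sent; if you specifically want server-side prepared statements, CI4 also exposes `$db->prepare()` with `execute()`. In a CI4 controller the `validateId()` step above maps naturally onto a validation rule such as `'id' => 'required|is_natural_no_zero'`.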
Verified by Ghost Labs Security Team