php Codeigniter this->db->query

Notice: this page is a Chinese/English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/12876763/

Date: 2020-08-25 04:24:40  Source: igfitidea


Tags: php, codeigniter

Asked by Michael Grigsby

Does $this->db->query() have MySQL injection protection? I was wondering because I use this in instances and have not done anything to protect against SQL injection.


Answered by Steve

The ActiveRecord style of querying with CodeIgniter escapes parameters, but not query().


You can use active record in this manner:


$someAge = 25;
$this->db->select('names, age');
// The comparison operator belongs in the array key. A value of '>' . $someAge
// would be escaped as the literal string '>25' and compared with = instead.
$query = $this->db->get_where('people', array('age >' => $someAge));

Read more about it here: https://www.codeigniter.com/userguide2/database/active_record.html


Answered by xelber

No, db->query() is not protected against SQL injection by default; you have a few options. Use query bindings:


$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?"; 
$this->db->query($sql, array(3, 'live', 'Rick'));

For more complex queries, where you have to build the query as you go, use compile_binds() to get a chunk of SQL.


$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
// compile_binds() is the driver method that query() itself uses to substitute
// the ? placeholders with escaped, quoted values; it returns the finished SQL string.
$safe_sql = $this->db->compile_binds($sql, array(3, 'live', 'Rick'));

etc.


Or use $this->db->escape() on the parameters:


// escape() adds the surrounding quotes itself, so the value is not wrapped in quotes here.
// (The table is named some_table because `table` is a reserved word in MySQL.)
$sql = "INSERT INTO some_table (title) VALUES(" . $this->db->escape($title) . ")";

It's always best practice to use form validation first and include things like xss_clean, max_length etc. either way, in combination with one of the above.

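The following is an added example that is not part of either answer above. It puts the injectable raw query() call next to the three safe forms the two answers describe (query bindings, $this->db->escape(), and Active Record with the operator in the key) inside one CodeIgniter 2.x model, and adds the case bindings cannot cover: column names used in ORDER BY. The model name, method names, and the `people` table with columns id, names, age, status and author are assumptions for illustration; the MySQL driver is assumed for the escaping shown in the comments.

```php
<?php
// Added example, not code from the original answers. Assumes CodeIgniter 2.x
// with the MySQL driver and a hypothetical `people` table
// (id, names, age, status, author).
class People_model extends CI_Model
{
    // VULNERABLE: query() runs the string exactly as given. An $author of
    //   Rick' OR '1'='1
    // produces  WHERE author = 'Rick' OR '1'='1'  and returns every row.
    public function by_author_unsafe($author)
    {
        $sql = "SELECT * FROM people WHERE author = '" . $author . "'";
        return $this->db->query($sql)->result();
    }

    // SAFE 1: query bindings. Each ? is replaced by the driver-escaped, quoted
    // value, so the same input becomes  author = 'Rick\' OR \'1\'=\'1'
    // (a plain string literal that matches nothing).
    public function by_author_bound($author)
    {
        $sql = "SELECT * FROM people WHERE author = ? AND status = ?";
        return $this->db->query($sql, array($author, 'live'))->result();
    }

    // SAFE 2: escape() when the statement has to be assembled step by step.
    // escape() wraps strings in quotes itself; do not add your own quotes.
    public function by_author_escaped($author, $min_age = null)
    {
        $sql = "SELECT * FROM people WHERE author = " . $this->db->escape($author);
        if ($min_age !== null) {
            // Numeric input: cast to the intended type instead of escaping a
            // numeric string, which escape() would quote as text.
            $sql .= " AND age > " . (int) $min_age;
        }
        return $this->db->query($sql)->result();
    }

    // SAFE 3: Active Record. The operator goes in the array key; the value
    // is escaped and quoted by the library.
    public function older_than($some_age)
    {
        $this->db->select('names, age');
        return $this->db->get_where('people', array('age >' => (int) $some_age))->result();
    }

    // What none of the above can do: a column name is an identifier, not a
    // value. Binding or escaping it would yield  ORDER BY 'age'  (a constant),
    // so identifiers from user input must be checked against a whitelist.
    public function sorted_by($column, $direction = 'ASC')
    {
        $allowed = array('names', 'age', 'author');
        if (!in_array($column, $allowed, true)) {
            $column = 'names';
        }
        $direction = (strtoupper($direction) === 'DESC') ? 'DESC' : 'ASC';
        $sql = "SELECT names, age FROM people WHERE status = ? ORDER BY $column $direction";
        return $this->db->query($sql, array('live'))->result();
    }
}
```

Bindings and escape() only protect values inside quotes or numeric positions; they do nothing for table names, column names, or the LIKE wildcards % and _ (use $this->db->escape_like_str() for the latter). When a placeholder count does not match the number of bound values, CodeIgniter leaves the string untouched, so test each bound query with a hostile value such as the one in the comments rather than assuming the ? did its job.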