What are the ways to prevent SQL injection for a CodeIgniter based website?

To prevent SQL injection in plain PHP, we usually use the mysql_real_escape_string() function in MySQL queries.

In CI there are three methods to prevent SQL injection:
1) Escaping Queries
2) Query Binding
3) Active Record Class

Preventing SQL injection in Codeigniter using Escaping Query Method

$sql = 'SELECT * FROM product WHERE product_name=' . $this->db->escape($name);
$this->db->query($sql);

Here $this->db->escape() determines the data type so that it escapes only string data; it also adds the surrounding quotes itself, so do not quote the value a second time.

Preventing SQL injection in CI using Query Binding Method
$sql = 'SELECT * FROM product WHERE status = ? AND category = ?'; // query text assumed; the original only shows the bound values
$this->db->query($sql, array('active', 'mobile'));

In the Query Binding method, you don't have to escape the values manually; each ? is replaced by its value, escaped automatically for you.

Preventing SQL injection in Codeigniter using Active Record Class

Using Active Record, the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.
$query = $this->db->get_where('product', array('status' => 'active', 'sellerId' => '10'));
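As an added example (not code from the original post), the three methods above side by side with the unsafe concatenation they replace, in a CodeIgniter 3 model. It assumes CI 3's $this->db query builder and a product table with the columns product_name, status, category and sellerId (table and column names are assumed).

```php
<?php
// Added example: a CodeIgniter 3 model contrasting an injectable query with
// the three safe forms. Assumes CI 3's $this->db and a `product` table with
// columns product_name, status, category, sellerId (names assumed).
class Product_model extends CI_Model
{
    // VULNERABLE: raw concatenation. A single quote inside $name ends the
    // string literal, so the rest of $name becomes SQL.
    public function find_unsafe($name)
    {
        $sql = "SELECT * FROM product WHERE product_name = '" . $name . "'";
        return $this->db->query($sql)->result_array();
    }

    // 1) Escaping: escape() adds the quotes itself and escapes the contents,
    //    so the caller must not wrap the value in quotes a second time.
    public function find_escaped($name)
    {
        $sql = 'SELECT * FROM product WHERE product_name = ' . $this->db->escape($name);
        return $this->db->query($sql)->result_array();
    }

    // 2) Query binding: each ? is replaced, in order, by an escaped value.
    public function find_bound($status, $category)
    {
        $sql = 'SELECT * FROM product WHERE status = ? AND category = ?';
        return $this->db->query($sql, array($status, $category))->result_array();
    }

    // 3) Active Record / Query Builder: values are escaped and the SQL is
    //    assembled by the database driver.
    public function find_builder($status, $sellerId)
    {
        $where = array('status' => $status, 'sellerId' => $sellerId);
        return $this->db->get_where('product', $where)->result_array();
    }

    // LIKE is a common gap: escape() does not neutralise % and _, so use
    // like(), which escapes the wildcards, or escape_like_str() in raw SQL.
    public function search($term)
    {
        return $this->db->like('product_name', $term)->get('product')->result_array();
    }
}
```

Only find_unsafe() is injectable; the other three methods pass user input to the driver as escaped data rather than as SQL text.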

What is the difference between $message and $$message?

$message is a normal variable; $$message is a "variable variable": the value of $message is used as the name of another variable.

$message = "A";
$A = "B";

echo $message;  // Output: A
echo $$message; // Output: B ($message holds "A", so $$message reads $A)

That is, a variable name which can be set and used dynamically.

We can echo the above strings like

echo $message.$A;

This will print "AB".

Note: a variable's value can act as a variable name.

Send array in Ajax with PHP

On the JS page (using jQuery):

var dataString = ["item1", "item2"]; // your array
var jsonString = JSON.stringify(dataString);
$.ajax({
    type: "POST",
    url: "script.php",
    data: {data : jsonString},
    cache: false,
    success: function(response){
        // handle the response from script.php
    }
});

On the PHP page:

$data = json_decode(stripslashes($_POST['data']));

// json_decode() turns the JSON array back into a PHP array