Security

Through the development cycle of a web application, you are going to write hundreds if not thousands of queries for each specific thing you want your application to do. That means for each query you write you will have to wrap it with functions that make it safe so that SQL injection and other malicious things cannot take place. Now say if you write 1000 queries through he course of your development and you forget to properly escape them 1% of the time (very very conservative). You will have 10 possible places for your malicious users to bring down your system.

If you had used Active Record you wouldn’t have had that happen. Active Record doesn’t forget to escape and filter those queries. You wouldn’t have a client calling you at 3am because their pride and joy is displaying porn ads or even worse that their customer’s personal information has been leaked to hackers.

Performance

One of his concerns was the performance impact that the Active Record class imposed. Coming from someone who uses the AR class every day in my 9-5, I have never noticed a significant performance impact on any of the queries I write. I dont know the exact benchmarks of it but I would think the most it adds to any query would by around .0001 seconds. I think the small impact it has on your application is well worth the peace of mind that all of your queries are secure from the few malicious users you are bound to cross paths with.

Complex Queries

The Active Record class does a pretty good job at 99% of the queries you are most likely to run. It powers through insert/update/select/delete queries with no problem at all. However it is not perfect. If your application demands a few complex queries you can very easily switch back to straight SQL with $this->db->query(); . This way you get the best of both worlds. You can be secure in your cookie cutter queries that you write all the time but when you have to do something that is a little more complicated you have the ability to switch very easily.

In my opinion there isn’t a real reason not to use CodeIgniter’s Active Record. The benefits it provides far outweigh the downsides. Unless of course your someone who never makes a mistake in programming, in that case forget everything I have told you.

Ever since I started using CodeIgniter about a year and a half ago, I feel that my coding style has drastically improved as well as the speed, security, and reliability of my applications. This is mostly due to CodeIgniter’s MVC approach to the structure of the application. It separates your code into three stages:

• Model – Used to interact with your database or data source and return the data back to your application
• View – Holds all of the display logic such as html, css and javascript
• Controller – Sort of the middleman, used to coordinate all the actions from Models and Libraries into a View to display to the user’s browser

CRUD

CRUD (Create, read, update and delete) is a way of structuring your code that interfaces with your database. Those four actions handle 99% of the actions you will do with the data in your database so why should we duplicate functionality every time we need to do something? For my examples I will be using the Active Record Class in CodeIgniter but it would be just as easy for you to use simple SQL statements in your PHP code.

Ok that’s enough of the vocabulary lesson, lets get into some code.

Start of the Model

All we are doing here is declaring the model as “Blog_model” and we will save this code in blog_model.php in the models folder in Codeigniter.

Create

Creating data is pretty simple, especially in codeigniter. You should only need a single function to create data for each table in your database. This is how i structure my insert functions.

Now what the code above is actually doing is this. When i call $this->whatever_model->insert_blog_post($data); , i pass a $data variable which is actually just an array with the index names matching to the database field names. If you are familiar with CodeIgniter’s Active Record Class this approach is nothing new to you.

Read

Reading information from a database is nothing new. You send a select query to a database and it returns results, how could it get any simpler? Well what usually ends up happening over the development of an application is that the developer will create multiple functions that essentially do the same thing. One function will query the database based on the Unique ID # of an item. Another will query checking to see if a particular title in that blog post already exists. So how can these be combined? Well you can create a single function that actually interacts with the database. It is passed a few parameters that tell it what query to run and it does just that. This function is called by other functions that pass those specific parameters. Here is an example.

Update

Now updating an row (or many rows) in the database is just as easy as adding a row. The first parameter is your where statement which includes the conditions that the rows must have to be updates. The second parameter is the data that will be inserted into those selected rows.

Pretty simple right? Now all you have to do from anywhere in your application to update a row in blog_posts is $this->blog_model->update_blog_post(array(‘ID’ => 5), array(‘title’ => ‘Getting Started with CRUD’));

Delete

Just as you might suspect, deleting a post is just as simple as adding or updating a post.

Now just run the command $this->blog_model->delete_blog_post(array(‘ID’ => ’223′));

Thats it!

If you have any questions or comments be sure to leave them below!