CodeIgniter Forums

Full Version: ActiveRecord set/update/select not escaping

El Forum

[eluser]phazei[/eluser]
I'm using CI 1.7.1 and both
$data = array(.....)
->set($data) and ->update('table', $data)
do not escape the col names with backticks.

Is this just me or has anyone else noticed this?

I noticed because I have a new table with a column named `limit`.



There is also a strange issue with select.
I have a model that has:
$this->db->select('limit');
in a method.

This is what happens if I call it twice, it echos last_query() in the model:

Starting First Call
SELECT `limit` FROM (`user_profile`) WHERE `user_id` = '1'
Starting Second Call
A Database Error Occurred

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'limit FROM (user_profile) WHERE `user_id` = '1'' at line 1

SELECT limit FROM (user_profile) WHERE `user_id` = '1'
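Added example (not from the poster and not CodeIgniter's own code): a standalone PHP helper that quotes identifiers with backticks itself, checks column names against a whitelist, and builds the same UPDATE twice to confirm the quoting is stable across calls, which is the regression the select('limit') output above shows. The function names quote_identifier and build_update are hypothetical, the table and column names mirror the thread, and it assumes PHP 7.4 or later.

```php
<?php
// Added example, not CodeIgniter code: a minimal identifier-quoting helper and a
// regression check for the two symptoms in the thread (unquoted column names in
// SET/UPDATE, and quoting that only happens on the first call).

/**
 * Quote a single SQL identifier (table or column name) for MySQL.
 * Only plain identifiers, optionally as table.column, are accepted, so a
 * string that is not a bare name is rejected instead of being interpolated.
 */
function quote_identifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    $parts = explode('.', $name);
    return implode('.', array_map(fn($p) => '`' . $p . '`', $parts));
}

/**
 * Build an UPDATE statement with every column name quoted and every value
 * bound as a placeholder. $allowed is the whitelist of columns the caller may
 * touch; `limit` is a reserved word and must be backticked to parse at all.
 * Returns [sql, params] for use with a prepared statement.
 */
function build_update(string $table, array $data, array $allowed, string $keyCol, $keyValue): array
{
    $sets   = [];
    $params = [];
    foreach ($data as $col => $value) {
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("Column not allowed: $col");
        }
        $sets[]   = quote_identifier($col) . ' = ?';
        $params[] = $value;
    }
    $params[] = $keyValue;
    $sql = 'UPDATE ' . quote_identifier($table)
         . ' SET ' . implode(', ', $sets)
         . ' WHERE ' . quote_identifier($keyCol) . ' = ?';
    return [$sql, $params];
}

// Constructed sample input mirroring the thread's user_profile table.
$allowed = ['limit', 'user_id'];
$data    = ['limit' => 5];

// Build the same statement twice: the text must be identical on both calls.
[$first, $params]  = build_update('user_profile', $data, $allowed, 'user_id', 1);
[$second, $unused] = build_update('user_profile', $data, $allowed, 'user_id', 1);

if ($first !== $second) {
    throw new RuntimeException('Identifier quoting is not stable across calls');
}
echo $first, PHP_EOL;

// A column name that is not a bare identifier is rejected, not passed through.
try {
    quote_identifier('limit FROM user_profile');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The whitelist is the important part: column names cannot be bound as prepared-statement parameters, so the only safe way to take them from input is to check them against a fixed list and quote them yourself rather than relying on the framework to add the backticks.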

[eluser]DODMax[/eluser]
It happens to me too (CI 1.7.2)
I did not test more than that, but it seems in some cases CI is only escaping the identifiers during the first query. May come from the driver (MySQL in my case) as it seems the escape_str() function is loaded dynamically according to the driver.

My solution was to change the column names, however this looks like a huge security risk.
Haven't found many more resources on that :(

[eluser]phazei[/eluser]
ah, yeah, I fixed this too a long time ago.

my solution was YiiFramework.com

[eluser]Jaketoolson[/eluser]
Have you updated your CI to the latest release? I had this problem for a bit and then I upgraded my version.