CodeIgniter Forums

Full Version: ODBC SELECT - no value escape ?
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

El Forum

Hi there,

i need to migrate a MSSQL DB to a new DB. In the MSSQL DB, there is no numeric key used for datasets, only strings/names. So, if I foreach the results and try to query other reference tables, i fail on names within a single quote in it:

Quote:[Microsoft][ODBC SQL Server Driver][SQL Server]Zeile 3: Falsche Syntax in der Nähe von 'Andrea'.

SELECT * FROM sysop.SD_Model_Locations WHERE SMLC_SM_Model = 'D'Andrea, Firstname'

Filename: C:\xampp\htdocs\system\database\DB_driver.php

Is it a bug within the CI ODBC driver ?

El Forum

That's a rather ... complicated one. It's as much intended as it is a bug.

Due to the very nature of ODBC - you can use pretty much any database platform without CodeIgniter having a way of knowing which one it is. And different databases have different escape characters and rules, so it's really up to you to do such kind of escaping.

El Forum

For MSSQL sepcifically, you would add another ' to it. So 'D'Andrea, First' would become 'D''Andrea, First'.

So for example to make this work you would have to do a str_replace("'","''",$dbRecord) before using that value in a where clause or insert value etc.

Hopefully this helps, as I just had the same issue last week.