CodeIgniter Forums
DB - Active Record issue with escaping - Printable Version




DB - Active Record issue with escaping - El Forum - 02-02-2009

[eluser]hendrik[/eluser]
In CI 1.6 I used the following code which worked fine:

Code:
$this->db->select('lists.*, properties.createdAt');
$this->db->join('lists', 'lists.id = properties.id');
$query = $this->db->get('properties');

After upgrading to CI 1.7 it doesn't work anymore and gives me the error:

Code:
A Database Error Occurred

Error Number: 1054

Unknown column 'dc_lists.*' in 'field list'

SELECT `dc_lists`.`*`, `dc_properties`.`createdAt` FROM (`dc_properties`) JOIN `dc_lists` ON `dc_lists`.`id` = `dc_properties`.`id`

I've tried passing the 2nd parameter 'FALSE'

Code:
$this->db->select('lists.*, properties.createdAt', FALSE);

which fixes the problem but I'm concerned that the call isn't as secure anymore as the resulting query is (without escapes):

Code:
SELECT dc_lists.*, dc_properties.createdAt FROM (dc_properties) JOIN dc_lists ON dc_lists.id = dc_properties.id

Any ideas?

Thanks


DB - Active Record issue with escaping - El Forum - 02-02-2009

[eluser]davidbehler[/eluser]
This has been reported before, guess it will be fixed in CI 1.7.1:

e.g.
http://ellislab.com/forums/viewthread/94808/
http://ellislab.com/forums/viewthread/103430/

As far as security is concerned I guess you won't have much of a problem as you are not using any variables in your query (so no way to inject SQL code) and your table/column names don't look like they might conflict with any reserved words in MySQL.
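
Added example, not part of the original thread and not CodeIgniter's own code: when identifier escaping is turned off, a field list that is not a hard-coded constant can be checked against an allowlist and quoted by hand, leaving the `*` wildcard bare (the thread's error came from it being quoted as `*` inside backticks). The function name, the `$allowed` schema and the `name` column are assumptions for illustration; how CI 1.7 combines its own table prefixing with pre-quoted input is not shown in the thread, so the example only prints the resulting fragment.

```php
<?php
/**
 * Hypothetical helper: validate and quote a SELECT field list.
 *
 * @param string $select  Comma-separated "table.column" or "table.*" items.
 * @param array  $allowed Map of table name => permitted column names (assumed schema).
 * @param string $prefix  Table prefix, e.g. "dc_" as seen in the thread's error output.
 */
function build_select_list($select, array $allowed, $prefix = '')
{
    $out = array();
    foreach (explode(',', $select) as $item) {
        $item = trim($item);
        // Accept only plain identifiers: no spaces, quotes, aliases or function calls.
        if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)\.([A-Za-z_][A-Za-z0-9_]*|\*)$/', $item, $m)) {
            throw new InvalidArgumentException("Not a plain table.column item: $item");
        }
        list(, $table, $column) = $m;
        if (!isset($allowed[$table])) {
            throw new InvalidArgumentException("Table not allowed: $table");
        }
        if ($column !== '*' && !in_array($column, $allowed[$table], true)) {
            throw new InvalidArgumentException("Column not allowed: $table.$column");
        }
        // Quote table and column names, but emit `table`.* rather than `table`.`*`.
        $out[] = '`' . $prefix . $table . '`.' . ($column === '*' ? '*' : '`' . $column . '`');
    }
    return implode(', ', $out);
}

// Constructed sample schema for the two tables named in the thread.
$allowed = array(
    'lists'      => array('id', 'name'),
    'properties' => array('id', 'createdAt'),
);

// The thread's field list: the wildcard stays unquoted.
echo build_select_list('lists.*, properties.createdAt', $allowed, 'dc_'), "\n";

// Anything that is not a known plain identifier is rejected before it reaches SQL.
try {
    build_select_list('lists.id, properties.createdAt AS x', $allowed, 'dc_');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```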


DB - Active Record issue with escaping - El Forum - 02-02-2009

[eluser]hendrik[/eluser]
Thanks