CodeIgniter Forums
ActiveRecord set/update/select not escaping - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+--- Thread: ActiveRecord set/update/select not escaping (/showthread.php?tid=17115)
ActiveRecord set/update/select not escaping - El Forum - 03-25-2009

[eluser]phazei[/eluser]
I'm using CI 1.7.1 and both
$data = array(.....)
->set($data) and ->update('table', $data)
do not escape the column names with backticks.

Is this just me or has anyone else noticed this?

I noticed because I have a new table with a column named `limit`.



There is also a strange issue with select.
I have a model that has:
$this->db->select('limit');
in a method.

This is what happens if I call it twice (the model echoes last_query()):

Starting First Call
SELECT `limit` FROM (`user_profile`) WHERE `user_id` = '1'
Starting Second Call
A Database Error Occurred

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'limit FROM (user_profile) WHERE `user_id` = '1'' at line 1

SELECT limit FROM (user_profile) WHERE `user_id` = '1'


ActiveRecord set/update/select not escaping - El Forum - 02-25-2011

[eluser]DODMax[/eluser]
It happens to me too (CI 1.7.2).
I did not test more than that, but it seems that in some cases CI only escapes the identifiers during the first query. It may come from the driver (MySQL in my case), as it seems the escape_str() function is loaded dynamically according to the driver.

My solution was to change the column names; however, this looks like a huge security risk.
Haven't found many more resources on that.
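The reserved-word failure and the security concern raised in the post above, as an added example that is not part of the thread or of CodeIgniter's own code. It runs against an in-memory SQLite database instead of the MySQL server the thread uses (an assumption made so the example is self-contained; SQLite accepts the same backtick quoting for identifiers and also treats LIMIT as a reserved word), on a constructed user_profile table with constructed rows. It reproduces the unquoted query that fails in the thread's second call, shows the backtick-quoted form succeeding, and then shows why an identifier taken from a request needs an allowlist and not quoting alone: escaping a string value (what a driver's escape function does) and quoting an identifier are separate operations, and wrapping a name in backticks without doubling any backtick inside it can still be broken out of. The hostile column name, the PERMITTED_COLUMNS set and the helper names are all assumptions for the example.

```python
"""Added example, not code from the thread or from CodeIgniter: it reproduces
the failure the thread describes (an unquoted reserved-word column such as
`limit`), shows that backtick-quoting the identifier fixes it, and shows why
quoting alone is not a defence when the column name comes from outside the
application.

Assumptions: the thread's database is MySQL, but this runs against an
in-memory SQLite database (standard library only), which also accepts
MySQL-style backtick quoting and also treats LIMIT as a reserved word. The
table, its columns and its rows are constructed for the example.
"""
import re
import sqlite3

TABLE = "user_profile"      # constructed, mirrors the table name in the thread
ROWS = [(1, 10), (2, 25)]   # constructed sample data: (user_id, limit)


def quote_identifier(name: str) -> str:
    """MySQL-style identifier quoting: wrap in backticks and double every
    backtick inside the name, so the result is always exactly ONE identifier."""
    return "`" + name.replace("`", "``") + "`"


def naive_quote(name: str) -> str:
    """Wrapping without doubling: fixes reserved words, but a name that
    contains a backtick can break out of the quotes."""
    return "`" + name + "`"


def build_select(column: str, quoter=None) -> str:
    """Build the query from the thread. quoter is None (raw identifier, as in
    the failing second call), naive_quote, or quote_identifier."""
    col = column if quoter is None else quoter(column)
    # user_id = 1 is a fixed application value here, not user input.
    return f"SELECT {col} FROM {quote_identifier(TABLE)} WHERE user_id = 1"


def fresh_db() -> sqlite3.Connection:
    """Constructed schema: a table with a column literally named `limit`."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (user_id INTEGER PRIMARY KEY, `limit` INTEGER)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?)", ROWS)
    return conn


def run_select(column: str, quoter=None):
    """Execute the built query; return the first row, or the string
    'OperationalError' if the database rejects the SQL."""
    conn = fresh_db()
    try:
        return conn.execute(build_select(column, quoter)).fetchone()
    except sqlite3.OperationalError:
        return "OperationalError"
    finally:
        conn.close()


# Columns a caller (e.g. a request parameter choosing a field) may read.
# Assumed for the example; a real application derives this from its schema.
PERMITTED_COLUMNS = frozenset({"user_id", "limit"})
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_permitted(requested: str) -> bool:
    """Allow-list check for an externally supplied column name."""
    return bool(IDENT_RE.match(requested)) and requested in PERMITTED_COLUMNS


def safe_column(requested: str) -> str:
    """Return the quoted identifier or raise ValueError: allow-list first,
    quoting second. Quoting makes a reserved word legal; the allow-list is
    what stops an attacker from choosing the identifier at all."""
    if not is_permitted(requested):
        raise ValueError(f"rejected column name: {requested!r}")
    return quote_identifier(requested)


if __name__ == "__main__":
    print(run_select("limit"))                    # OperationalError (the thread's 2nd call)
    print(run_select("limit", quote_identifier))  # (10,)  (the thread's 1st call)
    hostile = "user_id`, `limit"                  # constructed hostile column name
    print(run_select(hostile, naive_quote))       # (1, 10): broke out and read a 2nd column
    print(run_select(hostile, quote_identifier))  # OperationalError: no such column
    print(is_permitted(hostile), safe_column("limit"))  # False `limit`
```

The raw query fails exactly as in the thread because `limit` is a keyword in the SELECT list; quoting it is a syntax fix. The hostile name shows the security side: with naive wrapping the attacker's embedded backticks close the quote and add a second column to the SELECT list, with doubling the whole string stays one (nonexistent) identifier, and with the allow-list it never reaches the query builder.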


ActiveRecord set/update/select not escaping - El Forum - 02-25-2011

[eluser]phazei[/eluser]
Ah, yeah, I fixed this too a long time ago.

my solution was YiiFramework.com


ActiveRecord set/update/select not escaping - El Forum - 02-25-2011

[eluser]Jaketoolson[/eluser]
Have you updated your CI to the latest release? I had this problem for a bit and then I upgraded my version.