DB Active Record Class WHERE question - Printable Version +- CodeIgniter Forums (https://forum.codeigniter.com) +-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20) +--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forumdisplay.php?fid=23) +--- Thread: DB Active Record Class WHERE question (/showthread.php?tid=4606) |
DB Active Record Class WHERE question - El Forum - 12-05-2007 [eluser]rustyvz[/eluser] Hello all, I hope someone can help me with the following: I have a SQL statement that I need to put into the active record class format: Code: SELECT * When I use the following: Code: $db->from('qanda'); I get this statement as a result: Code: SELECT * I need those paren around the "AND question LIKE 'n;docytosis%' OR answer LIKE 'n;docytosis%'" and I need that part of the code to appear with "AND" as it does in the first example. Any ideas? Thanks in advance! DB Active Record Class WHERE question - El Forum - 12-05-2007 [eluser]gtech[/eluser] the easiest option I can think of Code: $sql = "SELECT * FROM qanda DB Active Record Class WHERE question - El Forum - 12-05-2007 [eluser]JasonSTX[/eluser] Code: $db->from('qanda'); Would something like that work as a workaround? DB Active Record Class WHERE question - El Forum - 12-05-2007 [eluser]ejangi[/eluser] @JasonSTX - I think you're in danger of SQL injection. The method gtech mentioned cleans/quotes the variables before replacing the ?'s (question marks). I could be wrong, but that is my assumption??? DB Active Record Class WHERE question - El Forum - 12-05-2007 [eluser]JasonSTX[/eluser] I guess it isn't a good idea to assume that the parameters information was already cleaned. But you could change it from: $this->parameters['keyword'] to: $this->db->escape($this->parameters['keyword']) But binding the data means you don't have to remember to escape. I was just trying to think of how to do it while still building the query the same way. DB Active Record Class WHERE question - El Forum - 12-05-2007 [eluser]gtech[/eluser] @JasonSTX.. I did try your solution out and it produced the right query (minor modification) Code: $this->db->from('qanda'); result = SELECT * FROM qanda WHERE status = 'a' AND shortcourse = 'b' AND (question LIKE 'c' OR answer LIKE 'd') ORDER BY schoolyear DESC, shortcourse DESC, archivename DESC, createdate ASC, createtime ASC so there you go two possible solutions DB Active Record Class WHERE question - El Forum - 12-05-2007 [eluser]Armchair Samurai[/eluser] I just ran into this the other day. If you have to do it by Active Record: Code: $string = $this->db->escape('%'.$this->parameters['keyword'].'%'); DB Active Record Class WHERE question - El Forum - 12-05-2007 [eluser]JasonSTX[/eluser] [quote author="gtech" date="1196927039"]@JasonSTX.. I did try your solution out and it produced the right query (minor modification) Code: $this->db->from('qanda'); result = SELECT * FROM qanda WHERE status = 'a' AND shortcourse = 'b' AND (question LIKE 'c' OR answer LIKE 'd') ORDER BY schoolyear DESC, shortcourse DESC, archivename DESC, createdate ASC, createtime ASC so there you go two possible solutions[/quote] Do remember to escape the parameters though like in my previous post: change it from: $this->parameters[’keyword’] to: $this->db->escape($this->parameters[’keyword’]) Things would be so much easier if we didn't have to ever worry about security DB Active Record Class WHERE question - El Forum - 12-06-2007 [eluser]rustyvz[/eluser] I'll give those a shot and see how they work! THANKS! One thing about escaping data for security reasons: One of the reasons I specifically used the ARC was because of the following note in the user manual for $this->db->where(): Note: All values passed to this function are escaped automatically, producing safer queries. Nice! Same note for LIKE, SET, UPDATE, DELETE and method chaining! EDIT: Ok, that worked great! Thanks all! I wish there WAS a way to use LIKE & ORLIKE as theu are intended to be used though, but with some sort of 'grouping' (not GROUP BY). I also wonder if I could have used 'having', and just included the whole paren and statement segment in it. Gee, maybe I should test that... :-) |