CodeIgniter Forums
Query Helper append to existing field. - Printable Version




Query Helper append to existing field. - imabot - 10-01-2020

Hi! With CodeIgniter 3, I would like to append a string to an existing field. I did something like:

PHP Code:
$this->db->where('id', $id);
$this->db->set('field', "CONCAT(field, '" . $string . "')", false);
$this->db->update('mytable');

I don't really like "not escaping" the user input. What is the right and secure way to append a string to an existing field?


RE: Query Helper append to existing field. - InsiteFX - 10-01-2020

If you use double quote marks you can do it like this.

PHP Code:
$this->db->set('field', "CONCAT(field, {$string})", false);



RE: Query Helper append to existing field. - imabot - 10-04-2020

(10-01-2020, 12:37 PM)InsiteFX Wrote: If you use double quote marks you can do it like this.

PHP Code:
$this->db->set('field', "CONCAT(field, {$string})", false);

Thank you, but I don't see why this is safer?


RE: Query Helper append to existing field. - includebeer - 10-04-2020

@InsiteFX This is just different syntax for the same result. It doesn’t escape the value and it’s not more secure.

@Imabot Use the escape function, see https://codeigniter4.github.io/userguide/database/queries.html#escaping-queries

PHP Code:
$this->db->set('field', "CONCAT(field, " . $this->db->escape($string) . ")", false);
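
The difference discussed in this thread, as an added stand-alone example that is not code from any of the posters or from CodeIgniter: it appends the same input once by pasting it into the SQL text and once as a bound parameter. Assumptions: PDO with an in-memory SQLite database stands in for the CodeIgniter 3 connection, SQLite's `||` operator stands in for MySQL's `CONCAT()`, and the function names and sample input are made up for the illustration.

```php
<?php
// Added example: PDO + in-memory SQLite as a stand-in for the CI3 database object.
// SQLite's `field || x` plays the role of MySQL's CONCAT(field, x).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mytable (id INTEGER PRIMARY KEY, field TEXT)");
$pdo->exec("INSERT INTO mytable (id, field) VALUES (1, 'hello'), (2, 'other')");

// Unescaped: the value becomes part of the SQL text, as in the first post.
function append_unescaped(PDO $pdo, int $id, string $string): void
{
    $pdo->exec("UPDATE mytable SET field = field || '" . $string . "' WHERE id = " . $id);
}

// Bound: the SQL text is fixed and the value is sent separately as data.
function append_bound(PDO $pdo, int $id, string $string): void
{
    $stmt = $pdo->prepare("UPDATE mytable SET field = field || ? WHERE id = ?");
    $stmt->execute([$string, $id]);
}

function field_of(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare("SELECT field FROM mytable WHERE id = ?");
    $stmt->execute([$id]);
    return (string) $stmt->fetchColumn();
}

$input = " it's"; // constructed sample input containing a single quote

try {
    // The quote in the input closes the SQL string early, so the parser
    // sees different SQL than the developer wrote.
    append_unescaped($pdo, 1, $input);
    echo "unescaped: ", field_of($pdo, 1), "\n";
} catch (PDOException $e) {
    echo "unescaped: statement rejected (", $e->getMessage(), ")\n";
}

// The same input is stored literally, and only row 1 changes.
append_bound($pdo, 1, $input);
echo "bound row 1: ", field_of($pdo, 1), "\n";
echo "bound row 2: ", field_of($pdo, 2), "\n";
```

In CodeIgniter 3 the bound form is available through query bindings, for example `$this->db->query("UPDATE mytable SET field = CONCAT(field, ?) WHERE id = ?", array($string, $id));`.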