CodeIgniter Forums
Database escape problem - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forum-20.html)
+--- Forum: Archived Development & Programming (https://forum.codeigniter.com/forum-23.html)
+--- Thread: Database escape problem (/thread-9913.html)



Database escape problem - El Forum - 07-12-2008

[eluser]no_Ob[/eluser]
Hi all,
I am just a beginner and I have just started using CI again.

Dealing with the databases I run into a problem.

Code:
// Read the raw form fields
$username = $_POST["username"];
$password = $_POST["password"];
$email    = $_POST["email"];
$hirlevel = $_POST["hirlevelradio"];

// escape() returns each value already wrapped in single quotes (e.g. 'dasd')
$username = $this->db->escape($username);
$password = $this->db->escape($password);
$email    = $this->db->escape($email);
$hirlevel = $this->db->escape($hirlevel);

// The hash is computed over the already-quoted password string
$this->load->helper('security');
$password = dohash($password);

// The literal quotes written here are added on top of the ones escape() returned
$query = "INSERT INTO users(username,pass,join_date,email,hirlevel) VALUES('$username','$password',now(),'$email','$hirlevel')";

$this->db->query($query);

If I run this code CI give me this error:
Quote:An Error Was Encountered

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'dasd'','7ab515d12bd2cf431745511ac4ee13fed15ab578',now(),'[email protected]','1')' at line 1

INSERT INTO users(username,pass,join_date,email,hirlevel) VALUES(''dasd'','7ab515d12bd2cf431745511ac4ee13fed15ab578',now(),'[email protected]','1')

But if I comment out the escape commands everything works fine.
What am I doing wrong?


Database escape problem - El Forum - 07-12-2008

[eluser]Derek Jones[/eluser]
escape() already adds quotes for you intelligently based on the variable type. So you're ending up with double single quotes:

Code:
VALUES(''dasd''

Don't use quotes around your variables that you are escape()ing. Alternatively, use $this->db->escape_str() which just escapes the data and doesn't add quotes.

User Guide Reference

Or you can use Active Record's insert() method to handle it all for you:

Code:
// Column name => raw form value; insert() escapes each value for you
$data['username'] = $this->input->post('username');
...

$this->db->insert('users', $data);
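The four ways out of the problem described in this thread, written up as one added example. This is not code from the thread or from CodeIgniter; it assumes CodeIgniter 1.x as used in the post (the Controller base class, the dohash() security helper, query bindings and Active Record) and the users table with the columns from the original query. The class name Users, the method names and the `_fields()` helper are made up for the example. It also hashes the password before any escaping, since in the posted code the hash was taken over the quoted string that escape() returned.

```php
<?php
// Added example, not code from the thread or from CodeIgniter itself.
// Assumes CodeIgniter 1.x (Controller base class, dohash() security helper,
// query bindings, Active Record) and the `users` table from the post.
// The class name, method names and `_fields()` are invented for this example.

class Users extends Controller
{
    // Shared setup: read the form fields and hash the password BEFORE any
    // escaping, so the stored hash is of the password the user typed, not of
    // the quoted string that escape() returns.
    function _fields()
    {
        $this->load->helper('security');

        return array(
            'username' => $this->input->post('username'),
            // dohash() is the CI 1.x sha1 helper, kept to match the thread;
            // a plain sha1 is not an adequate password hash on its own.
            'pass'     => dohash($this->input->post('password')),
            'email'    => $this->input->post('email'),
            'hirlevel' => $this->input->post('hirlevelradio'),
        );
    }

    // Option 1: escape(). It returns the value already quoted ('dasd'),
    // so no quote characters of our own go around the values.
    function create_with_escape()
    {
        $f = $this->_fields();

        $sql = "INSERT INTO users (username, pass, join_date, email, hirlevel) VALUES ("
             . $this->db->escape($f['username']) . ", "
             . $this->db->escape($f['pass']) . ", now(), "
             . $this->db->escape($f['email']) . ", "
             . $this->db->escape($f['hirlevel']) . ")";

        return $this->db->query($sql);
    }

    // Option 2: escape_str(). It only escapes, so the quotes are ours.
    // Forgetting them here is worse than the syntax error in the thread:
    // an unquoted value such as  1 OR 1=1  would be executed as SQL.
    function create_with_escape_str()
    {
        $f = $this->_fields();

        $sql = "INSERT INTO users (username, pass, join_date, email, hirlevel) VALUES ('"
             . $this->db->escape_str($f['username']) . "', '"
             . $this->db->escape_str($f['pass']) . "', now(), '"
             . $this->db->escape_str($f['email']) . "', '"
             . $this->db->escape_str($f['hirlevel']) . "')";

        return $this->db->query($sql);
    }

    // Option 3: query bindings. CI replaces each ? with the escaped and
    // quoted value, so the quoting question does not come up at all.
    function create_with_bindings()
    {
        $f = $this->_fields();

        $sql = "INSERT INTO users (username, pass, join_date, email, hirlevel) "
             . "VALUES (?, ?, now(), ?, ?)";

        return $this->db->query($sql, array($f['username'], $f['pass'], $f['email'], $f['hirlevel']));
    }

    // Option 4: Active Record insert(), as suggested in the reply above.
    // Array keys are column names and each value is escaped for you.
    // join_date is set with FALSE so now() is sent as a function, not a string.
    function create_with_active_record()
    {
        $f = $this->_fields();

        $this->db->set('join_date', 'now()', FALSE);
        return $this->db->insert('users', $f);
    }
}
```

Each `create_*` method inserts one row, so a real controller would expose only one of them as the form's action. The thing to check in any of the hand-built variants is the number of quote characters around each value: exactly one pair, supplied either by escape() and bindings (CI's side) or by you around escape_str() output, never both and never none.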