Active record manual where clause is not automatically escaped as advertised
#1

[eluser]Unknown[/eluser]
Hello,

I used the active record "where" method as such:

$this->db->where("(desc LIKE '%$search%' or name LIKE '%$search%')");

I thought that using the "where" method auto escapes the values but it did not.

In order to get it to work, I had to write the sql using bind variables (ie: ?).

-jeff
#2

[eluser]Matthieu Fauveau[/eluser]
My guess is that it's the intended behavior for the custom string where clauses, because "custom" implies that you don't want CI to do anything on the string you provide it with.

You could write that to avoid using query binding:

Code:
$like = $this->db->escape("%".$search."%");
[...]
$this->db->where('(desc LIKE '.$like.' OR name LIKE '.$like.')');

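For comparison, here is the same search written the three ways discussed in this thread (the raw custom string, query binding with ?, and Active Record like()/or_like()). This is an added example, not code from either poster; it assumes a CodeIgniter 2.x/3.x controller or model with the database library loaded, and the table name "items" is a placeholder.

```php
<?php
// Added example (not from the thread). Assumes $this->db is a loaded
// CodeIgniter database object and that a table named "items" exists.

// 1. What post #1 did: a custom where() string is passed through untouched,
//    so $search lands in the SQL unescaped. A single quote in $search breaks
//    the statement or changes its meaning, so never build it from user input.
$sql_vulnerable = "(desc LIKE '%$search%' OR name LIKE '%$search%')";
// $this->db->where($sql_vulnerable);   // not escaped, as reported in post #1

// 2. Query binding: every ? is replaced by the escaped, quoted value.
//    "desc" is a reserved word in MySQL, so it is backtick-quoted here.
//    Note that % and _ inside $search still act as LIKE wildcards; that is
//    a search-semantics issue, not an injection.
$like  = '%' . $search . '%';
$query = $this->db->query(
    'SELECT * FROM items WHERE (`desc` LIKE ? OR name LIKE ?)',
    array($like, $like)
);

// 3. Active Record like()/or_like(): CI escapes and quotes the value itself
//    and adds the % wildcard on both sides by default, so no manual escaping.
$this->db->like('desc', $search);
$this->db->or_like('name', $search);
$query = $this->db->get('items');

foreach ($query->result() as $row) {
    echo $row->name, "\n";
}
```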