trouble with $this->db->escape()
#1

[eluser]slacker2[/eluser]
I am using CI for the first time and am having trouble with the $this->db->escape() function. I have a MySQL database table with fields for username and password. The application will perform a dohash() on the password before it performs the query. This functionality works fine. When I change the dohash($pw) to dohash($this->db->escape($pw)), it doesn't work. If I echo dohash($pw) and dohash($this->db->escape($pw)), they are different from each other. I am not inputting anything strange, just the word "password".

Any help is greatly appreciated.
#2

[eluser]TheFuzzy0ne[/eluser]
You need to escape it "after" you've hashed it:
Code:
$this->db->escape(dohash($pw));
$this->db->escape is the last thing that should happen before the data goes into the database, therefore, it needs to be on the outside.
#3

[eluser]slacker2[/eluser]
Thanks for the quick reply. I was just testing and noticed that escaping it puts quotes around it. I will switch them around.
#4

[eluser]TheFuzzy0ne[/eluser]
Oh, and welcome to the CodeIgniter forums! :)
#5

[eluser]slacker2[/eluser]
I made the change to $this->db->escape(dohash($pw)). After testing, the hashes are the same. I was still having a problem with the query finding a match due to the quotes around it. I manually edited the database and put quotes around the username and password and it worked. Is this a normal and expected behavior of the escape function? In the end it will be ok if it is, because I will be escaping the input when I add the user to the database. I am just wondering since this could potentially cause some other problems.

Here is the query in my function:
Code:
$this->db->select('id,username');
$this->db->where('username', $this->db->escape($u));
$this->db->where('password', $this->db->escape(dohash($pw)));
$this->db->where('active', 1);
$this->db->limit(1);
$Q = $this->db->get('users');

The output for $u is username while the output for $this->db->escape($u) is 'username'. Is there something else I should be doing?

Thanks.
#6

[eluser]TheFuzzy0ne[/eluser]
You don't need to put quotes around the usernames and passwords in the database. I didn't know you were using the Active Record class. The Active Record class automatically escapes the input, so you don't need to. By doing it, it's being escaped twice, which explains those extra quotes.

Taken from the [url="http://ellislab.com/codeigniter/user-guide/database/active_record.html#insert"]user guide[/url]:

Quote:Note: All values are escaped automatically producing safer queries.
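The two mistakes discussed in this thread (hashing an already-escaped value in #1, and escaping a value before handing it to Active Record in #5) can be reproduced outside CodeIgniter. The following is an added example, not code from the thread or from CodeIgniter: ci_escape() and ar_where() are simplified stand-ins for $this->db->escape() and Active Record's where() that model only the quoting behaviour the posts describe, and sha1() stands in for dohash().

```php
<?php
// Added example (not from the thread or from CodeIgniter).
// ci_escape(): simplified stand-in for $this->db->escape(). Integers pass
// through unchanged; strings get quote characters backslash-escaped and are
// wrapped in single quotes, which is why "username" comes back as "'username'".
function ci_escape($value)
{
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    return "'" . str_replace(
        ["\\", "'", "\""],
        ["\\\\", "\\'", "\\\""],
        (string) $value
    ) . "'";
}

// ar_where(): simplified stand-in for Active Record's where(). It escapes each
// value itself, which is the behaviour the user guide note describes.
function ar_where(array $conditions)
{
    $parts = [];
    foreach ($conditions as $column => $value) {
        $parts[] = "`$column` = " . ci_escape($value);
    }
    return 'WHERE ' . implode(' AND ', $parts);
}

// Constructed sample input.
$u  = 'username';
$pw = 'password';

// Mistake from post #1: escaping before hashing changes the input to the hash,
// so the stored hash of the raw password can never match.
$hashRaw     = sha1($pw);              // what was stored at registration
$hashEscaped = sha1(ci_escape($pw));   // what the login code computed
echo 'hash(raw) == hash(escaped)? ', var_export($hashRaw === $hashEscaped, true), PHP_EOL;

// Mistake from post #5: escaping and then passing to where(), which escapes
// again. The literal now contains the quote characters themselves.
$doubleEscaped = ar_where([
    'username' => ci_escape($u),
    'password' => ci_escape($hashRaw),
]);

// Correct form: pass the raw values; Active Record escapes exactly once.
$escapedOnce = ar_where([
    'username' => $u,
    'password' => $hashRaw,
]);

echo 'double-escaped: ', $doubleEscaped, PHP_EOL;
echo 'escaped once:   ', $escapedOnce, PHP_EOL;

// Sanity check of the two clauses: only the once-escaped literal, after the
// driver strips the outer quotes and backslashes, equals the stored column
// value, so only it can match a row.
function literal_to_value($literal)
{
    $inner = substr($literal, 1, -1);           // drop the outer quotes
    return stripslashes($inner);                // undo the backslash escaping
}
$storedUsername = $u;
echo 'once  matches stored row? ',
    var_export(literal_to_value(ci_escape($u)) === $storedUsername, true), PHP_EOL;
echo 'twice matches stored row? ',
    var_export(literal_to_value(ci_escape(ci_escape($u))) === $storedUsername, true), PHP_EOL;
```

In a real CodeIgniter model the equivalent check is to call $this->db->last_query() after $this->db->get('users') and look at the generated SQL: a value that appears as a quoted string inside another pair of quotes has been escaped twice. The rule from post #2 still holds for the hash itself (hash first, escape last), but with Active Record the "escape last" step is done by where() and should not be repeated by hand.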
#7

[eluser]slacker2[/eluser]
That makes sense. Thanks again!