DB - Active Record issue with escaping
[eluser]hendrik[/eluser]
In CI 1.6 I used the following code, which worked fine:

Code:
$this->db->select('lists.*, properties.createdAt');

After upgrading to CI 1.7 it doesn't work anymore and gives me the error:

Code:
A Database Error Occurred

I've tried passing the 2nd parameter 'FALSE':

Code:
$this->db->select('lists.*, properties.createdAt', FALSE);

which fixes the problem, but I'm concerned that the call isn't as secure anymore, as the resulting query is (without escapes):

Code:
SELECT dc_lists.*, dc_properties.createdAt FROM (dc_properties) JOIN dc_lists ON dc_lists.id = dc_properties.id

Any ideas? Thanks
[eluser]davidbehler[/eluser]
This has been reported before, guess it will be fixed in CI 1.7.1, e.g.:

http://ellislab.com/forums/viewthread/94808/
http://ellislab.com/forums/viewthread/103430/

As far as security is concerned, I guess you won't have much of a problem, as you are not using any variables in your query (so no way to inject SQL code) and your table/column names don't look like they might conflict with any reserved words in MySQL.
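The reply's reasoning holds only while the select list is a fixed string; once column names come from input, disabling escaping needs a check in front of it. An added example (not from the thread and not CodeIgniter code): a hypothetical helper `build_select_list()` with a constructed allowlist that validates every identifier before the string is passed to `select()` with the second parameter `FALSE`.

```php
<?php
// Added example: hypothetical helper, not part of CodeIgniter.
// Constructed allowlist: table => columns the application is willing to select.
const ALLOWED_COLUMNS = [
    'lists'      => ['*', 'id', 'name'],
    'properties' => ['id', 'createdAt'],
];

/**
 * Build a SELECT list from requested "table.column" references.
 * Each reference must be well-formed and present in the allowlist;
 * anything else throws, so no caller-supplied text reaches the query.
 */
function build_select_list(array $requested): string
{
    $parts = [];
    foreach ($requested as $item) {
        // Exactly one dot; identifier characters only (or * as the column).
        // The D modifier stops "$" from matching before a trailing newline.
        $pattern = '/^([A-Za-z_][A-Za-z0-9_]*)\.([A-Za-z_][A-Za-z0-9_]*|\*)$/D';
        if (!is_string($item) || !preg_match($pattern, $item, $m)) {
            throw new InvalidArgumentException('Malformed column reference');
        }
        [, $table, $column] = $m;
        if (!in_array($column, ALLOWED_COLUMNS[$table] ?? [], true)) {
            throw new InvalidArgumentException("Column not allowed: $table.$column");
        }
        $parts[] = "$table.$column";
    }
    if ($parts === []) {
        throw new InvalidArgumentException('Empty select list');
    }
    return implode(', ', $parts);
}

// Constructed inputs: the first mirrors the select list in the thread.
echo build_select_list(['lists.*', 'properties.createdAt']), "\n";

// A reference carrying extra SQL text fails the pattern and is rejected.
try {
    build_select_list(['lists.*', 'properties.createdAt FROM dc_users']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// In a model, the validated string would then be used as in the thread:
//   $this->db->select($list, FALSE);
```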