[eluser]GeoffL[/eluser]
Thanks. As it only lets me see the SQL after it's been sent to the DBMS and most of the time I need this debugging trick when the SQL causes a run-time error (e.g. SQL syntax errors), I at first thought it would be of limited use. However, I deliberately introduced an SQL error and note that CI helpfully included the SQL in the error message it generated.
So while it's not quite what I was looking for, it has let me identify the cause of the problem for this particular case. Running the code in my previous post with username="username" and password="password" produces:
Code:
SELECT *
FROM (`csw_user`)
WHERE `username` = '\'username\''
AND `password` = '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8'
IOW, CI seems to implement its own version of the infamous 'magic quotes'. I did check using phpinfo() and all variants of magic quotes are 'off' on my system (PHP 5.3.5-1ubuntu7.2 under Ubuntu 11.04).
I experimented and now know that I can get rid of the issue for now by changing:
Code:
$this->db->where('username', $this->db->escape($this->input->post('username')));
to
Code:
$this->db->where('username', mysql_real_escape_string($this->input->post('username')));
However, that reduces portability and I may switch to Postgres at some time in the future.
I know that the docs say that db->escape() automatically adds single quotes around the data so you don't have to, but surely it's a common requirement to escape an input value when passed as a parameter of db->where() - and that's somewhere this 'feature' makes no sense. Is this a bug, or am I missing something?
TIA,
Geoff
