Welcome Guest, Not a member yet? Register   Sign In
SQL query prefix bug
#1

[eluser]Rvnikita[/eluser]
Hi.

We have:

Code:
$this->load->database();
$where = "order_type = 1 AND time > 1209497914 AND (realty_type = 0) AND ((price < 2.8 AND price > 1.2 AND currency = 0) OR (price < 0.118721035247 AND price > 0.0508804436775 AND currency = 1) OR(price < 0.0754743427667 AND price > 0.0323461469 AND currency = 2)) AND (metro_group_id = 52 OR 0 OR metro_group_id =0)";
$this->db->where($where);
$final_orders_result=$this->db->get('orders');

After we execute it, we take:
Quote:Error Number: 1054

Unknown column 'rt_order_type' in 'where clause'

SELECT * FROM (`rt_orders`) WHERE `rt_order_type` = 1 AND time > 1209497914 AND (realty_type = 0) AND ((price < 2.8 AND price > 1.2 AND currency = 0) OR (price < 0.118721035247 AND price > 0.0508804436775 AND currency = 1) OR(price < 0.0754743427667 AND price > 0.0323461469 AND currency = 2)) AND (metro_group_id = 52 OR 0 OR metro_group_id =0)

The problem that rt_order_type must be order_type.

After spending a lot of time with hand debuger, and SVN (2 days ago a upgraded from 1.5.4 to 1.6.2) for reverting previous versions, i found, that if in mysql_drive.php we will delete this code
Code:
if (strpos($item, '.') !== FALSE)
{
$aliased_tables = implode(".",$this->ar_aliased_tables).'.';
$table_name =  substr($item, 0, strpos($item, '.')+1);
$item = (strpos($aliased_tables, $table_name) !== FALSE) ? $item = $item : $this->dbprefix.$item;
}
all works ok.
There is no code like this in 1.5.4, but in 1.6.2 it is.
As I understand, there is some problems with this lines.
What must we do? .)
Thank's

P.S. As I understand, the problem may be, because of dots in "price < 2.8" for example.
#2

[eluser]Pascal Kriete[/eluser]
Don't know if this applies in your case, but you can stop the protecting by adding false as a third argument.
Code:
$this->db->where($where, NULL, FALSE);
#3

[eluser]Rvnikita[/eluser]
the problem is that i don't want to stop protection .)
#4

[eluser]Derek Allard[/eluser]
To be clear, it won't stop xss or sql protection, all that will do is prevent CodeIgniter from throwing `backticks` around you table name.
#5

[eluser]Rvnikita[/eluser]
[quote author="Derek Allard" date="1212123414"]To be clear, it won't stop xss or sql protection, all that will do is prevent CodeIgniter from throwing `backticks` around you table name.[/quote]
No problem Wink




Theme © iAndrew 2016 - Forum software by © MyBB