DB - Active Record issue with escaping

#1
[eluser]hendrik[/eluser]
In CI 1.6 I used the following code which worked fine:

Code:
$this->db->select('lists.*, properties.createdAt');
$this->db->join('lists', 'lists.id = properties.id');
$query = $this->db->get('properties');

After upgrading to CI 1.7 it doesn't work anymore and gives me the error:

Code:
A Database Error Occurred

Error Number: 1054

Unknown column 'dc_lists.*' in 'field list'

SELECT `dc_lists`.`*`, `dc_properties`.`createdAt` FROM (`dc_properties`) JOIN `dc_lists` ON `dc_lists`.`id` = `dc_properties`.`id`

I've tried passing the 2nd parameter 'FALSE'

Code:
$this->db->select('lists.*, properties.createdAt', FALSE);

which fixes the problem but I'm concerned that the call isn't as secure anymore as the resulting query is (without escapes):

Code:
SELECT dc_lists.*, dc_properties.createdAt FROM (dc_properties) JOIN dc_lists ON dc_lists.id = dc_properties.id

Any ideas?

Thanks

#2
[eluser]davidbehler[/eluser]
This has been reported before, guess it will be fixed in CI 1.7.1:

e.g.
http://ellislab.com/forums/viewthread/94808/
http://ellislab.com/forums/viewthread/103430/

As far as security is concerned, I guess you won't have much of a problem as you are not using any variables in your query (so no way to inject SQL code) and your table/column names don't look like they might conflict with any reserved words in MySQL.
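As an added illustration for this thread (not CodeIgniter's own code): what the identifier protection discussed above should produce for `lists.*`, and the column whitelist that actually matters when `select($fields, FALSE)` is fed names taken from a request. The table prefix `dc_`, the helper names and PHP 7.4+ are assumptions.

```php
<?php
// Added illustration for this thread, not CodeIgniter's own code.
// Assumes a table prefix of "dc_" as in the error message above and PHP 7.4+.

// Quote one identifier the way Active Record's escaping is meant to:
// prefix the table part, backtick each part, but never quote "*".
function protect_identifier(string $item, string $prefix = 'dc_'): string
{
    $quote = fn(string $p): string => '`' . str_replace('`', '``', $p) . '`';
    $item = trim($item);
    if ($item === '*') {
        return '*';
    }
    $parts = explode('.', $item, 2);
    if (count($parts) === 2) {
        [$table, $column] = $parts;
        $col = ($column === '*') ? '*' : $quote($column);
        return $quote($prefix . $table) . '.' . $col;
    }
    return $quote($item);
}

// Build the SELECT ... FROM part of a query from a field list.
function build_select(array $fields, string $table, string $prefix = 'dc_'): string
{
    $escaped = array_map(fn($f) => protect_identifier($f, $prefix), $fields);
    return 'SELECT ' . implode(', ', $escaped) . ' FROM ' . protect_identifier($table, $prefix);
}

// Identifier escaping only guards against reserved words and odd characters;
// when the field list comes from request input, restrict it to known columns
// before passing it to select($fields, FALSE). Hypothetical helper.
function safe_columns(array $requested, array $allowed): array
{
    foreach ($requested as $col) {
        if (!in_array($col, $allowed, true)) {
            throw new InvalidArgumentException("Column not permitted: $col");
        }
    }
    return array_values($requested);
}

// The field list from the thread, with "lists.*" treated correctly:
echo build_select(['lists.*', 'properties.createdAt'], 'properties'), PHP_EOL;

// Only whitelisted columns reach the unescaped select():
$allowed = ['lists.id', 'lists.name', 'properties.createdAt'];
echo build_select(safe_columns(['lists.name', 'properties.createdAt'], $allowed), 'properties'), PHP_EOL;
```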

#3
[eluser]hendrik[/eluser]
Thanks

