ActiveRecord set/update/select not escaping

#1
[eluser]phazei[/eluser]
I'm using CI 1.7.1 and both
$data = array(.....)
->set($data) and ->update('table', $data)
do not escape the column names with backticks.

Is this just me or has anyone else noticed this?

I noticed because I have a new table with a column named `limit`.



There is also a strange issue with select.
I have a model that has:
$this->db->select('limit');
in a method.

This is what happens if I call it twice, it echos last_query() in the model:

Starting First Call
SELECT `limit` FROM (`user_profile`) WHERE `user_id` = '1'
Starting Second Call
A Database Error Occurred

Error Number: 1064

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'limit FROM (user_profile) WHERE `user_id` = '1'' at line 1

SELECT limit FROM (user_profile) WHERE `user_id` = '1'

#2
[eluser]DODMax[/eluser]
It happens to me too (CI 1.7.2).
I did not test more than that, but it seems in some cases CI is only escaping the identifiers during the first query. It may come from the driver (MySQL in my case), as it seems the escape_str() function is loaded dynamically according to the driver.

My solution was to change the column names; however, this looks like a huge security risk.
Haven't found many more resources on that.
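Added example (not phazei's code, not DODMax's, and not CodeIgniter's own driver code): the failure in both posts above comes down to one rule, that every identifier must be quoted on every query, because a bare reserved word such as limit is a syntax error regardless of how well values are escaped. Value escaping (escape_str() in CI) and identifier quoting are separate layers; a placeholder can never carry a column or table name, so identifiers need an allow-list plus backticks instead. The script below reproduces the thread's two queries with Python's bundled sqlite3 standing in for MySQL (assumption: both accept backtick-quoted identifiers and both reserve LIMIT). The table, the row, and the helper names quote_identifier, build_select, demo_db, run_quoted and run_unquoted are all constructed for this example.

```python
import re
import sqlite3

# Allow-list for a single identifier part: letters, digits, underscore.
# Anything else (backticks, semicolons, spaces) is rejected outright rather
# than "escaped", because identifiers cannot be passed through a placeholder.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_identifier(name: str) -> bool:
    """True if every dotted part of name (e.g. table.column) is allow-listed."""
    return all(_IDENT.match(part) for part in name.split("."))


def quote_identifier(name: str) -> str:
    """Wrap each dotted part in backticks, MySQL style.

    Quoting every identifier every time is what makes a reserved word such
    as `limit` safe as a column name; the allow-list check keeps a quoted
    identifier from smuggling in a closing backtick.
    """
    if not is_valid_identifier(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return ".".join("`" + part + "`" for part in name.split("."))


def build_select(columns, table, where_col):
    """SELECT with every identifier quoted; the WHERE value stays a placeholder."""
    cols = ", ".join(quote_identifier(c) for c in columns)
    return (f"SELECT {cols} FROM {quote_identifier(table)} "
            f"WHERE {quote_identifier(where_col)} = ?")


def demo_db():
    # Constructed sample schema mirroring the thread: a column literally named limit.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `user_profile` (`user_id` INTEGER, `limit` INTEGER)")
    conn.execute("INSERT INTO `user_profile` VALUES (1, 42)")
    return conn


def run_quoted(conn):
    """The first-call query from the thread: identifiers backticked, so it works."""
    sql = build_select(["limit"], "user_profile", "user_id")
    return conn.execute(sql, (1,)).fetchone()[0]


def run_unquoted(conn):
    """The second-call query from the thread: bare identifiers, so it fails.

    Returns the database error text, or None if the query unexpectedly ran.
    """
    try:
        conn.execute("SELECT limit FROM user_profile WHERE user_id = ?", (1,))
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = demo_db()
    print(build_select(["limit"], "user_profile", "user_id"))
    print("quoted   ->", run_quoted(db))
    print("unquoted ->", run_unquoted(db))
```

The practical check for a framework bug like the one reported is to log last_query() on the second and later calls, not just the first, and to grep the generated SQL for any identifier that is not wrapped in backticks; a reserved-word column such as limit makes the omission visible immediately, but a non-reserved column with the same omission is just as unquoted.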

#3
[eluser]phazei[/eluser]
Ah, yeah, I fixed this too a long time ago.

my solution was YiiFramework.com

#4
[eluser]Jaketoolson[/eluser]
Have you updated your CI to the latest release? I had this problem for a bit and then I upgraded my version.



