[eluser]Thorpe Obazee[/eluser]
[quote author="Bogdan Tanase" date="1245153764"]OT:
Hmm... what about the bugs in the database class where escaping goes wild?
example:
Code:
$this->db->select('products.*, users.user_name');
/* this will produce:
SELECT `products`.`*`, users.user_name
-> syntax error
*/
In this case the solution was to use a third FALSE parameter to cancel escaping, which I believe leaves the query vulnerable to SQL injection. Am I right?
Have they been corrected? I haven't checked the SVN in a while...
Also, in some cases, due to limitations of Active Query you'll have to write standard queries:
Code:
$this->db->query("SELECT * FROM products WHERE prod_name='$prod_name'");
I believe this is not escaped, right?[/quote]
I don't think that causes any error. It will produce the correct statement. I just tested it.
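A stand-alone illustration of the unescaped query() concern in the quoted post, added here and not part of the thread: it uses PDO with in-memory SQLite in place of CodeIgniter's $this->db so it runs without the framework, and assumes the products/prod_name schema shown there. CodeIgniter's own bound form of the safe query is $this->db->query($sql, array($prod_name)).

```php
<?php
// Added example (not from the forum thread). PDO + in-memory SQLite stand in
// for CodeIgniter's $this->db so the script runs stand-alone; the table layout
// (products.prod_name) is taken from the quoted post, the rows are constructed.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, prod_name TEXT)");
    // Constructed sample rows.
    foreach (['Widget', 'Gadget', 'Sprocket'] as $name) {
        $db->exec("INSERT INTO products (prod_name) VALUES ('$name')");
    }
    return $db;
}

// Unsafe: the value is spliced into the SQL text, exactly as in the quoted post,
// so a quote inside $prod_name changes the meaning of the WHERE clause.
function find_unsafe(PDO $db, string $prod_name): array {
    $sql = "SELECT * FROM products WHERE prod_name='$prod_name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value travels as a bound parameter and is never parsed as SQL.
// (CodeIgniter equivalent: $this->db->query($sql, array($prod_name)).)
function find_bound(PDO $db, string $prod_name): array {
    $stmt = $db->prepare("SELECT * FROM products WHERE prod_name = ?");
    $stmt->execute([$prod_name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$input = "' OR '1'='1";   // constructed hostile input

// Interpolated: the WHERE clause is rewritten and every product comes back.
printf("unsafe: %d rows\n", count(find_unsafe($db, $input)));
// Bound: the same string is compared literally against prod_name and matches nothing.
printf("bound:  %d rows\n", count(find_bound($db, $input)));
// Bound with an ordinary value still works as intended.
printf("bound, normal input: %d rows\n", count(find_bound($db, 'Widget')));
```

Running it side by side makes the difference visible in the row counts rather than in the SQL text, which is the check to apply to any hand-written query() call that bypasses Active Record.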