Welcome Guest, Not a member yet? Register   Sign In
order by incorrect escaping
#1

[eluser]dmyers[/eluser]
My MySQL order by clause contains

$orderby = ‘concat(firstname,lastname) asc’

because I want to sort by the combined first and last names (which works in MySQL) but, when I try to add it with CI active record via $this->db->order_by($orderby) it doesn’t work because CI tries to escape it to ORDER BY CONCAT(firstname, `lastname)` asc which of course throws a MySQL error. How can I add it and not have CI try to escape it? Is there a secret “don’t escape” parameter?

I suppose a change as such needs to be done in the core files.
#2

[eluser]dmyers[/eluser]
What I did in my core file as per my other post.

Add this to the core file DB_active_rec.php around line 885. Then I just add “true” to the function to “not” try to escape the input. Perhaps a final parameter on every Active Record function that trys to auto escape data would fix a lot of SQL escaping problems????

$this->db->order_by($orderby,true);


/**
* Sets the ORDER BY value
*
* @access public
* @param string
* @param string direction: asc or desc
* @return object
*/
function order_by($orderby, $direction = ‘’)
{
if ($direction === true) {
// doesn’t handle CI “caching”
$this->ar_orderby[] = $orderby;
return $this;
}
#3

[eluser]hyperfire[/eluser]
Just leaving this here for future reference:

// set this to false so that _protect_identifiers skips escaping:
$this->db->_protect_identifiers = FALSE;

// your order_by line:
$this -> db -> order_by('FIELD ( products.country_id, 2, 0, 1 )');

// important to set this back to TRUE or ALL of your queries from now on will be non-escaped:
$this->db->_protect_identifiers = TRUE;
#4

[eluser]tolinho[/eluser]
@hyperfire Big thanks!! Solved my problem with you suggestion




Theme © iAndrew 2016 - Forum software by © MyBB