Having a weird Active Record insert problem

[eluser]plasticated[/eluser]
I tend to use Active Record when I am writing webapps with Codeigniter as I am lazy and AR tends to cover my ass with stuff like escaping queries etc.

Just wrote a basic script to import an XML file and insert the nodes into a database.

The problem is, although the insert code worked fine (nothing complex here), as soon as I hooked it up to the XML output I am getting a database error.

I copied and pasted the SQL query and attempted to run it manually, and I do indeed get an error. The problem appears to be that the values are not being escaped.

However, all the documentation I read tells me that this is done automatically.

Here is the SQL that is shown on my error page:

Code:

INSERT INTO `feed_items` (`title`, `subtitle`, `summary`, `url`, `length`, `pub_date`, `keywords`) VALUES (A Message To The JBs, A Message To The JBs, This is a very old mashup which I am planning on resequencing from scratch soon!, http://soundcloud.com/phatplastic/a-message-to-the-jbs/download, 240666, '2009-12-01 11:31:04', hip hop, funk, soul, breaks, ska)

I don't understand this at all as I have used similar db insert scripts a million times with no issue.

The full code of my script is here:

Code:

function import($type, $username, $id = '')
    {            
        /* grab Soundcloud account name from settings */
        
        $feedurl = 'http://api.soundcloud.com/users/' . $username . '/tracks';
        
        /* check that both username and password are supplied */
        
        $ch = curl_init() or die(curl_error());
        curl_setopt($ch, CURLOPT_URL, $feedurl);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $result = curl_exec($ch) or die(curl_error());
        
        /* process the response */
        
        $soundcloud_feed = new SimpleXMLElement($result);
        
        /* import new items into db */
        
        foreach ($soundcloud_feed->track as $row) {
            
            /* convert date/time format */
            
            $timestamp = str_replace("T", " ", $row->{'created-at'});
            $timestamp = str_replace("Z", "", $timestamp);
            
            /* essemble data and insert into db */
            
            $data = array(

                'title'     => $row->title,
                'subtitle'     => $row->title,
                'summary'     => $row->description,
                'url'         => $row->{'download-url'},
                'length'     => $row->duration,
                'pub_date'     => $timestamp,
                'keywords'     => $row->{'tag-list'}
            );

            $this->db->insert('feed_items', $data);
            
            return 'Done!';
            
        }
        
    }

Anyone had problems like this?

[eluser]plasticated[/eluser]
I fixed the issue by using this alternative code, but I would still like to know why I am experiencing this behaviour.

Code:

$sql = "INSERT INTO `feed_items` (`title`, `subtitle`, `summary`, `url`, `length`, `pub_date`, `keywords`) VALUES ('?', '?', '?', '?', '?', ?, '?')";
            
            $data = array(

                'title'     => $row->title,
                'subtitle'     => $row->title,
                'summary'     => $row->description,
                'url'         => $row->{'download-url'},
                'length'     => $row->duration,
                'pub_date'     => $timestamp,
                'keywords'     => $row->{'tag-list'}
            );

            $this->db->query($sql, $data);

[eluser]Ben Edmunds[/eluser]
Hey Shealan,

Glad to see you expanding on the code

What DB type are you using? Also, what does a print_r of data look like?

[eluser]Unknown[/eluser]
I'm having the same issue with AR query values not being escaped when the data comes from an XML file read in with simplexml. A print_r call on any of the rows in the XML object doesn't reveal anything of interest aside from the fact that there are no quotes around any of the values.

Update: found the source of the issue. The AR query expects strings, and the values simplexml returns are objects. See this thread for more info...