Bug in Active Record WHERE function
#1

[eluser]Neil_W[/eluser]
Hello,
The manual says you can enter a customer string as the where clause. So I entered the following:

Code:
$where = "parent_id=0 AND (status='$status' OR platform like '$platform%')";
$this->db->where($where);

However, the system returns an error because it is trying to put back ticks around all of the first clause, i.e.:
Code:
Unknown column 'parent_id=0' in 'where clause'

SELECT `easylink`, `name` FROM (`retro_games`) WHERE `parent_id=0` AND (status='finished' OR platform like '%') ORDER BY `name` asc

If I swap it around it seems to manage ok:
Code:
$where = "(status='$status' OR platform like '%$platform%') AND parent_id=0";
$this->db->where($where);


Is there something missing?

btw, I think what's missing from the active record methods is the ability to set a flag in the WHERE, etc functions to bracket the current entry. That way I could have used the other methods to chain the where clauses together.
#2

[eluser]Armchair Samurai[/eluser]
Try separating your column from your value - I've run into a similar issue at one point and the CI parser was reading the entire clause as a column without the spaces.

Code:
parent_id = 0 // ... not parent_id=0

Tangentially related, I think it would be safer to do this:

Code:
$status = $this->db->escape($status);
$platform = $this->db->escape_like_str($platform);

$this->db->where('parent_id', 0);
$this->db->where("(status = $status OR platform LIKE '$platform%')", NULL, FALSE);
#3

[eluser]Neil_W[/eluser]
Putting in the spaces does fix it, so I guess there's a little bug there.

Thanks for the tip, I guess using FALSE means it has less work to do, given there is actually no need for them in this example as the names are quite valid :)

Regarding your use of escape functions, in this example the data is coming from the URL segments so I figured there was no need to escape it as CI is strict on this and escaping would serve no purpose?
#4

[eluser]Armchair Samurai[/eluser]
With most DB functions, there's a third parameter which, when set to FALSE, does not escape any submitted data. When you're using things like SQL functions or brackets, it's best to escape the data manually if you're using CI's Active Record, otherwise it can really mangle your query up.

As far as the escaping goes, I follow the "always assume submitted data is malicious" school of thought, so I pretty much escape everything unless it's hard-coded into the script. ;-)
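The two patterns discussed in #2 and #4 side by side, as an added example rather than code from the thread: the unsafe version splices URL-segment values into a raw WHERE string with escaping switched off, the safe version lets Active Record escape the simple comparison and hand-escapes only the bracketed part. It assumes the CI 2.x Active Record API used in the thread; the model name is hypothetical and the table and column names are the ones from the first post.

```php
<?php
// Added example, not from the original thread. Hypothetical model name.
class Games_model extends CI_Model
{
    // UNSAFE: $status and $platform come straight from the URL and are
    // interpolated into a raw string with the third argument FALSE, so
    // nothing is escaped. A segment containing a quote changes the query.
    public function unsafe_find($status, $platform)
    {
        $this->db->select('easylink, name');
        $this->db->from('retro_games');
        $this->db->where(
            "parent_id = 0 AND (status = '$status' OR platform LIKE '$platform%')",
            NULL,
            FALSE
        );
        $this->db->order_by('name', 'asc');
        return $this->db->get()->result();
    }

    // SAFE: simple comparisons go through where($key, $value) so AR escapes
    // and backticks them; only the bracketed OR group is written by hand,
    // and its values are escaped before interpolation.
    public function safe_find($status, $platform)
    {
        // escape() wraps the value in quotes and escapes quotes inside it.
        $status = $this->db->escape($status);
        // escape_like_str() escapes quotes plus the LIKE wildcards % and _
        // but adds no outer quotes, so the literal is quoted in the string.
        $platform = $this->db->escape_like_str($platform);

        $this->db->select('easylink, name');
        $this->db->from('retro_games');
        $this->db->where('parent_id', 0);
        $this->db->where(
            "(status = $status OR platform LIKE '$platform%')",
            NULL,
            FALSE
        );
        $this->db->order_by('name', 'asc');
        return $this->db->get()->result();
    }
}
```

Later CodeIgniter 3 releases added group_start()/group_end() to Query Builder, which gives the bracketing the first post asks for without a hand-written string at all.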
#5

[eluser]Musa[/eluser]
Thanks Armchair Samurai. So we need spaces between the key, the value and the conditional operators.
