Active Record insert doesn't appear to be escaping queries...

#1
[eluser]gabe[/eluser]
User guide says queries are escaped, I am using MySQL 5 DB and this is the kind of query I run:
Code:
$data = array( 'forename' => "helo ' world`" );
$this->db->insert( 'mytable', $data );

The table row then contains the following:
Code:
helo ' world`


However, if I manually escape it like so:
Code:
$data = array( 'forename' => $this->db->escape( "helo ' world`" ) );
$this->db->insert( 'mytable', $data );


The table row then contains the following:
Code:
'helo \' world`'



Which is what I expected. Is anyone able to shed some light on this issue, or reassure me that Active Record insert is escaping the data, but that it just didn't see the need to escape this particular string?

Many thanks

Gabriel

#2
[eluser]pvijayanands[/eluser]
Can you use the addslashes and trim functions?

Code:
$field_value = addslashes(trim($field_value));

#3
[eluser]gabe[/eluser]
Thanks for your reply. There are many ways to escape queries in CI, and you have a valid suggestion. However, the point I am trying to make is that the Active Record pattern I was using should escape the query for me, but it doesn't seem to be. I was wondering why this might be the case?

Kind regards

Gabriel

#4
[eluser]gabe[/eluser]
Apologies for the bad form in replying to my own thread. Is this normal and expected behaviour from CodeIgniter and I'm just being silly?

Does anyone else have experience of this, or is anyone able to run a little test and see if their results agree with mine?

Cheers!

#5
[eluser]jeffpeck[/eluser]
The User Guide says:
"Note: All values are escaped automatically producing safer queries."

I have not tested this, but if you noticed it, it may be a bug...

#6
[eluser]Michael Wales[/eluser]
I think that statement is referring to escaping the values for MySQL - not for PHP echoing.

If this line was unescaped it would generate a MySQL error.
Code:
$data = array( 'forename' => "helo ' world`" );
$this->db->insert( 'mytable', $data );
// INSERT INTO mytable (forename) VALUES ('helo ' world`);

If this line was properly escaped it would issue the following query and give you the result you are currently getting:
Code:
// INSERT INTO mytable (forename) VALUES ('helo \' world`');
The value in your table would be:
Quote:helo ' world`
As you are receiving.


Maybe I am misunderstanding it all... it just kind of works for me without ever worrying about it.
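To make the point in this reply concrete, here is an added Python model (not code from the thread or from CodeIgniter) of a database layer that escapes each value exactly once, the constructed value from the first post, and what the server ends up storing when the value is escaped once versus escaped by hand and then again by insert():

```python
# Added illustration, not CodeIgniter code: a minimal model of escape() and
# insert() plus a decoder for what a MySQL-style server stores from the literal.
RAW = "helo ' world`"  # constructed: the value used in the thread

# Characters MySQL treats specially inside a single-quoted string literal
_ESC = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
        "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
_UNESC = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a"}

def mysql_escape(value: str) -> str:
    """Backslash-escape special characters; does not add quotes."""
    return "".join(_ESC.get(ch, ch) for ch in value)

def db_escape(value: str) -> str:
    """Model of $this->db->escape(): escape once and wrap in single quotes."""
    return "'" + mysql_escape(value) + "'"

def build_insert(table: str, data: dict) -> str:
    """Model of $this->db->insert(): every value is escaped exactly once."""
    cols = ", ".join(f"`{c}`" for c in data)
    vals = ", ".join(db_escape(v) for v in data.values())
    return f"INSERT INTO `{table}` ({cols}) VALUES ({vals})"

def stored_value(sql: str) -> str:
    """Decode the first single-quoted literal after VALUES the way the server
    does, i.e. resolve backslash escapes; the result is what lands in the row."""
    lit = sql[sql.index("VALUES ('") + len("VALUES ('"):]
    out, i = [], 0
    while lit[i] != "'":          # an escaped quote is consumed below, so this
        if lit[i] == "\\":        # stops only at the literal's closing quote
            i += 1
            out.append(_UNESC.get(lit[i], lit[i]))
        else:
            out.append(lit[i])
        i += 1
    return "".join(out)

def escaped_once() -> tuple[str, str]:
    """insert() alone: the query carries \\' but the row holds the raw text."""
    sql = build_insert("mytable", {"forename": RAW})
    return sql, stored_value(sql)

def escaped_twice() -> tuple[str, str]:
    """escape() then insert(): the quotes and backslash are stored as data."""
    sql = build_insert("mytable", {"forename": db_escape(RAW)})
    return sql, stored_value(sql)
```

escaped_once() stores `helo ' world`` and escaped_twice() stores `'helo \' world`'`, matching the two results reported in the first post.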

#7
[eluser]mamboo[/eluser]
:zip:

