change $_escape_char from application [migration problem]
#1

I have various apps working with CI 2.2.x and the OCI8 driver, in which I have to pull the trick of setting the system DB variable $_escape_char to empty, so that case sensitivity won't be an issue in the app.

That allows queries like this to work on Oracle and CI:
Code:
SELECT code, description FROM SALES.EXCHANGE WHERE company = 'GOOG'

But the recent CI 3.0 version made this variable protected, which makes migration a titanic task, due to the changes to be made in queries, in variables, in HTML forms and perhaps in JS code also.

The very simple solution is to change the line in system/database/drivers/oci8/oci8_driver.php, but that means that I have to remember that every time I upgrade CI.

So... what's the best way to have this from application (not system)?
PHP Code:
$this->db->_escape_char = '';
  • since it's protected, we cannot change it,
  • since it's in database class we cannot extend it
... what am I missing?

Also, why does it have to be protected? ('just because' is not a good reason)

More Info: https://github.com/bcit-ci/CodeIgniter/issues/3757
Also: https://github.com/bcit-ci/CodeIgniter/pull/3759
#2

Changing escape_char to empty is a security risk because you are effectively disabling SQL injection protection with that. That's why it's not allowed to change. There is no other reason to change this. Your problem is that you are not using correct names. Either rewrite your queries to use the correct case, or rename your tables to use the case you are using in your queries, or check if you can configure your database server to ignore different case.
#3

(04-15-2015, 12:01 AM)gadelat Wrote: Changing escape_char to empty is a security risk because you are effectively disabling SQL injection protection with that.
Thanks for the reply gadelat, but I don't follow... that variable (CI_DB_driver::$_escape_char) is used only in these functions:
  • CI_DB_driver::escape_identifiers($item)
  • CI_DB_query_builder::_is_literal($str)
and I guess it is only for IDENTIFIERS, which are different from VALUES, which are the problem in SQL injection.
As I understand it, SQL injection is avoided in OCI8 by using query parameters "?"

And regarding the possible solutions:
1) "rewrite your queries": besides models, it is a problem with ActiveRecord that gets data from an HTML form; this will imply changes in the JS validation, changes in the HTML form... I already started that, it is too much and too error prone. For new projects... excellent, for old ones migrating... it is a pain in... well, you get the idea.
2) "rename your tables": it is not the tables only, it is the fields also, and that is a "no no", since the database is shared with other systems.
3) "database server to ignore different case" is a major change that the DBA is not willing to investigate/make; for me this means "IT bureaucracy", which is a great, great delay.

I'm pretty sure I'm not alone in this case scenario, I know that many CI 2.x apps are interacting with OCI8 and using that hack, and that they will have this problem when migrating to CI 3.0

Narf told me that there was a way, can't find it yet!
#4

Code:
$db['default']['_escape_char'] = '';

Don't thank me, this is a bad thing to do.
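
An added example, not part of the thread and not CodeIgniter's code: a simplified stand-in for identifier quoting (the names `quote_identifier`, `allowed_identifier` and `build_query` are hypothetical) that shows identifiers and bound values being handled separately, and an allow-list for column names that reach the SQL text when the escape character is empty. The form inputs are constructed.

```php
<?php
// Simplified stand-in for identifier quoting; NOT CodeIgniter's implementation.
function quote_identifier(string $name, string $escapeChar): string
{
    if ($escapeChar === '') {
        return $name; // empty escape char: the name reaches the SQL text unchanged
    }
    // Double any embedded quote character, then wrap each dotted part.
    $parts = array_map(
        fn ($p) => $escapeChar . str_replace($escapeChar, $escapeChar . $escapeChar, $p) . $escapeChar,
        explode('.', $name)
    );
    return implode('.', $parts);
}

// Allow-list for identifiers that are written into SQL text unquoted.
function allowed_identifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("identifier not allowed: $name");
    }
    return $name;
}

function build_query(string $column, string $escapeChar): string
{
    // The value is always a bind placeholder; only the identifier is SQL text.
    return 'SELECT code, description FROM SALES.EXCHANGE WHERE '
         . quote_identifier($column, $escapeChar) . ' = ?';
}

$allowed = ['company', 'code', 'description'];
$inputs  = ['company', 'company = company OR code']; // constructed form inputs

foreach ($inputs as $col) {
    // Quoted: one identifier token. On Oracle a quoted name is case-sensitive,
    // so "company" no longer matches a column stored as COMPANY.
    echo 'quoted:   ', build_query($col, '"'), PHP_EOL;
    // Unquoted: Oracle folds the name to upper case, but the string is raw SQL.
    echo 'unquoted: ', build_query($col, ''), PHP_EOL;
    try {
        echo 'checked:  ', build_query(allowed_identifier($col, $allowed), ''), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The `?` placeholder protects the value in every variant; the column name is protected only by quoting or by the allow-list.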