Active record manual where clause is not automatically escaped as advertised

#1
[eluser]Unknown[/eluser]
Hello,

I used the active record "where" method as such:

$this->db->where("(desc LIKE '%$search%' or name LIKE '%$search%')");

I thought that using the "where" method auto escapes the values but it did not.

In order to get it to work, I had to write the sql using bind variables (ie: ?).

-jeff

#2
[eluser]Matthieu Fauveau[/eluser]
My guess is that it's the intended behavior for the custom string where clauses, because "custom" implies that you don't want CI to do anything with the string you provide it with.

You could write that to avoid using query binding:

Code:
$like = $this->db->escape("%".$search."%");
[...]
$this->db->where('(desc LIKE '.$like.' OR name LIKE '.$like.')');
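For comparison, here is the unescaped custom-string where() from the first post next to the three safe alternatives discussed in this thread (query binding, manual escape(), and the Active Record like() helpers). This is an added example written for this page, not code from either poster; it assumes a CodeIgniter 2.x-era model with the database library loaded and uses a constructed table name `items` with the thread's `desc` and `name` columns.

```php
<?php
// Added example, not from the thread. Assumes a CodeIgniter 2.x model with
// $this->db loaded; the table name `items` is constructed for illustration.
class Item_model extends CI_Model
{
    // UNSAFE: a custom string passed to where() goes into the SQL verbatim,
    // so quotes inside $search are never escaped and can break or alter the
    // query. This is the situation described in the first post.
    public function search_unsafe($search)
    {
        $this->db->where("(desc LIKE '%$search%' OR name LIKE '%$search%')");
        return $this->db->get('items')->result();
    }

    // Query binding (what the first post fell back to): each ? is replaced
    // by the escaped value; the wildcards travel inside the bound string.
    public function search_bound($search)
    {
        $like = '%' . $search . '%';
        $sql  = 'SELECT * FROM items WHERE desc LIKE ? OR name LIKE ?';
        return $this->db->query($sql, array($like, $like))->result();
    }

    // Manual escaping (the second post's suggestion): escape() returns the
    // value already quoted and escaped, so it is concatenated as-is.
    public function search_escaped($search)
    {
        $like = $this->db->escape('%' . $search . '%');
        $this->db->where('(desc LIKE ' . $like . ' OR name LIKE ' . $like . ')');
        return $this->db->get('items')->result();
    }

    // Active Record's LIKE helpers: like()/or_like() escape the value and add
    // the wildcards themselves, so no WHERE string is hand-built at all.
    public function search_active_record($search)
    {
        $this->db->like('desc', $search);
        $this->db->or_like('name', $search);
        return $this->db->get('items')->result();
    }
}
```

Note that escape() protects the quoting but leaves a user-supplied `%` or `_` meaningful to LIKE, so the match can still be widened; the like() helpers avoid hand-building the clause entirely.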

