Active Record insert doesn’t appear to be escaping queries…

| | | | |
|---|---|---|---|
| Date: | 11/29/2007 | Severity: | Major |
| Status: | Bogus | Reporter: | gabe |
| Version: | 1.5.4 | | |
| Keywords: | Libraries, Database Class | | |
| Forum Thread: | http://codeigniter.com/forums/viewthread/65805/#324305 | | |
Description
The user guide says queries are escaped. I am using a MySQL 5 DB, and it seems the data isn’t escaped when inserted into the database using active record.
Code Sample
$data = array( 'forename' => "helo ' world`" );
$this->db->insert( 'mytable', $data );
The table row then contains the following:
helo ' world`
However, if I manually escape it like so:
$data = array( 'forename' => $this->db->escape( "helo ' world`" ) );
$this->db->insert( 'mytable', $data );
The table row then contains the following:
'helo \' world`'
Expected Result
'helo \' world`'
Actual Result
helo ' world`
Comment on Bug Report
Posted by: Derek Jones on 29 November 2007 9:35am
If it were not being escaped, then you would get a query error, as your query would be written:
INSERT INTO `mytable` ('forename') VALUES ('helo ' world`')
The single quotes in the value string would break the query. It is being properly escaped in the DB driver, which you can see if you follow the code in the insert() method of the active record class, and with the proper result. The escape sequences, the slashes, are not going to be written to the database; that would be terribly wrong. Their purpose is to make sure the data gets to your database safely and intact, as your original string. If you want 'helo \' world`' literally to be written to your database, then that’s the string you need to put in your data array.
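The behaviour Derek describes, shown as an added example that is not part of this bug report or of CodeIgniter: a small Python script against an in-memory SQLite table (SQLite doubles single quotes inside a literal, where the MySQL driver backslash-escapes them, so the escaped form below reads `''` rather than the report's `\'`). It runs the reporter's two inserts plus an unescaped string concatenation for contrast, and returns what actually lands in the row in each case. The function names, the `sql_literal` helper and the sample value are constructed for this example.

```python
import sqlite3

# The constructed sample value from the report.
ORIGINAL = "helo ' world`"


def sql_literal(value: str) -> str:
    """Quote a string as a SQL literal, SQLite style: wrap in single quotes and
    double every single quote inside. A MySQL driver would emit \\' instead, which
    is exactly the \\' the reporter saw after calling escape() by hand."""
    return "'" + value.replace("'", "''") + "'"


def fresh_db() -> sqlite3.Connection:
    """One empty in-memory table per experiment so results cannot bleed together."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (forename TEXT)")
    return conn


def stored_value(conn: sqlite3.Connection) -> str:
    """Read back the single row that each experiment inserted."""
    return conn.execute("SELECT forename FROM mytable").fetchone()[0]


def insert_bound(value: str) -> str:
    """What a DB layer does for you: the value is handed to the database as a bound
    parameter, so the row holds the original bytes, quotes and all, with no slashes."""
    conn = fresh_db()
    conn.execute("INSERT INTO mytable (forename) VALUES (?)", (value,))
    return stored_value(conn)


def insert_escaped_literal(value: str) -> str:
    """Escaping done once, at query-build time, the way a driver does it: the literal
    is valid SQL, the parser strips the escaping, and the stored text is the original."""
    conn = fresh_db()
    conn.execute("INSERT INTO mytable (forename) VALUES (" + sql_literal(value) + ")")
    return stored_value(conn)


def insert_double_escaped(value: str) -> str:
    """The reporter's second experiment: escape by hand, then pass the result to a
    layer that escapes again. The outer quotes and the doubled quote become data."""
    conn = fresh_db()
    conn.execute("INSERT INTO mytable (forename) VALUES (?)", (sql_literal(value),))
    return stored_value(conn)


def insert_unescaped_concat(value: str) -> str:
    """No escaping at all, which is what the reporter assumed was happening: the quote
    inside the data terminates the literal and the statement fails to parse.
    Returns the error class name instead of raising so the outcome can be compared."""
    conn = fresh_db()
    try:
        conn.execute("INSERT INTO mytable (forename) VALUES ('" + value + "')")
    except sqlite3.Error as exc:
        return type(exc).__name__
    return stored_value(conn)


def run_all(value: str = ORIGINAL) -> dict:
    """Collect the four outcomes side by side."""
    return {
        "bound": insert_bound(value),
        "escaped_once": insert_escaped_literal(value),
        "escaped_twice": insert_double_escaped(value),
        "unescaped": insert_unescaped_concat(value),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:14s} -> {result!r}")
```

Only the double-escaped row carries the quote characters into the table, matching the `'helo \' world`'` the reporter got after calling `escape()` themselves; the bound and once-escaped rows hold the original string, and the unescaped concatenation is the case that would have produced the query error Derek mentions.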
