Codeigniter query with symbols in condition string
I am trying to have a filters dropdown in my CMS; my model looks like this:
    public function load($sort, $order, $key, $value)
    {
        // $key = 'listening'; // $value = "1";
        // configure pagination
        $config = array(
            'base_url'   => base_url().'/index.php/companies/index',
            'total_rows' => $this->db->get('company')->num_rows(),
            'per_page'   => $this->settings_model->get_per_page(),
            'num_links'  => 20
        );
        $this->pagination->initialize($config);

        // second argument FALSE: do not let Active Record backtick-protect these identifiers
        $this->db->select('company.id,
                           company.name,
                           company.logo,
                           company.status_id,
                           company.listening', FALSE);
        $this->db->select('company_category.name as category,
                           company_category.id as category_id', FALSE);
        $this->db->select('complain_status.cs_status as status', FALSE);
        $this->db->from('company');
        $this->db->join('company_category', 'company_category.id = company.category_id');
        // table name fixed to match the generated query below ("complain_stastus" was a typo)
        $this->db->join('complain_status', 'complain_status.cs_id = company.status_id');

        // optional filter sent by the dropdown: key = column/alias, value = selected option
        if (isset($_POST['key'])) {
            $value = str_replace(' ', ' ', $_POST['value']);
            var_dump($value);
            if ($value != '0') {
                $this->db->having($_POST['key'], mysql_real_escape_string($value));
            }
        }
        // only add ORDER BY when a sort column was actually supplied
        if ($sort != '' && $sort != NULL) {
            $this->db->order_by($sort, $order);
        }
        $this->db->limit($config['per_page'], $this->uri->segment(3));
        $result = $this->db->get();
        if (!isset($_POST['key'])) {
            $this->filter->set_filters_list($result->result_array());
        }
        return $result->result();
    }
That generates the query below:
SELECT company.id, company.name, company.logo, company.status_id, company.listening, company_category.name as category, company_category.id as category_id, complain_status.cs_status as status
FROM (`company`)
JOIN `company_category` ON `company_category`.`id` = `company`.`category_id`
JOIN `complain_status` ON `complain_status`.`cs_id` = `company`.`status_id`
HAVING `category` = 'Health & recreation'
LIMIT 20
As you can see, the problem is that when category equals some string with a special character like Health & recreation, it fails; yet if I try the query generated by CI directly, it works normally in MySQL and gets me the result.
Note: I'm replacing the space with $value = str_replace(' ', ' ', $_POST['value']); because this data comes from a select HTML element, which fails when it has spaces in its options, so I had to parse and remove it later in the back-end code.
Thanks in advance
CodeIgniter is probably HTML-encoding the ampersand so that it reads as its HTML value. You can confirm this by turning on the profiler, by adding this line to the constructor of whatever controller or model you're running the query in:
    $this->output->enable_profiler(TRUE);
If I'm right, your query will have substituted something like &amp; where the & should be.
Note that the profiler reveals the &amp;, while using $this->db->last_query() still shows a &.
To insert symbols into the database, you need to escape the values first. In PHP, you would normally use mysql_real_escape_string():
How to insert special characters into a database?
However, as you're doing this in CodeIgniter, you have to use query binding for the data to automatically be escaped:
    $category  = $this->input->post('category');
    $status    = $this->input->post('status');
    $status_id = $this->input->post('status_id');
    // each ? is replaced by the corresponding escaped value from the array
    $sql = "SELECT * FROM company WHERE category = ? AND status = ?";
    $this->db->query($sql, array($category, $status));
http://ellislab.com/codeigniter/user_guide/database/queries.html (under Query Binding)
Does CodeIgniter automatically prevent SQL injection?
Although it's not part of the original question, your code has flaws in that you're using $_POST['value'] without any sort of filtering. There would be nothing stopping someone from SQL injecting your form.
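The whitelist-plus-binding approach the two answers above describe, as an added example that is not part of the original question or of any answer: a standalone PHP script that uses PDO with an in-memory SQLite database (a swapped-in substitute for CodeIgniter's $this->db, chosen so the script runs on its own) to reproduce the "Health & recreation" miss when the value arrives entity-encoded, and then applies the dropdown filter with the column name checked against a fixed map and the value bound as a parameter. The table names follow the question; the sample rows, the ALLOWED_FILTERS map and the function names are assumptions made for this demo. The filter is applied in WHERE on the joined table's real column rather than HAVING on the alias, which keeps SQLite happy without changing the point.

```php
<?php
// Added example, not code from the question or answers. Requires PHP 7+
// with the pdo_sqlite extension. Everything below (DSN, rows, function
// names, the ALLOWED_FILTERS map) is constructed for this demonstration.

// Filter keys the form is allowed to send, mapped to the real column that
// implements each one. Identifiers cannot be bound as parameters, so this
// whitelist is the only defence for the "key" half of the dropdown filter.
const ALLOWED_FILTERS = [
    'category'  => 'company_category.name',
    'status'    => 'complain_status.cs_status',
    'listening' => 'company.listening',
];

// Build the three tables from the question with a few constructed rows.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE company_category (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec('CREATE TABLE complain_status (cs_id INTEGER PRIMARY KEY, cs_status TEXT)');
    $db->exec('CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT,
               category_id INTEGER, status_id INTEGER, listening INTEGER)');
    // Sample data; note the ampersand in the category name.
    $db->exec("INSERT INTO company_category VALUES (1, 'Health & recreation'), (2, 'Retail')");
    $db->exec("INSERT INTO complain_status VALUES (1, 'open'), (2, 'closed')");
    $db->exec("INSERT INTO company VALUES (1, 'Gym Co', 1, 1, 1),
               (2, 'Shop Ltd', 2, 2, 0), (3, 'Spa Inc', 1, 2, 1)");
    return $db;
}

// Vulnerable form: the key is used as-is and the value is concatenated,
// which is the shape of having($_POST['key'], $_POST['value']) with
// unchecked input. Shown only to contrast with filterSafe() below.
function filterUnsafe(PDO $db, string $key, string $value): array
{
    $sql = "SELECT company.name FROM company
            JOIN company_category ON company_category.id = company.category_id
            JOIN complain_status ON complain_status.cs_id = company.status_id
            WHERE $key = '$value'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: whitelist the identifier, decode HTML entities that may
// have leaked in from the form layer (the "&amp;" case from the first
// answer), and bind the value so it is always compared as a literal.
function filterSafe(PDO $db, string $key, string $value): array
{
    if (!array_key_exists($key, ALLOWED_FILTERS)) {
        throw new InvalidArgumentException("unknown filter key: $key");
    }
    $column = ALLOWED_FILTERS[$key];
    $value  = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $stmt = $db->prepare("SELECT company.name FROM company
            JOIN company_category ON company_category.id = company.category_id
            JOIN complain_status ON complain_status.cs_id = company.status_id
            WHERE $column = ?");
    $stmt->execute([$value]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();

// 1. The symptom from the question: an entity-encoded value matches nothing.
print_r(filterUnsafe($db, 'company_category.name', 'Health &amp; recreation'));
// 2. Decoding before binding restores the match.
print_r(filterSafe($db, 'category', 'Health &amp; recreation'));
// 3. Injection through the value: concatenation returns every company,
//    binding compares against the literal string and returns none.
print_r(filterUnsafe($db, 'company_category.name', "x' OR '1'='1"));
print_r(filterSafe($db, 'category', "x' OR '1'='1"));
// 4. Injection through the key is refused before any SQL is built.
try {
    filterSafe($db, '1=1 OR company_category.name', 'anything');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Run with `php filter_demo.php`. Step 1 prints an empty array, step 2 prints Gym Co and Spa Inc, step 3 prints all three companies for the concatenated query and an empty array for the bound one, and step 4 prints the "unknown filter key" message. The html_entity_decode call is the only part that addresses the original symptom; the whitelist and the bound parameter are what the third answer is asking for, and they matter more than escaping because the OP's $_POST['key'] goes into the query as an identifier, which no value-escaping function can protect.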