Issues with inserting special characters CodeIgniter

Question

I am trying to insert a mysql query itself into a table field(Executing a series of queries when certain conditions met), but whenever there is any special characters in query, it is converted in to its corresponding entities.

For example, if Iam inserting this query to table, the quote will become " '" , > to > and space to &# . Is there any way to insert the query as it is and display in correct form .

    "select
      case item_id
      when 206 then '1 Column'
      when 255 then '2 Columns'
      end as split,
      # case oi.product_id
      #   when 24 then 'XXXX'
      #   when 28 then 'CCCC'
      #   when 30 then 'EEEE'
      #   else 'Something Else'
      # end as product,
     case oi.price_id
       when 72 then 'UYT - Single Pay'
       when 73 then 'UYT - Single Pay'
       when 74 then 'UYT - Single Pay'
     else 'Upsell'
     end as product,
     count(distinct(al.cust_id)) as the_count
     from logtable al
     where item_id in (206,255) and
        activity_dts > '2012-01-31 19:15:00' and
        o.order_is_refunded = 0 and
        t.response_code = 1 and
        t.response_reasontext not like '%testmode%'
        group by   1,2;"

Please give me suggestions or Am I missing any thing here. The charset used by my CI installation is UTF-8.

Answer 1

PHP addshlashes

This function will help you add the query along with its quotes as it is, in your db.

Also you can do this way,

If your queries just have multiple single quotes only, then border it by double quotes:

like $tmp = "See single' quotes";

or vice-versa like:

$tmp = 'See double " quotes';

Answer 2

Try following

 $data_insert = mysql_real_escape_string($values);

Also you can find it in detail http://php.net/manual/en/function.mysql-real-escape-string.php

Answer 3

There shouldn't be any problem with inserting your string, as it IS a string, and the database library doesn't make any character encoding by itself, afaik. What encoding are the database and the tables ? (the connection should be UTF-8, as per default settings)

Since you're using the framework, you can use its methods (and not mysql_real_escape_string() or, god, addslashes()!! like suggested in other answers).This should work:

$string_query = "select
      case item_id
      when 206 then '1 Column'
      when 255 then '2 Columns'....";
$sql = "INSERT INTO table(column) VALUES (?)";
$this->db->query($sql, array($string_query));

The query bindings automatically escapes FOR SQL, so for that you're safe (you could have used ActiveRecord with the same result). I don't know what couldn't be working in this, surely NO FUNCTIONS encodes html.

Maybe you're doing the encoding somewhere else: are you sure you're not calling xss_clean() , htmlspecialchars() / htmlentities() , or you have XSS protection enabled, or you pass TRUE as second paramenter of $this->input-> ?

If all the above for some reason - for wich you didn't provide enought information - fails, you can alwasy encode everything:

$string_query = base64_encode("select.....");
// HERE YOU MAKE THE INSERT QUERY

and when you retrieve it, you base64_decode() the string. But the ideal solution is not this, it should work without flaws anyway.