7

I have the function below in my model for a codeigniter project, and the variable $id is an array and for example, contains (1,2,3). Now that i'm revisiting it, I think that i'm not actually escaping my array $id. I think I would have to change the line $this->db->escape($id) to $id = $this->db->escape($id)

If I do that, then it puts single quotes around every element in the array and treats it as one long string like this: '(1,2,3)'.

Can someone confirm that I am not actually escaping my variable and either suggest a solution or let me know if this is a bug within the codeigniter framework?

function get_ratings($id)
    {

        $this->db->escape($id); // had to manually escape the variable since it's being used in an "in" in the where clause. 

        $sql = "select * from toys t
                 where t.toy_id in ($id)";

        $query = $this->db->query($sql, $id);

        if($query->num_rows() > 0)
        {
            return $query->result_array();
        }
        else
        {
            return false;
        }
    }
Improve this question
0

6 Answers 6

Reset to default
5

You may be interested in using the CI Active Record class:

Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.

Your rewritten query would look like this (assuming $id is an array):

$this->db->where_in('toy_id', $id)->get('toys');

Aside: I will admit I am a bit confused, as it looks like $ids would be a more appropriate variable name, and the way you are using it in the query, I would assume it is a string...

If active record is not your thing, you may also find Query Bindings to be useful:

The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; the engine does it automatically for you.

EDIT: Looking back on this later, it looks like this is what you're trying to do. In that case, try replacing:

$sql = "select * from toys t where t.toy_id in ($id)";

With:

$sql = "select * from toys t where t.toy_id in (?)";

And pass $id as the second argument to query(), but as a comma separated string (implode(',', $id) if $id is indeed an array).

Otherwise you may want to use $this->db->escape_str().

$this->db->escape_str() This function escapes the data passed to it, regardless of type.

Here is an excerpt from the source code of the mysql driver to maybe put your mind at ease.

function escape_str($str, $like = FALSE)
{
    if (is_array($str))
    {
        foreach ($str as $key => $val)
        {
            $str[$key] = $this->escape_str($val, $like);
        }

        return $str;
    }
   // continued...

It loops through arrays and escapes their values.

It does indeed seem that $this->db->escape is not going to work for arrays.

$this->db->escape() This function determines the data type so that it can escape only string data.

Here is the source:

function escape($str)
{
    if (is_string($str))
    {
        $str = "'".$this->escape_str($str)."'";
    }
    elseif (is_bool($str))
    {
        $str = ($str === FALSE) ? 0 : 1;
    }
    elseif (is_null($str))
    {
        $str = 'NULL';
    }

    return $str;
}

Looks like it ignores arrays.

Anyways, hope you find a solution that works for you. My vote is for Active Record.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

I for one agree. Always use active records
Active records will not work with an array. I tried it and it puts quotes around every element in the array and treats it as a string.
@Catish: What do you mean will not work? I've been using AR for years with MySQL with no issues. What kind of database are you using? Of course it's a string, otherwise it wouldn't need escaping. Can you elaborate? Also, what's up with the $mechanicId? And most importantly, is $id really an array(1,2,3) or a string (1,2,3)? It makes a huge difference.
$mechanicId is supposed to be $id. I've edited the question now. It is actually an array which contains the values 1,2,3. If you try to write a query with active record, it escapes it incorrectly so the where clause looks like this: HERE t.toy_id in ('1, 2, 3'). The query returns no results because there is no $id with the value of "1,2,3".
@Catish: Still, you're passing it as a second argument to $this->db->query() which will do nothing, and if $id is indeed an array, that query should fail anyways. It's like saying: where t.toy_id in (Array). I've never heard of this issue between version 1.6 to 2.0.1 - are you 100% sure that $id is an array when it is received by the function? Did any of the other answers help you?
|
3

What you want to do is escape the individual values in the array. So you can use array_map on the array first.

$id = array_map('some_escape_function', $id);

See: http://php.net/manual/en/function.array-map.php

Then you can do:

$in = join(",",$id);

Your SQL would then be:

WHERE t.toy_id in ($in)

Which gives you:

WHERE t.toy_id in ('1','2','3')
Improve this answer

Comments

1

You could try something like this:

$sql = 'select * from toys t where t.toy_id in ('.
  join(',',array_map(function($i) {
    return $this->db->escape($i);
  }, $id)).');';

*Disclaimer: I'm not where I can access my PHP/MySQL server right now, so I haven't validated this. Some modification and/or tweakage may be necessary.

Improve this answer

Comments

1

Here's the solution I'm using for this, with CI 2.1.2:

1) Copy /system/database/DB.php to application/database/DB.php, and around line 123, make it look like:

...
if ( ! isset($active_record) OR $active_record == TRUE)
{
    require_once(BASEPATH.'database/DB_active_rec.php');
    require_once(APPPATH.'database/MY_DB_active_rec' . EXT);

    if ( ! class_exists('CI_DB'))
    {
        eval('class CI_DB extends MY_DB_active_record { }');
    }
}
...

2) Create MY_Loader.php in application/core:


class MY_Loader extends CI_Loader
{
  function __construct()
  {
    parent::__construct();
    log_message('debug', 'MY Loader Class Initialized');
  }

  public function database($params = '', $return = FALSE, $active_record = NULL) {
    // Grab the super object
    $CI = & get_instance();

    // Do we even need to load the database class?
    if (class_exists('CI_DB') AND $return == FALSE AND $active_record == NULL AND isset($CI->db) AND is_object($CI->db)) {
      return FALSE;
    }

    //require_once(BASEPATH . 'database/DB.php');
    require_once(APPPATH . 'database/DB' . EXT);

    if ($return === TRUE) {
      return DB($params, $active_record);
    }

    // Initialize the db variable.  Needed to prevent
    // reference errors with some configurations
    $CI->db = '';

    // Load the DB class
    $CI->db = & DB($params, $active_record);
  }

}

3) Create application/database/MY_DB_active_rec.php:


class MY_DB_active_record extends CI_DB_active_record {

  public function __construct($params)
  {
    parent::__construct($params);
    log_message('debug', 'MY Active Record Database Driver Class Initialized');
  }

  private function _array_escape(&$str)
  {
    $str = "'" . $this->escape_str($str) . "'";
  }

  function escape($str)
  {
    if (is_array($str))
    {
      array_walk($str, array($this, '_array_escape'));
      return implode(',', $str);
    }
    elseif (is_string($str))
    {
      $this->_array_escape($str);
    }
    elseif (is_bool($str))
    {
      $str = ($str === FALSE) ? 0 : 1;
    }
    elseif (is_null($str))
    {
      $str = 'NULL';
    }

    return $str;
  }

}

Then you just pass in an array of values:

$in_data = array(1, 2, 3);
$this->db->query('SELECT * FROM table WHERE id IN(?)', array($in_data));

It's not pretty, but it seems to do the trick!

Improve this answer

Comments

1

Code Igniter v3 now automaticly escapes array values :

http://www.codeigniter.com/userguide3/database/queries.html

Query Bindings

Bindings enable you to simplify your query syntax by letting the system put the queries together for you. Consider the following example:

$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?"; $this->db->query($sql, array(3, 'live', 'Rick'));

The question marks in the query are automatically replaced with the >values in the array in the second parameter of the query function.

Binding also work with arrays, which will be transformed to IN sets:

$sql = "SELECT * FROM some_table WHERE id IN ? AND status = ? AND author = ?"; $this->db->query($sql, array(array(3, 6), 'live', 'Rick'));

The resulting query will be:

SELECT * FROM some_table WHERE id IN (3,6) AND status = 'live' AND author = 'Rick'

The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don’t have to remember to manually escape data; the engine does it automatically for you.

Improve this answer

Comments

0

To bind them you can do the following:

$queryParams = [];

// to add the appropriate amount of bindings ?
$idBindings = str_replace(' ', ',', trim(str_repeat("(?) ", count($ids))));

// add each id with int validation
foreach ($ids as $id) {
    if(is_int(intVal($id)) == TRUE){
        array_push($queryParams, intVal($id));
    }
}

// the other option commented out below is to merge without checking - 
// note: sometimes values look like numeric values but are actually strings
//queryParams = array_merge($queryParams, $ids);


$sql = "select * from toys t where t.toy_id in ('. $idBindings .')";
$query = $this->db->query($sql, $queryParams );
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.