tags:

views:

871

answers:

2
Q: 

Is there a way to pass arguments to a query in CodeIgniter *without* using ActiveRecord?

This is what I'd like to do, but it doesn't seem possible: (edit: changed single to double quotes)

function get_archives($limit, $offset) 
{
    $query = $this->db->query("
        SELECT  archivalie.id, 
                archivalie.signature, 
                type_of_source.description AS type_of_source_description, 
                media_type.description AS media_type_description,
                origin.description AS origin_description

        FROM    archivalie, 
                type_of_source, 
                media_type,
                origin

        WHERE   archivalie.type_of_source_id = type_of_source.id                                                        
        AND     type_of_source.media_type_id = media_type.id  
        AND     archivalie.origin_id = origin.id                                                                     

        ORDER BY    archivalie.id ASC
     LIMIT       $limit, $offset
    "); 


    // etc...

}

It gives this error: (edit: new error message using double quotes, and with an offset number passed in the URL)

ERROR: LIMIT #,# syntax is not supported HINT: Use separate LIMIT and OFFSET clauses.

It only works if you pass the variables using the ActiveRecord format:

$this->db->select('archivalie.id, archivalie.signature, etc, etc');
// from, where, etc.
$this->db->limit($limit, $offset);        
$query = $this->db->get();
A: 

If you used double quotes instead of single quotes it would work, but you'd be open to an injection attack if the variables weren't sanitized properly.

Greg  2008-10-09 15:49:42
Perhaps I'm missing something, but why would single versus double quotes make a difference to SQL injection attacks?
Thomas Owens  2008-10-09 15:51:31
I'm with Thomas. I don't get what Greg means with this.
Thorpe Obazee  2009-11-03 04:34:46
Because you're passing a variable directly into an SQL statement - you should escape it first.
Greg  2009-11-03 08:29:47
Question was changed after I answered btw
Greg  2009-11-03 08:30:38
+1  A: 

This worked:

$query = $this->db->query("
    SELECT  archivalie.id, 
            archivalie.signature, 
            type_of_source.description AS type_of_source_description, 
            media_type.description AS media_type_description,
            origin.description AS origin_description

    FROM    archivalie, 
            type_of_source, 
            media_type,
            origin

    WHERE   archivalie.type_of_source_id = type_of_source.id                                                        
    AND     type_of_source.media_type_id = media_type.id  
    AND     archivalie.origin_id = origin.id                                                                     

    ORDER BY    archivalie.id ASC
    LIMIT       $limit
    OFFSET      $offset
");

But it requires a check to assign a default value if no offset is present in the URL. From my controller:

# Check/assign an offset
$offset = (!$this->uri->segment(3)) ? 0 : $this->uri->segment(3);

# Get the data
$archives = $this->archive->get_archives($config['per_page'], $offset);
meleyal  2008-10-10 08:41:36

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP