views:

28

answers:

3

I was wondering if, when using the database library in CodeIgniter, there was a way to automatically escape all the inputs to prevent injection. I know I can use mysql_real_escape_string() to do it, but I wondered if this was already set up to do this automatically; if not, are there any frameworks that have this included?

Thanks!

+1  A: 

Right, pretty much all frameworks that implement any sort of database abstraction/ORM layer will automatically mysql_real_escape your queries. If you don't want to use an entire framework, consider a generic ORM library like Propel or Doctrine. Alternatively, look into prepared statements.

deceze
Thank you for your response. With a default installation of CodeIgniter, I added in the database library, and I can insert quotes into a text input which is then sent to an Update query (using the database helper), and it results in a syntax error. So perhaps there is further configuration with CodeIgniter?
Pete Herbert Penito
@Pete Sorry, I don't understand what you're asking. From your question I thought you were already familiar with CodeIgniter and are looking for ORM libraries like the one CI uses, which *doesn't* require any manual escaping...? Personally I have no experience with CI, so I can't tell you any specifics about it.
deceze
+1  A: 

CakePHP runs all model queries through its own methods; if you use the model methods, it automatically sanitizes any data passed to the query for you, i.e.

$options['conditions'] = array('Product.status'=>$status);
$this->Product->find('first',$options);
woodscreative
+2  A: 

In order to use prepared statements, you can simply use query bindings with CodeIgniter.

$query = 'SELECT id, name FROM user WHERE name = ?';
$bind = array('Jake');
$this->db->query($query, $bind);

More info found here.

akira_x
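To show what the query bindings in the answer above actually buy you, here is an added example (not from the thread or from CodeIgniter) that runs the same parameterised SELECT with plain PDO against an in-memory SQLite database, so it works outside the framework. It assumes the pdo_sqlite extension is available; the table, rows and the input value containing a quote are constructed for the example.

```php
<?php
// Added example: the "quote in a text input" case from the question,
// once with the value concatenated into the SQL and once bound as a
// parameter (the same thing $this->db->query($sql, $bind) does in CI).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO user (name) VALUES ('Jake'), ('O''Brien')");

// Constructed user-supplied value containing an apostrophe.
$name = "O'Brien";

// Unsafe: the raw value becomes part of the SQL text. The apostrophe ends
// the string literal early and the statement is malformed, which is the
// syntax error described in the question.
try {
    $db->query("SELECT id, name FROM user WHERE name = '$name'");
    echo "concatenated query unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// Safe: the value is sent as a bound parameter and never parsed as SQL,
// so the quote is just data and the row is found.
$stmt = $db->prepare('SELECT id, name FROM user WHERE name = ?');
$stmt->execute([$name]);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo "bound query matched: id={$row['id']} name={$row['name']}\n";
}
```

The same separation of SQL text from data is what CodeIgniter's query bindings (and its Active Record update/insert helpers) give you, so an apostrophe in the input neither breaks the statement nor changes its meaning.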