summaryrefslogtreecommitdiffstats
path: root/user_guide/database/queries.html
diff options
context:
space:
mode:
authorDerek Jones <derek.jones@ellislab.com>2009-02-20 22:44:59 +0100
committerDerek Jones <derek.jones@ellislab.com>2009-02-20 22:44:59 +0100
commite4ed583067095144eb20aefc61d4499d8386532a (patch)
treeb156a0305e5c1e84466bcb0ca84787b234be3cfd /user_guide/database/queries.html
parent436e6e2583c574a4628984c4a95c5d3da5fcce1f (diff)
added LIKE condition escaping to all drivers and Active Record
updated all DB drivers to accept arrays in escape_str()
Diffstat (limited to 'user_guide/database/queries.html')
-rw-r--r--user_guide/database/queries.html9
1 files changed, 8 insertions, 1 deletions
diff --git a/user_guide/database/queries.html b/user_guide/database/queries.html
index f42e179ab..9665af231 100644
--- a/user_guide/database/queries.html
+++ b/user_guide/database/queries.html
@@ -96,7 +96,7 @@ It simply lets you submit a query. Most users will rarely use this function.</p>
<h1>Escaping Queries</h1>
<p>It's a very good security practice to escape your data before submitting it into your database.
-CodeIgniter has two functions that help you do this:</p>
+CodeIgniter has three methods that help you do this:</p>
<ol>
<li><strong>$this->db->escape()</strong> This function determines the data type so that it
@@ -108,6 +108,13 @@ can escape only string data. It also automatically adds single quotes around th
Most of the time you'll use the above function rather than this one. Use the function like this:
<code>$sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";</code></li>
+
+<li><strong>$this->db->escape_like_str()</strong> This method should be used when strings are to be used in LIKE
+conditions so that LIKE wildcards ('%', '_') in the string are also properly escaped.
+
+<code>$search = '20% raise';<br />
+$sql = "SELECT id FROM table WHERE column LIKE '%".$this->db->escape_like_str($search)."%'";</code>
+
</ol>