author | Derek Jones <derek.jones@ellislab.com> | 2009-02-20 22:44:59 +0100
---|---|---
committer | Derek Jones <derek.jones@ellislab.com> | 2009-02-20 22:44:59 +0100
commit | e4ed583067095144eb20aefc61d4499d8386532a (patch) |
tree | b156a0305e5c1e84466bcb0ca84787b234be3cfd | /user_guide
parent | 436e6e2583c574a4628984c4a95c5d3da5fcce1f (diff) |
added LIKE condition escaping to all drivers and Active Record
updated all DB drivers to accept arrays in escape_str()
Diffstat (limited to 'user_guide')
-rw-r--r-- | user_guide/changelog.html | 5
-rw-r--r-- | user_guide/database/queries.html | 9
2 files changed, 12 insertions, 2 deletions
diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 06375d6f4..cdbfbbd04 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -71,6 +71,9 @@ SVN Revision: </p> <li>Database <ul> <li>Switched from using gettype() in escape() to is_* methods, since future PHP versions might change its output.</li> + <li>Updated all database drivers to handle arrays in escape_str()</li> + <li>Added escape_like_str() method for escaping strings to be used in LIKE conditions</li> + <li>Updated Active Record to utilize the new LIKE escaping mechanism.</li> </ul> </li> @@ -80,6 +83,7 @@ SVN Revision: </p> <ul> <li>Fixed assorted user guide typos or examples (#6743).</li> <li>Fixed a bug with ORIG_PATH_INFO that was allowing URIs of just a slash through.</li> + <li>Fixed a fatal error in the Oracle and ODBC drivers (#6752)</li> </ul> <h2>Version 1.7.1</h2> @@ -136,7 +140,6 @@ SVN Revision: 1640</p> <li>Fixed a bug where TRUNCATE was not considered a "write" query (#6619).</li> <li>Fixed a bug where csv_from_result() was checking for a nonexistent method.</li> <li>Fixed a bug _protect_identifiers() where it was improperly removing all pipe symbols from items</li> - <li>Fixed a fatal error in the Oracle driver (#6752)</li> </ul> </li> <li>Fixed assorted user guide typos or examples (#5998, #6093, #6259, #6339, #6432, #6521).</li> diff --git a/user_guide/database/queries.html b/user_guide/database/queries.html index f42e179ab..9665af231 100644 --- a/user_guide/database/queries.html +++ b/user_guide/database/queries.html @@ -96,7 +96,7 @@ It simply lets you submit a query. Most users will rarely use this function.</p> <h1>Escaping Queries</h1> <p>It's a very good security practice to escape your data before submitting it into your database. -CodeIgniter has two functions that help you do this:</p> +CodeIgniter has three methods that help you do this:</p> <ol> <li><strong>$this->db->escape()</strong> This function determines the data type so that it 
@@ -108,6 +108,13 @@ can escape only string data. It also automatically adds single quotes around th Most of the time you'll use the above function rather than this one. Use the function like this: <code>$sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";</code></li> + +<li><strong>$this->db->escape_like_str()</strong> This method should be used when strings are to be used in LIKE +conditions so that LIKE wildcards ('%', '_') in the string are also properly escaped. + +<code>$search = '20% raise';<br /> +$sql = "SELECT id FROM table WHERE column LIKE '%".$this->db->escape_like_str($search)."%'";</code> + </ol> |
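Review bot: the new `<li>` for escape_like_str() in the second queries.html hunk is never closed; the item ends with `</code>` followed by a blank `+` line and then the unchanged `</ol>`, while the preceding escape_str() item ends with `</li>`. Add `</li>` after the closing `</code>` so the list stays well-formed. The example query `... LIKE '%".$this->db->escape_like_str($search)."%'"` also shows no ESCAPE clause; the text should say which escape character the method uses and whether the caller has to append `ESCAPE '<char>'` for the escaped `%` and `_` to be honoured, because that requirement differs between databases.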
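Review bot: the first queries.html hunk changes "two functions" to "three methods", but the unchanged context line right after it still introduces escape() with "This function determines the data type", and the escape_str() context in the next hunk says "Use the function like this", while the new escape_like_str() item says "This method". Use one term for all three items so the renumbered list reads consistently.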
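Review bot: in the first changelog hunk the three added entries are punctuated inconsistently: "Updated all database drivers to handle arrays in escape_str()" and the escape_like_str() entry have no trailing period, the Active Record entry does, and the neighbouring entries in the same list ("...might change its output.") all end with one; the "(#6752)" entry added in the second hunk lacks one too. The third hunk moves the Oracle fatal-error entry out of the 1.7.1 list and the second hunk re-adds it as "Oracle and ODBC drivers", which is fine if the fix did not ship in 1.7.1, but the commit message only mentions LIKE escaping and escape_str() arrays, so that relocation deserves a line of its own there.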