Code Igniter User Guide Version 1.4.0


Queries

To submit a query, use the following function:

$this->db->query('YOUR QUERY HERE');

The query() function returns a database result object which you can use to show your results. You will typically assign the query to your own variable, like this:

$query = $this->db->query('YOUR QUERY HERE');

Escaping Queries

It's a very good security practice to escape your data before sumbiting it into your database. Code Igniter has two functions that help you do this:

  1. $this->db->escape() This function determines the data type so that it can escape only string data. It also automatically adds single quotes around the data so you don't have to: $sql = "INSERT INTO table (title) VALUES(".$this->db->escape($title).")";
  2. $this->db->escape_str() This function escapes the data passed to it, regardless of type. Most of the time you'll use the above function rather then this one. Use the function like this: $sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";


Query Bindings

Bindings enable you to simplify your query syntax by letting the system put the queries together for you. Consider the following example:

$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";

$this->db->query($sql, array(3, 'live', 'Rick'));

The question marks in the query are automatically replaced with the values in the array in the second parameter of the query function.

The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; the engine does it automatically for you.


Query Helper Functions

$this->db->last_query();

Returns the last query that was run (the query string, not the result). Example:

$str = $this->db->last_query();

// Produces: SELECT * FROM sometable....

The following two functions help simplify the process of writing database INSERTs and UPDATEs.

$this->db->insert_string();

This function simplifies the process of writing database inserts. It returns a correctly formatted SQL insert string. Example:

$data = array('name' => $name, 'email' => $email, 'url' => $url);

$str = $this->db->insert_string('table_name', $data);

The first parameter is the table name, the second is an associative array with the data to be inserted. The above example produces:

INSERT INTO table_name (name, email, url) VALUES ('Rick', 'rick@your-site.com', 'www.your-site.com')

$this->db->update_string();

This function simplifies the process of writing database updates. It returns a correctly formatted SQL update string. Example:

$data = array('name' => $name, 'email' => $email, 'url' => $url);

$where = "author_id = 1 AND status = 'active'";

$str = $this->db->update_string('table_name', $data, $where);

The first parameter is the table name, the second is an associative array with the data to be inserted, and the third parameter is the "where" clause. The above example produces:

UPDATE exp_weblog SET name = 'Rick', email = 'rick@your-site.com', url = 'www.your-site.com' WHERE author_id = 1 AND status = 'active'