0

I am trying to have filters dropdown in my CMS my model looks like 

public function load($sort,$order,$key,$value)
{ //        $key='listening'; //        $value="1";
            //configure pagination
    $config=array(
      'base_url'=>base_url().'/index.php/companies/index',
      'total_rows'=>$this->db->get('company')->num_rows(),
      'per_page'=>$this->settings_model->get_per_page(),
      'num_links'=>20
    );

    $this->pagination->initialize($config);



    $this->db->select('company.id, 
                       company.name, 
                       company.logo, 
                       company.status_id, 
                       company.listening',FALSE);
    $this->db->select('company_category.name as category,
                       company_category.id as category_id',FALSE);

    $this->db->select('complain_status.cs_status as status',false);
    $this->db->from('company');
    $this->db->join('company_category','company_category.id = company.category_id');
    $this->db->join('complain_stastus', 'complain_status.cs_id = company.status_id');



    if(isset($_POST['key']))
    {
       $value=  str_replace('&nbsp', ' ', $_POST['value']);
        var_dump($value);
        if($value!='0')
            $this->db->having ($_POST['key'], mysql_real_escape_string($value) );

    }
    if($sort!='' || $sort!=NULL)
        $this->db->order_by ($sort, $order);

    $this->db->limit($config['per_page'], $this->uri->segment(3));

    $result=$this->db->get();
    if(!isset($_POST['key']))
        $this->filter->set_filters_list($result->result_array());

    return $result->result();
}

that generates the below query 

SELECT company.id, company.name, company.logo, company.status_id, company.listening, company_category.name as category, company_category.id as category_id, complain_status.cs_status as status
FROM (`company`)
JOIN `company_category` ON `company_category`.`id` = `company`.`category_id`
JOIN `complain_status`  ON `complain_status`.`cs_id` = `company`.`status_id`
HAVING `category` =  'Health & recreation'
LIMIT 20

as you can see here is the problem when category equals some string with special character like Health & recreation it fails and even if i tried the query generated by CI it works normally on MYSQL and gets me the result

Note : I m replacing the space $value= str_replace('&nbsp', ' ', $_POST['value']); as this data comes from select html element that fails when it has spaces in options so i had to parse and remove it later in the back-end code

Thanks in advance

Improve this question
2
  • 1
    How do you know that's the query that's getting generated? Did you use echo $this->db->last_query() to make sure that's the query that's getting generated? Commented Nov 14, 2012 at 19:21
  • No actually i just misspell the anything in the query like wrong table name and i get it from the error generated on ajax response.. Commented Nov 14, 2012 at 19:27

2 Answers 2

Reset to default
2

Code igniter is probably html_encoding the ampersand so that it reads as its html value. YOu can comfirm this by turning on the profiler by adding this line to the constructor of whatever controller or model your runnning the query in:

$this->output->enable_profiler(TRUE);

if I'm right your query will have substituted something like & where the & should be.

Note the profiler reveals the & while using a $this->db->last_query() still shows a &

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

i used the profiler and i got HAVING category = 'Health & recreation', it's really strange the same query is running on mysql and working ok @jJohn B
hmmm. Could you try running the query through sql except using &#amp; and & in place of &. Se if either of those work.
0

To insert symbols into the database, you need to escape the values first. In PHP, you would normally use: mysql_real_escape_string()

How to insert special characters into a database?

However, as you're doing this in CodeIgniter, you have to use query binding for the data to automatically be escaped,

$category = $this->input->post('category');
$status = $category = $this->input->post('status');
$status_id = $category = $this->input->post('status_id');

$sql = "SELECT * FROM company WHERE category = ? AND status = ?"; 

$this->db->query($sql, array($category, $status));

http://ellislab.com/codeigniter/user_guide/database/queries.html (under Query Binding)

Does CodeIgniter automatically prevent SQL injection?

Although its not part of the original question, your code has flaws in that your using $_POST['value'] without any sort of filtering. There would be nothing stopping someone from SQL injecting your form.

How can I prevent SQL injection in PHP?

Improve this answer

2 Comments

Thanks Jarret for your response, but my problem with selecting not inserting values and i have used escape character string function but same behavior this is just filter in the CMS that add one more condition in the query
Try adding a forward slash before the ampersand "&" so that it reads: category = 'Health \& recreation'

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.