Codeigniter不使用ActiveRecord在ODBC-mssql中转义单引号 [英] Codeigniter not escaping single quotes in ODBC-mssql using ActiveRecord
问题描述
我有一个有一堆字段的表单。有时用户用单引号提供信息和描述。
I have a form with a bunch of fields. Sometimes users provides information and descriptions with single quotes in it.
我用Jquery和CI验证数据,问题是显然ActiveRecord不转义单引号,导致错误插入/更新数据。
I'm validating the data with Jquery and CI, the problem is that apparently ActiveRecord isn't escaping single quotes, leading to an error inserting/updating data.
不是ActiveRecord应该自动转义这些字符?
Isn't ActiveRecord supposed to escape these characters automatically? If it doesn't, what is the usual way for handing single quotes in user input?
处理插入的模型函数的示例代码:
Example code of my model function that handles the insert:
public function setLicense($dataArray, $data_id="")
{
$iRows = 0; // Rows found.
$DB = $this->load->database('some_database',TRUE,TRUE);
//var_dump($dataArray);
if(empty($dataArray))
return(FALSE);
if(!empty($data_id))
{
$DB->where('idx',$data_id);
$iRows=$DB->count_all_results('some_table');
}
else
{
if(isset($LicenseData['idx']))
{
$license = $LicenseData['idx'];
$DB->where('idx',$license);
$iRows=$DB->count_all_results('some_table');
}
}
if(!$iRows)
$DB->insert('some_table',$dataArray);
else
{
$DB->where('idx',$data_id);
$DB->update('some_table',$dataArray);
}
return(TRUE);
}
推荐答案
当与ODBC数据库驱动程序连接时,重写描述是有意的。以下是此Ellislab论坛讨论的引语:
It appears that the behaviour you're describing is intentional when connecting with the ODBC db driver. Here is a quote from this Ellislab forum discusssion:
由于ODBC的本质,你可以使用几乎任何数据库
平台,没有CodeIgniter有一个方式知道它是一个。
和不同的数据库有不同的转义字符和规则,所以
它真的取决于你做这样的转义。
Due to the very nature of ODBC - you can use pretty much any database platform without CodeIgniter having a way of knowing which one it is. And different databases have different escape characters and rules, so it’s really up to you to do such kind of escaping.
这篇关于Codeigniter不使用ActiveRecord在ODBC-mssql中转义单引号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!