Codeigniter not escaping single quotes in ODBC-mssql using ActiveRecord


Question

I have a form with a bunch of fields. Sometimes users provides information and descriptions with single quotes in it.

I'm validating the data with Jquery and CI, the problem is that apparently ActiveRecord isn't escaping single quotes, leading to an error inserting/updating data.

Isn't ActiveRecord supposed to escape these characters automatically? If it doesn't, what is the usual way for handling single quotes in user input?

Example code of my model function that handles the insert:

public function setLicense($dataArray, $data_id = "")
{
    $iRows = 0; // Rows found.
    $DB = $this->load->database('some_database', TRUE, TRUE);

    if (empty($dataArray))
        return FALSE;

    // Resolve the row id: prefer the explicit argument, otherwise the
    // idx carried inside the data array itself.
    if (empty($data_id) && isset($dataArray['idx']))
        $data_id = $dataArray['idx'];

    if (!empty($data_id))
    {
        $DB->where('idx', $data_id);
        $iRows = $DB->count_all_results('some_table');
    }

    // Insert when no row with that idx exists, otherwise update it.
    if (!$iRows)
        $DB->insert('some_table', $dataArray);
    else
    {
        $DB->where('idx', $data_id);
        $DB->update('some_table', $dataArray);
    }
    return TRUE;
}


Recommended answer

It appears that the behaviour you're describing is intentional when connecting with the ODBC db driver. Here is a quote from this Ellislab forum discussion:

Due to the very nature of ODBC - you can use pretty much any database platform without CodeIgniter having a way of knowing which one it is. And different databases have different escape characters and rules, so it’s really up to you to do such kind of escaping.
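The escaping that the answer says is left to you, shown as an added example; it is not part of the question or the answer and is not CodeIgniter's own code. It assumes the ODBC back end really is SQL Server (T-SQL carries a single quote inside a string literal by doubling it; other back ends have other rules), and the helper names tsql_quote, tsql_identifier, build_insert_sql and insert_with_pdo are mine. The last function shows the option a practitioner would generally prefer: handing the values to the ODBC driver as parameters through PDO, so that no string escaping is involved at all and the question of which back end sits behind ODBC disappears.

```php
<?php
// Added example: not code from the question, the answer, or CodeIgniter.
// Assumed: the ODBC back end is SQL Server (T-SQL rules), and the helper
// names tsql_quote, tsql_identifier, build_insert_sql and insert_with_pdo
// are mine.

/**
 * Quote a PHP value as a T-SQL literal.
 * SQL Server has no backslash escaping: the only way to carry a single
 * quote inside a string literal is to double it (' becomes '').
 */
function tsql_quote($value)
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    // NUL bytes cannot travel inside an ODBC statement string; drop them.
    $value = str_replace("\0", '', (string) $value);
    // The N prefix keeps non-ASCII text intact in NVARCHAR columns.
    return "N'" . str_replace("'", "''", $value) . "'";
}

/** Column and table names come from the application, so only validate and bracket them. */
function tsql_identifier($name)
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Refusing unsafe identifier: $name");
    }
    return "[$name]";
}

/** Build a complete INSERT with every value passed through tsql_quote(). */
function build_insert_sql($table, array $row)
{
    $cols = array_map('tsql_identifier', array_keys($row));
    $vals = array_map('tsql_quote', array_values($row));
    return sprintf('INSERT INTO %s (%s) VALUES (%s)',
        tsql_identifier($table), implode(', ', $cols), implode(', ', $vals));
}

/**
 * The option to prefer when PDO is available: send the values as ODBC
 * parameters so the driver, not string escaping, keeps them out of the SQL.
 * $pdo is an open connection, for example
 * new PDO('odbc:Driver={ODBC Driver 17 for SQL Server};Server=host;Database=db', $user, $pass).
 */
function insert_with_pdo(PDO $pdo, $table, array $row)
{
    $cols  = array_map('tsql_identifier', array_keys($row));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $sql   = sprintf('INSERT INTO %s (%s) VALUES (%s)',
        tsql_identifier($table), implode(', ', $cols), $marks);
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array_values($row));
    return $stmt->rowCount();
}

// Constructed sample row: a name with an apostrophe, as in the question,
// and a description shaped like an injection attempt.
$row = [
    'idx'         => 42,
    'name'        => "O'Brien",
    'description' => "'; DROP TABLE some_table; --",
];

echo build_insert_sql('some_table', $row), PHP_EOL;
```

Run it with the PHP CLI: the printed statement carries the name as N'O''Brien' and the description with its leading quote doubled, so the injection-shaped text stays inside its literal instead of terminating it. Note that an unescaped quote here is not only the insert error the question describes; it lets the rest of the field be parsed as SQL, which is why the ODBC driver's lack of escaping matters beyond broken inserts. The doubling rule is correct for SQL Server literals only; as the answer points out, other back ends reachable through ODBC differ, which is the argument for insert_with_pdo and bound parameters.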
