Question
I have a form with a bunch of fields. Sometimes users provide information and descriptions with single quotes in them.
I'm validating the data with jQuery and CI; the problem is that apparently ActiveRecord isn't escaping single quotes, leading to an error inserting/updating data.
Isn't ActiveRecord supposed to escape these characters automatically? If it doesn't, what is the usual way for handling single quotes in user input?
Example code of my model function that handles the insert:
public function setLicense($dataArray, $data_id="")
{
    $iRows = 0; // Rows found.
    $DB = $this->load->database('some_database', TRUE, TRUE);
    //var_dump($dataArray);

    if (empty($dataArray))
        return(FALSE);

    if (!empty($data_id))
    {
        $DB->where('idx', $data_id);
        $iRows = $DB->count_all_results('some_table');
    }
    else
    {
        // No id passed in: fall back to the idx carried in the data array
        // (the original referenced an undefined $LicenseData here).
        if (isset($dataArray['idx']))
        {
            $data_id = $dataArray['idx'];
            $DB->where('idx', $data_id);
            $iRows = $DB->count_all_results('some_table');
        }
    }

    if (!$iRows)
        $DB->insert('some_table', $dataArray);
    else
    {
        $DB->where('idx', $data_id);
        $DB->update('some_table', $dataArray);
    }
    return(TRUE);
}
Answer 1:
It appears that the behaviour you're describing is intentional when connecting with the ODBC db driver. Here is a quote from this Ellislab forum discussion:
Due to the very nature of ODBC - you can use pretty much any database platform without CodeIgniter having a way of knowing which one it is. And different databases have different escape characters and rules, so it’s really up to you to do such kind of escaping.
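The "do such kind of escaping yourself" the answer refers to, as an added example that is not part of the original question or answer and is not CodeIgniter's code: it uses PDO over ODBC instead of CI's ActiveRecord, assumes SQL Server behind the DSN (the DSN name, credentials and column names other than idx are placeholders), and keeps the some_table/idx names from the question. The preferred path is a parameterised statement, where the user's text is bound as data and a single quote in it never reaches the SQL text; the fallback, for the rare case where a literal has to be spliced into a query string, applies the T-SQL rule that a single quote inside a string literal is written as two single quotes, with column names taken only from a whitelist.

```php
<?php
// Added example: handling single quotes in user input when the ODBC driver
// leaves escaping to the application. Assumes the pdo_odbc extension and
// SQL Server behind the DSN; "YourMssqlDsn" and the credentials are placeholders.

// Option 1 (preferred): parameterised statements. The value travels as a
// bound parameter, so a quote inside it is data, not SQL syntax.
function insertLicense(PDO $pdo, array $dataArray): bool
{
    // Only whitelisted columns may be written; keys that are not in the list
    // are dropped so form input cannot introduce its own column names.
    $allowed = ['idx', 'description', 'owner']; // hypothetical column names
    $row = array_intersect_key($dataArray, array_flip($allowed));
    if (empty($row)) {
        return false;
    }
    $cols  = implode(', ', array_map(fn($c) => "[$c]", array_keys($row)));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $stmt  = $pdo->prepare("INSERT INTO [some_table] ($cols) VALUES ($marks)");
    return $stmt->execute(array_values($row));
}

function updateLicense(PDO $pdo, string $idx, array $dataArray): bool
{
    $allowed = ['description', 'owner']; // hypothetical column names; idx is the key
    $row = array_intersect_key($dataArray, array_flip($allowed));
    if (empty($row)) {
        return false;
    }
    $set  = implode(', ', array_map(fn($c) => "[$c] = ?", array_keys($row)));
    $stmt = $pdo->prepare("UPDATE [some_table] SET $set WHERE [idx] = ?");
    return $stmt->execute([...array_values($row), $idx]);
}

// Option 2 (fallback): when a literal must be built into the SQL text,
// T-SQL doubles every single quote inside the literal. This covers string
// literals only and is not a substitute for binding.
function tsqlStringLiteral(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// Usage (placeholder DSN and credentials).
$pdo = new PDO('odbc:YourMssqlDsn', 'db_user', 'db_password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed input containing single quotes, as a user would type it.
insertLicense($pdo, ['idx' => '42', 'description' => "O'Brien's licence"]);
updateLicense($pdo, '42', ['description' => "It's been renewed"]);

// Constructed check of the literal helper: the embedded quote is doubled.
assert(tsqlStringLiteral("O'Brien") === "'O''Brien'");
```

The whitelist matters as much as the binding: placeholders can only stand in for values, never for table or column names, so those are taken from a fixed list rather than from the incoming array's keys.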
Source: https://stackoverflow.com/questions/13054094/codeigniter-not-escaping-single-quotes-in-odbc-mssql-using-activerecord