codeigniter active record, when to escape, if at all

Submitted by a 夏天 on 2019-12-13 00:53:34

Question


I just recently started using active record (before I just wrote manual queries since I was so used to them).

I was looking at the code of ion_auth and I saw that in a few places the strings had been escaped even though active record was used, i.e.:

 ->where($this->identity_column, $this->db->escape_str($identity))
 ->where($this->tables['groups'].'.name', $this->db->escape_str($group))

Thing is, I haven't escaped anywhere where I have used active record, since the documentation said active record escapes strings automatically.

My question, when using active record, are there some situations when you should escape strings?


Answer 1:


From the Codeigniter User Guide:

Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.

The creator of ion_auth may have had a particular reason for escaping the string, but if you are using Active Record, Codeigniter escapes the queries automatically.

But there are queries that "look" like they might be Active Record, which need to be escaped. Here's a list of them, again from the Codeigniter User Guide.




Answer 2:


Usually you can let CodeIgniter handle it. In some cases, if you are building a more complex query using the active record (e.g. $this->db->where('(some sql where clause)')), you can use the escape methods of the DB library.
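The distinction drawn in the two answers above, as an added example that is not part of the original question or answers: in the key/value form of where() the CodeIgniter driver escapes the value itself (so pre-escaping it with escape_str() would escape it twice), while a custom WHERE string is sent as written and the value inside it must be escaped with $this->db->escape() or supplied through query bindings. The model class, the hypothetical "users" table and its "username" and "email" columns are assumptions for the example; the $this->db methods are CodeIgniter 2.x/3.x API.

```php
<?php
// Added example (not from the question or answers): a CodeIgniter 2.x/3.x
// model showing where Active Record escapes for you and where it does not.
// Assumes a "users" table with "username" and "email" columns (hypothetical)
// and a loaded $this->db instance.
class User_model extends CI_Model
{
    // Safe: key/value form. The driver quotes and escapes $identity itself,
    // so passing escape_str() output here would escape it a second time.
    public function find_by_identity($identity)
    {
        return $this->db
            ->where('username', $identity)
            ->get('users')
            ->row();
    }

    // Risky: a custom WHERE string is sent as written. Active Record cannot
    // escape a value it cannot see inside the string, so this is injectable.
    public function find_by_email_unsafe($email)
    {
        return $this->db
            ->where("email = '" . $email . "'")
            ->get('users')
            ->row();
    }

    // Fixed: escape() adds the quotes and escapes the value before it is
    // embedded in the custom string (escape_str() escapes without quoting).
    public function find_by_email_custom($email)
    {
        return $this->db
            ->where('email = ' . $this->db->escape($email))
            ->get('users')
            ->row();
    }

    // Alternative fix: query bindings. Each ? is replaced by an escaped value.
    public function find_by_email_bound($email)
    {
        $sql = 'SELECT * FROM users WHERE email = ?';
        return $this->db->query($sql, array($email))->row();
    }

    // LIKE patterns also need % and _ handled; the key/value form of like()
    // applies escape_like_str() for you, a hand-built LIKE string does not.
    public function search_username($fragment)
    {
        return $this->db
            ->like('username', $fragment)
            ->get('users')
            ->result();
    }
}
```

The rule of thumb that falls out of this: let the key/value and bound forms do the escaping, and reach for escape() (or escape_like_str() for LIKE patterns) only when you build the SQL string yourself, because that is the only case where Active Record never sees the value.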




Answer 3:


No, it is not necessary to use escape. I have tried with different formats of text, mixing single quotes and double quotes and also a whole bunch of HTML tags; all work perfectly fine.



Source: https://stackoverflow.com/questions/13125707/codeigniter-active-record-when-to-escape-if-at-all
