i am using codeigniter with postgresql database
i want to set Default value if we can't get value or value == '' from $_POST or $this->input->post() then need to set value DEFAULT but whenever codeigniter execute query its append a quote like "DEFAULT" but i want my query like below example
Example:
Current Output :
update tablename set fieldname = 'DEFAULT' where
Required Output :
update tablename set fieldname = DEFAULT where condition
here problem with codeigniter query which append quotes for DEFAULT value whenever i will update
please help me to remove quotes from core file whenever i will execute query in database through codeigniter
This is a valid question. First, in postgres for example there are constants such as CURRENT_DATE and CURRENT_TIMESTAMP or in MySQL NOW() that, if quoted will cause an error. The way I handle these case is by using the code igniighter set function with a third parameter set to False to tell code ignighter to False like so:
$this->db->where('id',999);
$this->db->set('draft', False);
$this->db->set('submission_date', 'CURRENT_DATE', False);
$this->db->set('status','ok');
$this->db->update('projects');
This will produce the following query:
UPDATE projects SET draft=False, submission_date=CURRENT_DATE, status='ok' WHERE id='999';
Reference: https://www.codeigniter.com/userguide3/database/query_builder.html#inserting-data
Related
I working with Laravel and postgres. I have a code:
$users->orderBy(\DB::raw("FIELD(status, $orderedStatuses)"));
After running, I get error: Undefined function FIELD() in postgres. How I can resolve this issue?
The problem is that the second onwards parameters to FIELD should be valid MySQL literals. In this case, assuming your status values are text, these parameters need to be CSV valid strings. You could use implode here as follows:
$items = "'" . implode("', '", $orderedStatuses) . "'";
// ...
$users->orderBy(\DB::raw("FIELD(status, $items)"));
Note that this approach may expose you to SQL injection. Assuming the list of fields to be used with FIELD are relatively small, it would be safer to use just ORDER BY using a CASE expression.
Edit:
As you are using Postgres, and not MySQL or MariaDB, there is no FIELD function available to you, even with raw SQL. So, you should instead order by a CASE expression, something like this:
ORDER BY CASE status WHEN 'start' THEN 1 WHEN 'middle' THEN 2 ELSE 3 END
Updated Laravel code:
$orderBy = "CASE status WHEN 'start' THEN 1 WHEN 'middle' THEN 2 ELSE 3 END";
$users->orderBy(\DB::raw($orderBy));
In codeigniter when i am using function $this->db->escape() while insert data, It is adding single quote in database, Can anyone please help why i am getting this issue ?
Here is my code
$data = array('company_id'=>$this->db->escape($companyID),'payor_type'=>$this->db->escape($payor_type),
'payer_type'=>$this->db->escape($payer_type),'insurance'=>$this->db->escape($insurance),
'created_date'=>date("Y-m-d H:i:s"));
$this->db->insert('tb_Payer',$data);
When you use the query builder class to construct your queries the values are escaped automatically by the system so you don't have to use the function $this->db->escape. In your case, each value was escaped by the escape function and the system did it again for each value when executing the insert function.
Now if you want to run custom queries using the function $this-db->query it is a good practice to escape the data like bellow:
$sql = "INSERT INTO table (column) VALUES(".$this->db->escape($value).")";
$this->db->query($sql);
I am using active record in codenigiter to do some query and I read some docs that say using AR will escape the parameter automaticly.I want to comfirm this and I read the source code of AR class,but I am confused!
I do some test,eg,I access the url as follow is:
http://wrecruit.tudouya.com/company/editProfile/4
then I enable the profiler in CI.
when I add a single quote at the end of url as follows:
http://wrecruit.tudouya.com/company/editProfile/4'
I see the real sql statement the query execute and I got this:
SELECT *
FROM (`wy_company`)
WHERE `id` = '4%27'
the single quote is escaped to '%27',I want to know how this escape happen?maybe it's escaped by the input class?
Url adress is always encoded with urlencode function. This function replace all symbols with codes.
If you want to prevent xss you should to check you parameter. May be like this (in controller Company):
public function editProfile($id)
{
$id = (int)$id;
if($id){
// model code execute - loading DB data
}
}
And in DB query you should use Query Bindings, or use Active record. Them both are prevent injection.
If I have a MySQL statement like this:
$sql="SELECT `name`, DATE(`time`), FROM `students` WHERE `id`='5'";
I am using CodeIgniter and trying to fetch the result in object format rather than array format (i.e. not using row_array())
$query=$db1->query($sql);
$row=$query->row();
I can get the name as
echo $row->name;
I cannot get the value of date with this method.
Any Ideas how I can get the date with this method, with something like:
echo $row->date;
?
You should be able to use your own field names in SQL like so:
$sql="SELECT `name`, DATE(`time`) as mydate, FROM `students` WHERE `id`='5'";
and subsequently access it like
echo $row->mydate;
If you want the column in the result set to be named date, then add AS date after the DATE expression. You'll then be able to access it as $row->date.
I have my query something like this
INSERT INTO tbl VALUES(UNHEX('some_value'));
How can I pull this query off using codeigniter active record, specifically the '$this->db->set' function
this->db->set('password', $value); // How do I insert the mysql function here
$this->db->insert('tbl');
Take a look at the documentation - it states that if you need some value unescaped, you should set the third parameter in set() to false. Like this:
$this->db->set("password", "UNHEX('".$value."')", FALSE);