I have a problem with the way the Query Builder in CodeIgniter 3.0 escapes.
For example, this code
echo $this->db->select('ROUND(3.456, 1) AS T1')->get_compiled_select();
Return:
SELECT ROUND(3.456, `1)` AS `T1`
The function puts backticks after a comma, but this is solved by setting the second parameter to FALSE. But the function "from" always puts backticks:
echo $this->nm->db->from('(SELECT ROUND(3.456, 1)) AS T1')->get_compiled_select();
Return:
SELECT * FROM (SELECT ROUND(3.456, `1))` AS `T1`
I'm using CodeIgniter 3.0. The problem has existed since CodeIgniter 2.2. I need to use the Query Builder because it's very easy to use, but its escape method is troublesome. How do I stop the escaping in the function from?
Thanks.
I found a solution, but I'm not sure about using it. In the "database.php" file, a new element should be added to the config array of the database connection.
$db['default']['_protect_identifiers'] = FALSE;
That code disables the escape mode. But is it advisable? What is the risk of disabling the escaping system?
Thanks.
Or you can disable it on the current query and enable it again, rather than on the whole app. Before the query, insert
$this->db->_protect_identifiers = FALSE;
and after the query, set it to TRUE to enable it again.
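As an added example (not CodeIgniter code, and not from either answer), the following Python model shows what identifier protection buys and why a per-expression opt-out beats a global _protect_identifiers = FALSE. It uses sqlite3, which accepts MySQL-style backtick-quoted identifiers; the table, the allowlist, and the RawSql marker type are constructed for this demo.

```python
"""Identifier protection kept on, with an explicit opt-out for trusted SQL.

Added example, not CodeIgniter's Query Builder. Plain identifiers are checked
against an allowlist and backtick-quoted; a developer-written expression such
as ROUND(score, 1) is passed through only when wrapped in RawSql (the
equivalent of a per-call escape=FALSE). Values never enter the statement
text: they travel as '?' parameters.
"""
import re
import sqlite3

# Constructed allowlist of the identifiers this application may reference.
ALLOWED_IDENTIFIERS = {"users", "id", "name", "score"}

_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


class RawSql(str):
    """Marker type (hypothetical): the caller vouches that this fragment is a
    trusted, developer-written expression, so it is not escaped."""


def protect_identifier(ident):
    """Backtick-quote an identifier after checking it against the allowlist.
    Anything that is not a plain, known identifier is refused, so a
    caller-controlled name can never splice syntax into the statement."""
    if isinstance(ident, RawSql):
        return str(ident)
    if not _IDENT_RE.match(ident) or ident not in ALLOWED_IDENTIFIERS:
        raise ValueError("refusing to use untrusted identifier: %r" % ident)
    return "`%s`" % ident


def build_select(columns, table, order_by=None):
    """Assemble SELECT ... FROM ... [ORDER BY ...] with every identifier
    protected. Column values do not belong here; use '?' parameters."""
    cols = ", ".join(protect_identifier(c) for c in columns)
    sql = "SELECT %s FROM %s" % (cols, protect_identifier(table))
    if order_by is not None:
        sql += " ORDER BY %s" % protect_identifier(order_by)
    return sql


def demo():
    """Run the builder against an in-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, score REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "ann", 3.456), (2, "bob", 1.22)])

    # Plain identifiers are quoted; the trusted expression passes through
    # unescaped instead of becoming ROUND(score, `1)` as in the question.
    sql = build_select(["id", RawSql("ROUND(score, 1) AS rounded")],
                       "users", "id")
    rows = conn.execute(sql).fetchall()

    # An identifier that is not on the allowlist is refused rather than being
    # pasted into the query; that refusal is exactly what a global
    # _protect_identifiers = FALSE throws away.
    try:
        build_select(["id"], "users", "name; --")
        refused = False
    except ValueError:
        refused = True
    return sql, rows, refused


if __name__ == "__main__":
    print(demo())
```

The design point is that escaping is switched off per fragment, by a type the developer has to choose deliberately, while every other identifier still has to be both well-formed and known. Turning the protection off in database.php removes that check for every query in the application at once.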
I am trying to update a MySQL table with the following query using Doctrine. But the table is not getting updated. Also, the code below didn't throw any error. I am totally confused. If I run the query, taken from the getDQL() method, in MySQL directly, it shows 0 rows updated because of improper quotes. It works after placing proper quotes around the values in the query. Need help to solve this puzzle.
Since I am new to Doctrine, I will use the examples given in the QueryBuilder class file.
$support = $this->createQueryBuilder('p')
    ->update('gcns', 'g')
    ->set("g.isActive", "0")
    ->andWhere("g.issn='".$issn."'");
Do you ever execute the query or are you just building it? You should have something along these lines to execute it:
$support->getQuery()->getSingleScalarResult();
If I run the query, taken from the getDQL() method, in MySQL directly, it shows 0 rows updated because of improper quotes.
getDQL() returns DQL, not SQL, so it will have improper quotes if you try to run it directly inside MySQL, but that's expected.
You shouldn't concatenate $issn into your query. You should use parameters instead:
$qb = $this->createQueryBuilder();
$support = $qb->update('gcns', 'g')
    ->set('g.isActive', '0')
    ->andWhere( $qb->expr()->eq('g.issn', ':issn') )
    ->setParameter( 'issn', $issn )
    ->getQuery()->getSingleScalarResult()
;
When using string interpolation, sprintf or generally any form of dynamically creating an SQL query string, PhpStorm usually trips up. For example:
$placeholders = join(', ', array_fill(0, count($ids), '?'));
$stmt = $db->prepare("SELECT * FROM foo WHERE bar IN ($placeholders)");
$stmt->execute($ids);
or:
$db->prepare(sprintf('INSERT .. (%s) ..', $foo))
These understandably trigger some sort of SQL syntax error warning in PhpStorm. Is there any way to suppress those without outright disabling SQL language parsing?
I found the definitive answer to this problem from Jetbrains Blog:
http://blog.jetbrains.com/phpstorm/2014/11/database-language-injection-configuration/
You need to add \%\w+. in your Tools > Database section.
You can have basic SQL parsing and syntax checking by following these two steps:
Set the dialect to Generic. In File -> Settings set the following:
Then, disable the SQL dialect detection inspection:
Confirm with Ok and you're done.
Of course it would be great if PHPStorm could resolve SQL Strings with variable substitution, but sadly that's not the case (yet).
The only solution I've come up with is to add a newline before the SQL like:
$sql = "\nINSERT INTO ...";
PhpStorm thinks it's a plain-old-string now and will not try to parse it as SQL.
I am using the Lua script
https://github.com/clofresh/mysql-proxy-cache to cache select queries.
But there is a problem with the way it is detecting select statement.
It is using the following code
return query:sub(1,6):lower() == 'select'
This will not work if the select query is nested in (). Example:
(SELECT * from tbl_name);
Is there a way to remove the extra () in mysql proxy?
Or is there a better way to detect a select query?
I would try to write a normalizing script using the String Library that detects common patterns and replaces them with equivalent normalized SQL.
One example is your parentheses, but also queries where the WHERE parts have been moved around could benefit from this.
The queries are actually inside of the parentheses, not inside of a string? That shouldn't parse correctly, even with a plugin. If it is in a string then simply use :sub(2, 7); however, if it is not, then put it inside of a string. Create a function that basically reproduces the function, except it puts it in a string, e.g.:
function mysqlQuery(mysqlString)
    loadstring(mysqlString)();
    return mysqlString;
end
mysqlQuery("SELECT * from tbl");
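As an added example (not part of the mysql-proxy-cache script or of either answer), here is the normalizing check in Python: it skips leading whitespace, SQL comments and any number of opening parentheses before looking at the first keyword, so "(SELECT * from tbl_name);" is recognised. It goes a little beyond the question by also handling comments and by refusing to treat a string that carries more than one statement as a cacheable SELECT, since a cache layer must not serve a read that is followed by a write. The sample queries are constructed.

```python
"""Recognise a SELECT statement for a query cache, parentheses and all.

Added example, not the mysql-proxy-cache code. The script's check
query:sub(1,6):lower() == 'select' looks only at the first six bytes, so a
query wrapped in parentheses or preceded by whitespace or a comment is
missed. first_keyword() strips that leading noise; is_cacheable_select()
additionally rejects multi-statement strings.
"""
import re

# Leading material that carries no statement meaning: whitespace, opening
# parentheses, /* */ block comments, and -- / # line comments.
_LEADING_NOISE = re.compile(
    r"""^(?:\s+
         |\(
         |/\*.*?\*/
         |--[^\n]*\n?
         |\#[^\n]*\n?
       )+""",
    re.DOTALL | re.VERBOSE,
)


def first_keyword(query):
    """Return the first SQL keyword, lower-cased, after skipping leading
    whitespace, comments and opening parentheses ('' if there is none)."""
    stripped = _LEADING_NOISE.sub("", query, count=1)
    m = re.match(r"[A-Za-z_]+", stripped)
    return m.group(0).lower() if m else ""


def is_cacheable_select(query):
    """True only for a lone SELECT: the first keyword is select and there is
    no statement separator that could hide a write behind it. A ';' inside a
    string literal also trips the check, which errs on the safe side (the
    query is simply not cached)."""
    if first_keyword(query) != "select":
        return False
    body = query.rstrip().rstrip(";")   # a single trailing ';' is fine
    return ";" not in body


if __name__ == "__main__":
    # Constructed queries covering the cases from the question.
    for q in ["(SELECT * from tbl_name);", "  select 1", "UPDATE t SET a = 1",
              "SELECT 1; DELETE FROM t"]:
        print(repr(q), "->", first_keyword(q), is_cacheable_select(q))
```

Only queries whose first keyword is exactly select are cached; anything else (EXPLAIN, WITH, writes) falls through to the server, which is the conservative default a proxy cache wants.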
Seems that it may not be possible, but hey, I might as well ask; I could be wrong. I was wondering if there's any way for Perl to update multiple rows using one MySQL call. I'm using DBI.
Any help or feedback would be greatly appreciated. This is possible in MSSQL through ASP and ASP.NET, so I was wondering if it is also possible through Perl on MySQL.
Thank you for your feedback!
First and most important, you absolutely should not interpolate variables directly into your SQL strings. That leaves open the possibility of SQL injection attacks. Even if those variables don't come from user input, it leaves open the possibility of dangerous bugs that can screw up your data.
The MySQL DBD driver does support multiple statements, though it's turned off by default as a safety feature. See mysql_multi_statements under the Class Methods section in the DBD::mysql documentation.
But a much better solution, which solves both problems at once and is more portable, is to use prepared statements and placeholder values.
my $sth = $dbh->prepare("UPDATE LOW_PRIORITY TableName SET E1=?,F1=? WHERE X=?");
Then, get your data in a loop of some sort:
while( $whatever ) {
    my ( $EC, $MR, $EM ) = get_the_data();
    $sth->execute( $EC, $MR, $EM );
}
You only need to prepare the statement once, and the placeholder values are replaced (and guaranteed to be properly quoted) by the DBD driver.
Read more about placeholders in the DBI docs.
You don't need mysql_multi_statements, as friedo suggests.
You need to turn off AutoCommit mode before you call the loop containing your UPDATE command:
$dbh->{AutoCommit} = 0;
while( $condition ) {
    my $myParam = something();
    ...
    $sth->execute( $myParam ); #your prepared UPDATE statement
    ...
}
$dbh->commit();
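As an added example (not the Perl or Doctrine code from these answers), the pattern the three threads converge on, in Python's sqlite3: one statement with placeholders, executed once per row inside a single transaction, plus the IN (...) list from the PhpStorm question built with a placeholder per value while the values themselves stay parameters. The table, rows and the concatenated_lookup() helper (kept only to make the breakage visible) are constructed for the demo.

```python
"""Prepared statement + placeholders, looped inside one transaction.

Added example. The statement text below is fixed; only the parameters change
per execution, so a value containing an apostrophe or something that looks
like SQL is stored and matched literally instead of being parsed.
"""
import sqlite3

UPDATE_SQL = "UPDATE items SET e1 = ?, f1 = ? WHERE x = ?"


def fresh_db():
    """Constructed in-memory table with three rows keyed by x."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (x TEXT PRIMARY KEY, e1 INTEGER, f1 TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [("a", 0, ""), ("b", 0, ""), ("c", 0, "")])
    conn.commit()
    return conn


def update_rows(conn, rows):
    """rows: iterable of (e1, f1, x). Prepare once, execute per row, commit
    once (the AutoCommit = 0 ... commit() pattern). Returns rows changed."""
    changed = 0
    with conn:                       # one transaction, committed on exit
        cur = conn.cursor()
        for e1, f1, x in rows:
            changed += cur.execute(UPDATE_SQL, (e1, f1, x)).rowcount
    return changed


def select_in(conn, keys):
    """Dynamic IN (...) list: the number of '?' comes from len(keys), the
    values stay parameters (the join/array_fill pattern from the PHP code)."""
    if not keys:
        return []
    placeholders = ", ".join(["?"] * len(keys))
    sql = "SELECT x, e1, f1 FROM items WHERE x IN (%s) ORDER BY x" % placeholders
    return conn.execute(sql, list(keys)).fetchall()


def concatenated_lookup(conn, x):
    """The form the answers warn against: the value is spliced into the
    statement text. An apostrophe in the value breaks the statement."""
    try:
        conn.execute("SELECT x FROM items WHERE x = '%s'" % x).fetchall()
        return "ok"
    except sqlite3.OperationalError:
        return "syntax error"


def demo():
    conn = fresh_db()
    # Constructed data; the third key does not exist, so it changes nothing.
    data = [(1, "O'Reilly", "a"), (2, "a; -- b", "b"), (3, "plain", "zzz")]
    changed = update_rows(conn, data)
    found = select_in(conn, ["a", "b"])
    broken = concatenated_lookup(conn, "O'Reilly")
    safe = conn.execute("SELECT f1 FROM items WHERE x = ?", ("b",)).fetchone()[0]
    return changed, found, broken, safe


if __name__ == "__main__":
    print(demo())
```

Two things to read off the output: the parameterized path stores "a; -- b" as plain text, and the concatenated path fails on the very first value with a quote in it, which is the same failure the Doctrine question ran into when pasting DQL with missing quotes into MySQL.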
Hey, what's the most effective way to remove beginning and ending slashes from all rows in a particular column using MySQL?
Before:
/hello/world/
foo/bar/
/something/else
/one/more/*
After:
hello/world
foo/bar
something/else
one/more/*
...or maybe this should be done in PHP instead?
See TRIM()
UPDATE MY_TABLE SET my_field=TRIM(BOTH '/' FROM my_field);
You could definitely make this work using the MySQL string functions, but I think this would be best handled outside of the database using PHP or whatever programming language of your choice.
Your PHP option: (I'm assuming the fetched row is in $row)
$row['Field'] = explode('/', $row['Field']);
// Remove the empty elements (the 'strlen' callback keeps a literal "0" segment,
// which a bare array_filter() would drop as falsy)
$row['Field'] = array_filter($row['Field'], 'strlen');
$row['Field'] = implode('/', $row['Field']);