Skip to content
This repository

CDbCriteria does not escape column names. #2176

Closed
undsoft opened this Issue · 9 comments

5 participants

undsoft waza-ari Alexander Makarov Carsten Brandt juhule
undsoft

The following code will fail:

$criteria = new CDbCriteria();
$criteria->compare('left', '<=100');

Produces:

SELECT * FROM `t` WHERE (left<=:ycp0)

which is incorrect because LEFT is the mysql keyword.

CDbCriteria::addSearchCondition() is also affected. Maybe other methods too.

waza-ari

+1 here.

We have a column called "group", which also is not escaped by the class and thus produces an MySQL Syntax error.

waza-ari

Hey, anything new here?
Thats really a annoying bug, and we currently do quick-fixing instead of creating a real patch because we have no idea whats the best solution...

Alexander Makarov
Collaborator

That's scheduled to 1.1.15. Will work on it after 1.1.14.

Carsten Brandt
Collaborator
cebe commented

This can not be fixed because of the design of CDbCriteria. CDbCriteria is not aware of a database connection so it does not know how to escape the columns. See also #2525 for detailed explaination.

Carsten Brandt cebe closed this
waza-ari

So the solution is to use quoteColumnName by hand? Not a too nice solution...

Carsten Brandt
Collaborator
cebe commented

Not a nice solution but I do not see a way to fix this. In yii2 Query this problem does not exist btw.

waza-ari
juhule
juhule commented

Hi, have the same problem. Why don't you just change the line in addSearchCondition to:
$condition="".$column." $like ".self::PARAM_PREFIX.self::$paramCount;
for mysql connections??

Carsten Brandt
Collaborator
cebe commented

CDbCriteria is not aware of the connection so it has no idea whether it will be used with MySQL or other systems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.