CDbCriteria does not escape column names. #2176

undsoft opened this Issue · 9 comments

5 participants


The following code will fail:

$criteria = new CDbCriteria();
$criteria->compare('left', '<=100');


SELECT * FROM `t` WHERE (left<=:ycp0)

which is incorrect because LEFT is a MySQL keyword.

CDbCriteria::addSearchCondition() is also affected. Maybe other methods too.


+1 here.

We have a column called "group", which also is not escaped by the class and thus produces a MySQL syntax error.

@cebe cebe was assigned

Hey, anything new here?
That's really an annoying bug, and we currently do quick-fixing instead of creating a real patch because we have no idea what's the best solution...


That's scheduled to 1.1.15. Will work on it after 1.1.14.


This cannot be fixed because of the design of CDbCriteria. CDbCriteria is not aware of a database connection so it does not know how to escape the columns. See also #2525 for a detailed explanation.

@cebe cebe closed this

So the solution is to use quoteColumnName by hand? Not too nice a solution...


Not a nice solution but I do not see a way to fix this. In yii2 Query this problem does not exist btw.


Hi, have the same problem. Why don't you just change the line in addSearchCondition to:
$condition="".$column." $like ".self::PARAM_PREFIX.self::$paramCount;
for mysql connections??


CDbCriteria is not aware of the connection so it has no idea whether it will be used with MySQL or other systems.
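
Why the column can only be quoted where the target database is known, as an added example that is not part of the thread and is not Yii's code: `quoteIdentifier()` and `compareCondition()` are hypothetical stand-ins, the driver keys are PDO driver names, and the column names are the two reported above.

```php
<?php
// Added illustration, not Yii code. quoteIdentifier() and compareCondition()
// are hypothetical helpers written for this example.

/** Quote a column name (optionally "table.column") for the given PDO driver. */
function quoteIdentifier(string $driver, string $name): string
{
    // The quote characters differ per DBMS, so an object that does not
    // know its connection cannot choose between them.
    $quotes = [
        'mysql'  => ['`', '`'],
        'pgsql'  => ['"', '"'],
        'sqlite' => ['"', '"'],
        'sqlsrv' => ['[', ']'],
    ];
    if (!isset($quotes[$driver])) {
        throw new InvalidArgumentException("Unsupported driver: $driver");
    }
    [$open, $close] = $quotes[$driver];

    $parts = [];
    foreach (explode('.', $name) as $part) {
        // Double any closing quote character inside the name so the name
        // stays a single identifier.
        $parts[] = $open . str_replace($close, $close . $close, $part) . $close;
    }
    return implode('.', $parts);
}

/** Build the WHERE fragment from the report, with the column quoted. */
function compareCondition(string $driver, string $column, string $op): string
{
    return '(' . quoteIdentifier($driver, $column) . $op . ':ycp0)';
}

// The two reserved-word columns mentioned in the thread, per dialect.
foreach (['mysql', 'pgsql', 'sqlsrv'] as $driver) {
    foreach (['left', 'group'] as $column) {
        echo $driver, ': SELECT * FROM t WHERE ',
            compareCondition($driver, $column, '<='), "\n";
    }
}
```

In Yii 1.1 the by-hand workaround discussed above is to pass the result of `Yii::app()->db->quoteColumnName('left')` as the column argument of `compare()`, since the connection is the component that knows the dialect.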
