CDbCriteria does not escape column names. #2176

Closed
undsoft opened this Issue · 9 comments

5 participants

@undsoft

The following code will fail:

$criteria = new CDbCriteria();
$criteria->compare('left', '<=100');

Produces:

SELECT * FROM `t` WHERE (left<=:ycp0)

which is incorrect because LEFT is a MySQL keyword.

CDbCriteria::addSearchCondition() is also affected. Maybe other methods too.

@waza-ari

+1 here.

We have a column called "group", which also is not escaped by the class and thus produces a MySQL syntax error.

@cebe cebe was assigned
@waza-ari

Hey, anything new here?
That's really an annoying bug, and we currently do quick-fixing instead of creating a real patch because we have no idea what's the best solution...

@samdark
Owner

That's scheduled for 1.1.15. Will work on it after 1.1.14.

@cebe
Owner

This cannot be fixed because of the design of CDbCriteria. CDbCriteria is not aware of a database connection, so it does not know how to escape the columns. See also #2525 for a detailed explanation.

@cebe cebe closed this
@waza-ari

So the solution is to use quoteColumnName by hand? Not a too nice solution...

@cebe
Owner

Not a nice solution but I do not see a way to fix this. In yii2 Query this problem does not exist btw.

@waza-ari
@juhule

Hi, have the same problem. Why don't you just change the line in addSearchCondition to:
$condition="`".$column."` $like ".self::PARAM_PREFIX.self::$paramCount;
for MySQL connections??

@cebe
Owner

CDbCriteria is not aware of the connection so it has no idea whether it will be used with MySQL or other systems.
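The following is an added, stand-alone example (not code from Yii or from any participant in this thread) that makes the two points above concrete: why `compare('left', '<=100')` yields an unquoted keyword, and what the "quote by hand" workaround looks like. It does not depend on the framework: `quoteColumnName()` here is a simplified stand-in for the per-driver quoting that Yii 1.1 exposes as `Yii::app()->db->quoteColumnName()`, `buildCompare()` mimics the operator parsing of `CDbCriteria::compare()` so the generated fragment can be read, and `assertSafeColumnName()` is an added whitelist check, because quoting an identifier is not the same as validating one when the column name comes from a request parameter.

```php
<?php
// Added example, not Yii's code. quoteColumnName() and buildCompare() are
// simplified stand-ins for CDbConnection::quoteColumnName() and
// CDbCriteria::compare(); assertSafeColumnName() is an added defensive check.

/**
 * Reject anything that is not a plain, optionally table-qualified identifier.
 * CDbCriteria interpolates the column name verbatim into the SQL, so a name
 * taken from user input (sort/filter parameters) must be whitelisted first.
 */
function assertSafeColumnName(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $name)) {
        throw new InvalidArgumentException("Unsafe column name: $name");
    }
    return $name;
}

/**
 * Per-driver identifier quoting (backticks for MySQL, double quotes for
 * PostgreSQL/SQLite). Yii does this in its driver-specific schema classes,
 * which is exactly why a connection-less CDbCriteria cannot do it itself.
 * "table.column" is quoted part by part.
 */
function quoteColumnName(string $driver, string $name): string
{
    $q = ($driver === 'mysql') ? '`' : '"';
    $parts = explode('.', assertSafeColumnName($name));
    return implode('.', array_map(fn($p) => $q . $p . $q, $parts));
}

/**
 * Mimics CDbCriteria::compare(): a leading <>, <=, >=, <, > or = in the value
 * becomes the operator, the rest is bound as a :ycpN parameter. Returns the
 * condition fragment and the parameter map the criteria object would keep.
 */
function buildCompare(string $column, string $value, int &$paramCount): array
{
    preg_match('/^(?:\s*(<>|<=|>=|<|>|=))?(.*)$/', $value, $m); // always matches
    $op    = ($m[1] !== '') ? $m[1] : '=';
    $param = ':ycp' . $paramCount++;
    return ["{$column}{$op}{$param}", [$param => $m[2]]];
}

$paramCount = 0;

// 1. What the issue reports: the keyword "left" reaches the SQL unquoted.
[$cond, $params] = buildCompare('left', '<=100', $paramCount);
echo "unquoted: WHERE ($cond)\n";      // WHERE (left<=:ycp0) -> MySQL syntax error

// 2. The workaround from the thread: quote before calling compare().
//    With Yii 1.1 that is Yii::app()->db->quoteColumnName('left').
[$cond, $params] = buildCompare(quoteColumnName('mysql', 'left'), '<=100', $paramCount);
echo "mysql:    WHERE ($cond)\n";      // WHERE (`left`<=:ycp1)

[$cond, $params] = buildCompare(quoteColumnName('pgsql', 't.group'), '<=100', $paramCount);
echo "pgsql:    WHERE ($cond)\n";      // WHERE ("t"."group"<=:ycp2)

// 3. Quoting is not validation: a constructed, malformed column name coming
//    from a request is rejected before it can be interpolated at all.
try {
    quoteColumnName('mysql', 'left OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Two things to take from this: the value side of `compare()` is already safe because it is bound as a parameter, so the defect is purely about identifiers; and the identifier side has to be handled by the caller in Yii 1.1, both quoting it (for keywords such as `left` or `group`) and, when it originates from user input, restricting it to a known set of column names.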
