added LIKE condition escaping to all drivers and Active Record
updated all DB drivers to accept arrays in escape_str()
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 06375d6..cdbfbbd 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -71,6 +71,9 @@
<li>Database
<ul>
<li>Switched from using gettype() in escape() to is_* methods, since future PHP versions might change its output.</li>
+ <li>Updated all database drivers to handle arrays in escape_str()</li>
+ <li>Added escape_like_str() method for escaping strings to be used in LIKE conditions</li>
+ <li>Updated Active Record to utilize the new LIKE escaping mechanism.</li>
</ul>
</li>
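Review bot: The three added entries end inconsistently: the two `Updated all database drivers …` and `Added escape_like_str() …` lines have no trailing period while `Updated Active Record …` and the surrounding entries do. Suggest terminating all three the same way as the existing `Switched from using gettype() …` entry.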
@@ -80,6 +83,7 @@
<ul>
<li>Fixed assorted user guide typos or examples (#6743).</li>
<li>Fixed a bug with ORIG_PATH_INFO that was allowing URIs of just a slash through.</li>
+ <li>Fixed a fatal error in the Oracle and ODBC drivers (#6752)</li>
</ul>
<h2>Version 1.7.1</h2>
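Review bot: The added `Fixed a fatal error in the Oracle and ODBC drivers (#6752)` entry lacks the trailing period that the neighbouring `Fixed …` entries carry; add it for consistency with the rest of the list.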
@@ -136,7 +140,6 @@
<li>Fixed a bug where TRUNCATE was not considered a "write" query (#6619).</li>
<li>Fixed a bug where csv_from_result() was checking for a nonexistent method.</li>
<li>Fixed a bug _protect_identifiers() where it was improperly removing all pipe symbols from items</li>
- <li>Fixed a fatal error in the Oracle driver (#6752)</li>
</ul>
</li>
<li>Fixed assorted user guide typos or examples (#5998, #6093, #6259, #6339, #6432, #6521).</li>
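Review bot: Removing `Fixed a fatal error in the Oracle driver (#6752)` from the Version 1.7.1 section, while the same ticket is re-added under the newer section above, rewrites the release history. Please confirm the Oracle fix never shipped in 1.7.1; if it did, keep this line and have the new entry mention only the ODBC driver.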
diff --git a/user_guide/database/queries.html b/user_guide/database/queries.html
index f42e179..9665af2 100644
--- a/user_guide/database/queries.html
+++ b/user_guide/database/queries.html
@@ -96,7 +96,7 @@
<h1>Escaping Queries</h1>
<p>It's a very good security practice to escape your data before submitting it into your database.
-CodeIgniter has two functions that help you do this:</p>
+CodeIgniter has three methods that help you do this:</p>
<ol>
<li><strong>$this->db->escape()</strong> This function determines the data type so that it
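Review bot: The heading sentence now says `three methods`, but the unchanged list item directly below still says `This function determines the data type …`, and the second item in the following hunk also says `Use the function like this`. Either keep `functions` here or update the wording of the list items so the terminology matches.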
@@ -108,6 +108,13 @@
Most of the time you'll use the above function rather than this one. Use the function like this:
<code>$sql = "INSERT INTO table (title) VALUES('".$this->db->escape_str($title)."')";</code></li>
+
+<li><strong>$this->db->escape_like_str()</strong> This method should be used when strings are to be used in LIKE
+conditions so that LIKE wildcards ('%', '_') in the string are also properly escaped.
+
+<code>$search = '20% raise';<br />
+$sql = "SELECT id FROM table WHERE column LIKE '%".$this->db->escape_like_str($search)."%'";</code>
+
</ol>
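Review bot: The new `<li><strong>$this->db->escape_like_str()</strong> …` item is never closed: the `<code>` block ends on the `+$sql = "SELECT id FROM table WHERE column LIKE …` line and the next line is the unchanged `</ol>`, so a `+</li>` is missing before it (the two existing items each close with `</li>`). The text should also state whether escape_like_str() performs the ordinary escape_str() quoting as well, or whether callers must combine the two, since the example relies on one call only; a note on which escape character the driver uses for `%` and `_`, and whether the query needs a matching `ESCAPE` clause, would make the example usable across databases.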