
This is my code:

return $this->db
            ->select('organization')
            ->like('title',$this->db->escape_str($query))
            ->or_like('description',$this->db->escape_str($query))
            ->get('shop_search')
            ->num_rows();

Everything works well until there is a ' (and not a ") in $query.

With $query="d'" the error is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' OR `description` LIKE '%d\\\\\\'%'' at line 3

SELECT `organization` FROM `default_shop_search` WHERE `title` LIKE '%d\\\\\\'%' OR `description` LIKE '%d\\\\\\'%'

What am I missing here?

Dump of passed query:

Debug #1 of 1: string(2) "d'"
double-beep
Alireza

2 Answers


You don't need to escape the parameter manually while you're using the CI Active Record class; just remove the $this->db->escape_str() call:

return $this->db
        ->select('organization')
        ->like('title', $query)
        ->or_like('description', $query)
        ->get('shop_search')
        ->num_rows();

From the CI User Guide:

$this->db->like()

Note: All values passed to this method are escaped automatically.

Update

Okay, here's my test-case:

$query = "e'";
$res = $this->db
            ->select()
            ->like('title', $query)
            ->or_like('description', $query)
            ->get('shop_search')
            ->num_rows();

var_dump($this->db->last_query());
// Output: string(96) "SELECT * FROM (`myPrefix_shop_search`) WHERE `title` LIKE '%e\'%' OR `description` LIKE '%e\'%'"

var_dump($res);
// Output: int(1)

As I expected, AR added only one backslash to escape the $query. I ran this test on CI v2.1.4.

Please revise your logic, and if you don't find anything wrong, share more of the relevant code; I'm all ears.

Hashem Qolami
  • Actually, I first tried that but just like now I get the error, ```SELECT `organization` FROM `default_shop_search` WHERE `title` LIKE '%d\\'%' OR `description` LIKE '%d\\'%'``` with your suggested code. After that I added the `$this->db->escape_str()`. – Alireza Aug 24 '13 at 10:32
  • What is `$query` exactly? could you post `var_dump($query)`? – Hashem Qolami Aug 24 '13 at 10:33
  • @Youhan I'm making some tests; it may take some minutes. – Hashem Qolami Aug 24 '13 at 10:50
  • @Youhan - Alireza :) I just updated my answer, but I didn't face any error. Please take a look at the update section. – Hashem Qolami Aug 24 '13 at 11:17

Use:

$query = mysql_real_escape_string($query);

return $this->db
            ->select('organization')
            ->like('title',$query)
            ->or_like('description',$query)
            ->get('shop_search')
            ->num_rows();
Kanishka Panamaldeniya
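The question, the first answer's test case and the second answer's mysql_real_escape_string() suggestion all turn on the same point: like() already backslash-escapes its argument once, so any escaping done before the call is applied on top of it. The following is an added, constructed example (not code from the question, the answers or CodeIgniter). It does not touch a database: it re-implements the two ingredients involved, a mysql_real_escape_string()-style escaper and the `col` LIKE '%...%' clause that like() builds, plus a small decoder that reads a single-quoted MySQL literal the way the server would, so you can see what each variant actually searches for. The function names and the decoder are my own; the clause with '%d\\'%' at the end is the one reported in the question.

```php
<?php
declare(strict_types=1);

/**
 * Backslash-escapes a value the way mysql_real_escape_string() does for the
 * characters that matter here (constructed re-implementation, not the real
 * function). This is the one escaping step the query builder already performs
 * inside like(); calling escape_str() before like() runs it a second time.
 */
function mysqlEscape(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

/** Builds the clause like() produces, after $rounds applications of mysqlEscape(). */
function buildLikeClause(string $column, string $needle, int $rounds): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $needle = mysqlEscape($needle);
    }
    return "`$column` LIKE '%" . $needle . "%'";
}

/**
 * Decodes the single-quoted literal starting at $pos as a MySQL server would
 * (backslash escapes and '' doubling). Returns the decoded value and the text
 * left after the closing quote, or null if the literal never closes.
 */
function decodeSqlLiteral(string $sql, int $pos): ?array
{
    if (($sql[$pos] ?? '') !== "'") {
        return null;
    }
    $out = '';
    $len = strlen($sql);
    for ($i = $pos + 1; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === "\\" && $i + 1 < $len) {
            $n = $sql[++$i];
            $out .= ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a"][$n] ?? $n;
        } elseif ($c === "'") {
            if (($sql[$i + 1] ?? '') === "'") {   // doubled quote inside a literal
                $out .= "'";
                $i++;
                continue;
            }
            return ['value' => $out, 'rest' => substr($sql, $i + 1)];
        } else {
            $out .= $c;
        }
    }
    return null;
}

/** Decodes the literal of a `col` LIKE '...' clause; 'rest' is what the server sees after it. */
function inspectLikeClause(string $clause): ?array
{
    $pos = strpos($clause, "'");
    return $pos === false ? null : decodeSqlLiteral($clause, $pos);
}

$query = "d'";   // constructed input, the same value as in the question

// Escaped once (what like() does on its own): the literal closes at the end
// and the server matches titles containing  d'
$once = buildLikeClause('title', $query, 1);
// Escaped twice (escape_str() or mysql_real_escape_string() before like()):
// still valid SQL, but the server now silently matches  d\'  instead.
$twice = buildLikeClause('title', $query, 2);

foreach (['once' => $once, 'twice' => $twice] as $label => $clause) {
    $r = inspectLikeClause($clause);
    printf("%-5s %-28s -> matches %s, leftover %s\n",
        $label, $clause, var_export($r['value'], true), var_export($r['rest'], true));
}

// The clause reported in the question: `title` LIKE '%d\\'%'. The two
// backslashes decode to one literal backslash, so the quote after them closes
// the string early and  %'  is left dangling; that dangling text is what the
// "syntax to use near '%' ..." error message points at.
$broken = "`title` LIKE '%d\\\\'%'";
$r = inspectLikeClause($broken);
printf("page  %-28s -> matches %s, leftover %s\n",
    $broken, var_export($r['value'], true), var_export($r['rest'], true));
```

Run it with php on the command line. The once case is the correct form (escape exactly once, at the point where the value enters the SQL string, which like() already does). The twice case is the more dangerous one in practice: it produces no error at all, just a search term that can never match what the user typed. Whatever produced the clause in the question, the way to debug it is the one the first answer uses: var_dump($this->db->last_query()) and count the backslashes, then remove every escaping layer except the builder's own. Note also that mysql_real_escape_string(), which the second answer suggests, belongs to the ext/mysql extension that was removed in PHP 7, and it requires an open ext/mysql connection to work, so it is not a portable fix even on older PHP.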