Channel: Yii Framework Forum

CDbCriteria::$having - Parameters Escaping?

Hi Everybody,

I have a quick question regarding the CDbCriteria model.

I need to make a simple list of purchases (| total price | list of items |) with filters, using the CGridView widget.

Part of the model's code is as follows:
$criteria = new CDbCriteria;
$criteria->select = array(
    "*",
    "SUM(t.amount) AS amount",                                  // aggregated per payment
    "GROUP_CONCAT(t.description SEPARATOR ', ') AS description", // items of the payment
);
$criteria->group = 't.payment_id';   // one row per payment


And I would like to allow searching by SUM(t.amount), so I added:
$criteria->having = 'amount = ' . (float)$this->amount;


Then I wanted to allow searching by description:
$criteria->having = "description LIKE '%" . $this->description . "%'";    // don't do this at home

Of course, the above solution is vulnerable to SQL injection, so it cannot be used without escaping the parameter first.

My question is: how should I get rid of this issue? Is there any way to escape a string "manually"?

Why isn't there a solution like the one below?
$havingCriteria = new CDbCriteria();
$havingCriteria->compare('description', $this->description, true);
$criteria->having = $havingCriteria;


Regards,
KS
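The following is an added example, not code from the post above or from the Yii project itself. It shows one way to get the effect the post asks for in Yii 1.1: instead of concatenating user input into $criteria->having, the HAVING clause is built in a throw-away CDbCriteria with compare(), which emits ':ycpN' placeholders, stores the values in ->params and (for partial matches) escapes the LIKE wildcards %, _ and \ in the keyword. Because CDbCommandBuilder binds one parameter list to the whole command, the helper's condition and params are then moved onto the main criteria. The model name (Purchase), the table alias (the default 't') and the safe search attributes (amount, description) are assumptions for the example.

```php
<?php
// Added example (not from the original post): a Purchase model whose search()
// filters on the aggregated columns through a parameterised HAVING clause.
// Assumed: model class Purchase, default table alias 't', search attributes
// 'amount' and 'description' declared safe on the 'search' scenario.
class Purchase extends CActiveRecord
{
    public $amount;       // virtual attribute bound to SUM(t.amount)
    public $description;  // virtual attribute bound to GROUP_CONCAT(...)

    public static function model($className = __CLASS__)
    {
        return parent::model($className);
    }

    public function tableName()
    {
        return '{{purchase}}';
    }

    public function rules()
    {
        return array(
            // only attributes marked safe on 'search' are mass-assigned from the grid filter
            array('amount, description', 'safe', 'on' => 'search'),
        );
    }

    public function search()
    {
        $criteria = new CDbCriteria;
        $criteria->select = array(
            '*',
            'SUM(t.amount) AS amount',
            "GROUP_CONCAT(t.description SEPARATOR ', ') AS description",
        );
        $criteria->group = 't.payment_id';

        // Build the HAVING clause in a helper criteria so compare() does the work:
        // it generates ':ycpN' placeholders, puts the values in ->params and, with
        // partialMatch=true, escapes %, _ and \ in the keyword before wrapping it
        // in %...%. The placeholder counter is static on CDbCriteria, so the names
        // cannot collide with placeholders generated for $criteria itself.
        $having = new CDbCriteria;
        $having->compare('amount', $this->amount);                 // accepts '>=100', '<>5', ...
        $having->compare('description', $this->description, true); // description LIKE :ycpN

        if ($having->condition !== '') {
            $criteria->having = $having->condition;
            // One parameter list is bound to the whole command (WHERE and HAVING),
            // so the helper's bound values are merged into the main criteria.
            $criteria->params = array_merge($criteria->params, $having->params);
        }

        return new CActiveDataProvider($this, array(
            'criteria' => $criteria,
        ));
    }
}
```

If a literal string really has to be embedded, Yii::app()->db->quoteValue($string) (CDbConnection::quoteValue, which wraps PDO::quote) is the "manual" escape, but note that it only quotes the string: it does not escape the LIKE wildcards, so a filter value of "%" would still match every row. Binding through params, as above, handles both.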
