ORM addslashes ?
  • Here is my code to post data:

    $users_blog = ORM::factory('UsersBlog');
    $users_blog->users_id = $current_user->id;
    $users_blog->values($_POST);

    if ($users_blog->check()) {
        $users_blog->save();
    } else {
        $errors = $users_blog->errors();
    }
    I have added "test's string" as the blog title in the $_POST data, and the single quote ' was not escaped in the database.
    How do I get special characters escaped by default in Kohana?
  • The question may seem silly but how do you know it wasn't escaped ?
    Does the save() call throw an SQL error exception or something ?
    Because that's what would happen if your test string wasn't escaped, I think.
  • INSERT INTO `users` (id, `password`, email) VALUES (null, '12345', " '''test ");

    I can insert the email as '''test using direct SQL, but it is not safe, yeah? It must be escaped in the field as \'\'\'test, and when getting it from the database, strip the slashes.
  • I don't get it.

    Sorry for repeating myself, but what makes you so sure that Kohana doesn't escape the string ?

    If it didn't, the code you've posted in the first post wouldn't work at all...it would generate the query :

    insert into `users` (`id`, `password`, `email`) VALUES (null, '12345', 'test's string');
    ...which isn't valid SQL, MySQL shouldn't accept it, and you should get an exception.
  • OK, I have tried some tests and saw that the record is saved in the database without slashes; the slash is necessary only to indicate that a "special character will go after the backslash" )
    Thanks a lot, all is clear with slashes in my mind )
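
The conclusion of the thread, as an added example that is not part of any post and is not Kohana's own code: escaping belongs to the SQL text, not to the stored value, so calling addslashes() on input before handing it to the database layer stores the backslash as data. It assumes PHP 7+ with the pdo_sqlite extension; the in-memory SQLite database, the `users_blog` table layout and the `store_and_fetch()` helper are stand-ins made up for the demonstration.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database
// accessed through PDO stands in for the MySQL database behind the ORM (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users_blog (id INTEGER PRIMARY KEY, title TEXT)');

// Constructed input: the same title used in the first post.
$title = "test's string";

// Hypothetical helper: store a title, then read back exactly what the table holds.
function store_and_fetch(PDO $pdo, string $title): string
{
    $insert = $pdo->prepare('INSERT INTO users_blog (title) VALUES (:title)');
    $insert->execute([':title' => $title]);

    $select = $pdo->prepare('SELECT title FROM users_blog WHERE id = :id');
    $select->execute([':id' => $pdo->lastInsertId()]);

    return (string) $select->fetchColumn();
}

// 1. Value passed to the database layer untouched: the quote is handled
//    by the layer and the stored value is identical to the input.
$plain = store_and_fetch($pdo, $title);

// 2. Value passed through addslashes() first: the backslash is now part
//    of the data, so it ends up in the table and in every later read.
$slashed = store_and_fetch($pdo, addslashes($title));

// 3. The escaped form only exists inside the SQL statement text.
//    quote() returns the literal this driver would place in a query;
//    SQLite escapes the quote by doubling it where MySQL uses a backslash.
$literal = $pdo->quote($title);

printf("input              : %s\n", $title);
printf("stored (as-is)     : %s\n", $plain);
printf("stored (addslashes): %s\n", $slashed);
printf("SQL literal        : %s\n", $literal);
printf("round trip intact  : %s\n", $plain === $title ? 'yes' : 'no');
printf("double-escaped     : %s\n", $slashed === $title ? 'no' : 'yes');
```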