I have a quick question regarding the CDbCriteria model.
I need to make a simple list of purchases (| total price | list of items |) with filters, using the CGridView widget.
Part of the model's code is as follows:
    $criteria = new CDbCriteria;
    $criteria->select = array(
        "*",
        "SUM(t.amount) AS amount",
        "GROUP_CONCAT(t.description SEPARATOR ', ') AS description",
    );
    $criteria->group = 't.payment_id';
And I would like to allow searching by SUM(t.amount), so I added:
    $criteria->having = 'amount = ' . (float)$this->amount;
Then I wanted to allow searching by description:
    $criteria->having = "description LIKE '%" . $this->description . "%'"; // don't do this at home
Of course the above solution is vulnerable to SQL injection, so it cannot be used without escaping the parameter first.
My question is: how should I get rid of these issues? Is there any way to escape the string "manually"?
Why isn't there a solution like the one below?
    $havingCriteria = new CDbCriteria();
    $havingCriteria->compare('description', $this->description, true);
    $criteria->having = $havingCriteria;
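The following is an added example, not code from the original post: it shows how the two HAVING filters can be expressed as bound parameters with the Yii 1.1 CDbCriteria API (compare(), condition, params, having), so no manual escaping is needed. buildPurchaseCriteria() and buildDescriptionHaving() are hypothetical helper names standing in for the model's search() method, and Yii 1.1 is assumed to be autoloaded.

```php
<?php
// Added example (not from the original post). Assumes Yii 1.1 is autoloaded so
// CDbCriteria is available; the function names are hypothetical stand-ins for
// the model's search() method.

/**
 * Build the grouped purchase criteria and attach user-supplied HAVING filters
 * as bound parameters instead of concatenated SQL.
 *
 * @param string|null $amount      raw filter input for SUM(t.amount)
 * @param string|null $description raw filter input for the concatenated descriptions
 */
function buildPurchaseCriteria($amount, $description)
{
    $criteria = new CDbCriteria;
    $criteria->select = array(
        '*',
        'SUM(t.amount) AS amount',
        "GROUP_CONCAT(t.description SEPARATOR ', ') AS description",
    );
    $criteria->group = 't.payment_id';

    // compare() only writes into ->condition (WHERE), so build the filters in a
    // scratch criteria and move the generated SQL into ->having. compare() skips
    // empty input, honours "<", ">=", "<>" prefixes on $amount, and with
    // $partialMatch=true escapes % and _ inside the LIKE pattern.
    $having = new CDbCriteria;
    $having->compare('amount', $amount);                  // amount=:ycpN
    $having->compare('description', $description, true);  // description LIKE :ycpM

    if ($having->condition !== '') {
        $criteria->having = $having->condition;
        // Placeholder names come from a static counter shared by every CDbCriteria
        // instance, so merging the two params arrays cannot produce a collision.
        $criteria->params = array_merge($criteria->params, $having->params);
    }
    return $criteria;
}

// Hand-written equivalent for one filter: name the placeholder yourself and let
// PDO bind the value, so quotes in the input are treated as data, not SQL.
function buildDescriptionHaving(CDbCriteria $criteria, $description)
{
    if ($description === null || $description === '') {
        return $criteria;
    }
    $criteria->having = 'description LIKE :desc';
    $pattern = strtr($description, array('%' => '\%', '_' => '\_', '\\' => '\\\\'));
    $criteria->params[':desc'] = '%' . $pattern . '%';
    return $criteria;
}
```

Either form keeps the HAVING clause free of user input; the difference is only whether CDbCriteria or the caller chooses the placeholder name.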