CDbCriteria::$having - Parameters Escaping?

Hi Everybody,

I have a quick question regarding the CDbCriteria model.

I need to make a simple list of purchases (| total price | list of items |) with filters using the CGridView widget.

Part of the model's code is as follows:

$criteria = new CDbCriteria;
$criteria->select = array(
    "*",
    "SUM(t.amount) AS amount",
    "GROUP_CONCAT(t.description SEPARATOR ', ') AS description",
);
$criteria->group = 't.payment_id';

And I would like to allow searching by SUM(t.amount), so I added:

$criteria->having = 'amount = ' . (float)$this->amount;

Then I wanted to allow searching by description:

$criteria->having = "description LIKE '%" . $this->description . "%'";    // don't do this at home

Of course the above solution is vulnerable to SQL injection, so it cannot be used without escaping the parameter first.

My question is - how should I get rid of these issues? Is there any way to escape a string "manually"?

Why isn't there any solution like below?

$havingCriteria = new CDbCriteria();
$havingCriteria->compare('description', $this->description, true);
$criteria->having = $havingCriteria;



Regards,

KS

$criteria->having = "description LIKE :searchparam";
$criteria->params[':searchparam'] = "%" . $this->description . "%";



Thanks redguy!

I resolved this in a different, but less elegant, way than you.

$criteria->having = "description LIKE " . Yii::app()->db->quoteValue('%' . $this->description . '%');
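A runnable illustration of the concatenated HAVING from the question next to the bound-parameter version from redguy's answer, added here as an example (it is not code from this thread or from Yii). It assumes Python's sqlite3 in place of Yii/MySQL, constructed sample rows, aggregate aliases renamed to total and items so they do not clash with base column names in SQLite, and it also escapes the LIKE wildcards % and _ (as CDbCriteria::addSearchCondition does by default) so that a user searching for "50%" matches that text literally.

```python
import sqlite3

# Constructed sample rows standing in for the post's purchases table (not real data).
ROWS = [
    # (payment_id, amount, description)
    (1, 10.0, "coffee"),
    (1, 5.5, "O'Brien's tea"),
    (2, 20.0, "50% discount"),
    (2, 1.0, "shipping"),
]

# Same shape as the post's criteria: aggregate per payment, then filter on the aggregates.
# Aliases are 'total' and 'items' rather than 'amount'/'description' because SQLite resolves
# a bare name in HAVING to the base column before the alias when both exist.
SELECT = (
    "SELECT payment_id, SUM(amount) AS total, GROUP_CONCAT(description, ', ') AS items "
    "FROM purchases GROUP BY payment_id "
)


def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE purchases (payment_id INTEGER, amount REAL, description TEXT)")
    con.executemany("INSERT INTO purchases VALUES (?, ?, ?)", ROWS)
    return con


def search_concat(con, needle):
    # The thread's first attempt: user text spliced into the SQL string. A single quote in
    # the input already breaks the statement, which is the symptom of the injection flaw.
    sql = SELECT + "HAVING items LIKE '%" + needle + "%'"
    return con.execute(sql).fetchall()


def escape_like(needle, esc="\\"):
    # Make LIKE metacharacters literal; backslash itself is escaped first.
    return needle.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_bound(con, needle, escape=True):
    # redguy's fix: the pattern travels as a bound parameter, never as SQL text.
    # ESCAPE is stated explicitly here; MySQL's default escape character is already backslash.
    pattern = "%" + (escape_like(needle) if escape else needle) + "%"
    sql = SELECT + "HAVING items LIKE ? ESCAPE '\\'"
    return con.execute(sql, (pattern,)).fetchall()
```

With escape=False the pattern "%" matches every group, which is the behaviour a bare params binding gives; with escaping only the group whose items contain a literal percent sign is returned.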