Hi, I have a "General Ledger Accounts" table called GLaccnt.
For some of the records (accounts) - such as assets - I can use the name which is stored in the record (GLaccnt_name).
But for other records - such as clients - I have to get their personal info in a separate table called Client.
In the search() function of GLaccnt model, I cannot use “with” statements and eager loading, because not all GLaccnt records have a related record in Client, resulting in the gridview throwing ‘trying to get property of non-object’ errors - for some records.
So I use a select statement in the dataprovider criteria:
if (GLaccnt has a Client) then use Client.Client_name else use GLaccnt_name
$criteria->select = '
*,
(IF(GLaccnt_forgnkey > 0,
(
SELECT Client.Client_name
FROM Client
WHERE Client.Client_id = GLaccnt_forgnkey
),
GLaccnt_name
)) AS myName';
The problem is that this sql is open for injection attacks, but I can’t do this:
... WHERE Client.Client_id = :fk
$criteria->params=array(':fk' => $this->GLaccnt_forgnkey);
because the value of GLaccnt_forgnkey must change for every record, while $this->GLaccnt_forgnkey was set only once in the controller.
This also does not work:
$criteria->params=array(':fk' => 't.GLaccnt_forgnkey');
I want to sort/filter on this myName column, so I have to include it in the dataprovider. Setting the column’s ‘value’ in the CGridView by using a function, will thus also not work.
Any other ideas to prevent the injection?