syntax criteria using Yii framework


1

I'm having a hard time building a WHERE clause using criteria. I'm posting the code I'm writing and, below it, the error.

Criteria code

$criteria->compare('id', $this->id);
$criteria->compare('data_hora', $this->data_hora, true);
$criteria->compare('arquivo', $this->arquivo, true);
$criteria->compare('caminho', $this->caminho, true);
// the line that triggers the error: the POST value is spliced into the SQL as-is, unquoted
$criteria->condition = "caminho=" . $_POST['busca'];

Error generated

CDbCommand failed to execute the SQL statement: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/home/samba/Administracao/scordon/cdgrd/cdgrd.scp' at line 1. The SQL statement executed was: SELECT COUNT(*) FROM path t WHERE caminho=/home/samba/Administracao/scordon/cdgrd/cdgrd.scp (/opt/lampp/htdocs/Yii/framework/db/CDbCommand.php:543)

  • Can you post the SQL generated by this code?

  • I can't get at the SQL; the SQL is generated by the Yii framework code.

2 answers

2

You can do it like this:

$criteria->compare('caminho', $_POST['busca']);

This way Yii already protects against SQL injection. In the form below, as in milz's answer, the system is vulnerable to SQL injection.

$criteria->condition="caminho='".$_POST['busca']."'";

1

The error appears to be a problem in the WHERE clause; the query being executed is:

SELECT COUNT(*) FROM path t WHERE caminho=/home/samba/Administracao/scordon/cdgrd/cdgrd.scp

and it should be

SELECT COUNT(*) FROM path t WHERE caminho='/home/samba/Administracao/scordon/cdgrd/cdgrd.scp'

Change the condition line to:

$criteria->condition="caminho='".$_POST['busca']."'";

This way the query should no longer produce an error.
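To make the difference between the two answers concrete, here is an added example that is not part of either answer or of the Yii framework. It reproduces the question's table and column (`path` / `caminho`) in an in-memory SQLite database with a few constructed rows, and builds the COUNT query three ways: unquoted as in the question (which reproduces the syntax error), quoted by string concatenation as in the second answer (which fixes the syntax error but lets the value rewrite the WHERE clause), and with a bound parameter, which is what Yii 1.x `CDbCriteria::compare()` does underneath. The table contents and the `busca` values are constructed for the demonstration; the function names are this example's own.

```python
import sqlite3

# Constructed sample rows mirroring the question's schema: table `path`,
# column `caminho` (the other columns from the question are omitted).
ROWS = [
    (1, "/home/samba/Administracao/scordon/cdgrd/cdgrd.scp"),
    (2, "/home/samba/Administracao/scordon/outro/outro.scp"),
    (3, "/home/samba/Financeiro/relatorio.scp"),
]


def make_db():
    """Create an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE path (id INTEGER PRIMARY KEY, caminho TEXT)")
    conn.executemany("INSERT INTO path VALUES (?, ?)", ROWS)
    return conn


def reproduce_question_error(conn, busca):
    """The question's original condition: the value is spliced in unquoted.
    Returns the database error message instead of raising, so the failure
    mode can be inspected; a path starting with '/' is not valid SQL here."""
    sql = "SELECT COUNT(*) FROM path t WHERE caminho=" + busca
    try:
        conn.execute(sql).fetchone()
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def count_concatenated(conn, busca):
    """The second answer's fix: quote the value and concatenate it.
    The syntax error goes away, but a single quote inside `busca` ends the
    string literal and the rest of the value is parsed as SQL."""
    sql = "SELECT COUNT(*) FROM path t WHERE caminho='" + busca + "'"
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, busca):
    """The first answer, in effect: bind the value as a parameter.
    Whatever `busca` contains, the database only ever compares it to the
    column; it is never parsed as part of the statement."""
    sql = "SELECT COUNT(*) FROM path t WHERE caminho=:busca"
    return conn.execute(sql, {"busca": busca}).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    legit = "/home/samba/Administracao/scordon/cdgrd/cdgrd.scp"
    payload = "' OR '1'='1"  # constructed injection payload
    print("unquoted     :", reproduce_question_error(db, legit))
    print("concatenated :", count_concatenated(db, legit), count_concatenated(db, payload))
    print("parameterized:", count_parameterized(db, legit), count_parameterized(db, payload))
```

With the legitimate path both quoted forms return 1, so the second answer looks correct in normal use. With the constructed payload `' OR '1'='1` the concatenated form returns the whole table (3), because the WHERE clause has become `caminho='' OR '1'='1'`, while the parameterized form returns 0 because it looks for a row whose `caminho` literally equals the payload string. In Yii that is the reason to pass user input through `compare()` (or `addCondition()` with `params`) rather than building `$criteria->condition` by concatenation.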
