Why does CodeIgniter escape wrongly some elements of the query when I use CASE?JOIN and the ON clause (NULL values)SQL CASE WHEN issue, Query not running at allChecking existence in mysql query with CASE statementOptimizing my mysql querysql error 1064 when i change inner join to left joinMy Query Run Slow MysqlVery slow query on MySQL 5.7 with multiple left joins and indexesincorrect file type '/tmp/#sql_53b8_0.MYI'; try to repair itInterbase SQL remake a Select queryHow to use subquery in caes statement

Rising and falling intonation

How to create ADT in Haskell?

Is there a RAID 0 Equivalent for RAM?

How can Trident be so inexpensive? Will it orbit Triton or just do a (slow) flyby?

Terse Method to Swap Lowest for Highest?

Is aluminum electrical wire used on aircraft?

Biological Blimps: Propulsion

Are the IPv6 address space and IPv4 address space completely disjoint?

Why should universal income be universal?

Why a symmetric relation is defined: ∀x∀y( xRy⟹yRx) and not ∀x∀y (xRy⟺yRx)?

Did arcade monitors have same pixel aspect ratio as TV sets?

Has any country ever had 2 former presidents in jail simultaneously?

Dealing with a rejection from a journal

How to explain what's wrong with this application of the chain rule?

How do you make your own symbol when Detexify fails?

Travelling outside the UK without a passport

Removing files under particular conditions (number of files, file age)

What should you do if you miss a job interview (deliberately)?

Not using 's' for he/she/it

What is the evidence for the "tyranny of the majority problem" in a direct democracy context?

Closed-form expression for certain product

copy and scale one figure (wheel)

Yosemite Fire Rings - What to Expect?

What is Cash Advance APR?



Why does CodeIgniter escape wrongly some elements of the query when I use CASE?


JOIN and the ON clause (NULL values)SQL CASE WHEN issue, Query not running at allChecking existence in mysql query with CASE statementOptimizing my mysql querysql error 1064 when i change inner join to left joinMy Query Run Slow MysqlVery slow query on MySQL 5.7 with multiple left joins and indexesincorrect file type '/tmp/#sql_53b8_0.MYI'; try to repair itInterbase SQL remake a Select queryHow to use subquery in caes statement













0















My problem is very specific, and I couldn't find any information to help me. Here it is:



I use MySQL mariadb-10.2.3 and CodeIgniter 3, and have a problem in a query because CodeIgniter failed trying to protect against SQL injection:



You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '.`id END` AS `responsable_qui_valide_id`, CASE WHEN bdc_valide_par_responsable.b' at line 13

SELECT `b`.`id`, CONCAT(u.nom,' ',u.prenom) AS demandeur, 
CONCAT(u.email_nom,'@',e.domaine) AS demandeur_email, 
DATE_FORMAT(b.horodateur, "%d/%m/%Y") AS horodateur, 
`p`.`nom` AS `direction_concernee`, 
`b`.`expression_besoin` AS `expression`, 
CASE 
 WHEN oa.bdc_id IS NOT NULL 
 THEN oa.explication 
 ELSE 
 CASE 
 WHEN oi.bdc_id IS NOT NULL 
 THEN CONCAT('Demande Interservices - Dossier n°',oi.demande_interservices_id,' de ',CONCAT(uis.nom,' ',uis.prenom)) 
 ELSE 'Entretien ou besoin courant' 
 END 
END AS origine, 
CONCAT(u_elu.nom,' ',u_elu.prenom) AS elu_associe_au_bdc, 
`bdc_code`.`code_famille`, 
`bdc_code`.`imputation`, 
`d`.`id` AS `num_devis_choisi`, 
`d`.`fournisseur` AS `fournisseur_devis_choisi`, 
`d`.`devis`, CONCAT(d.montant,'€') AS montant_devis_choisi, 
CASE d.marche 
 WHEN 1 
 THEN '(Marché)' 
 ELSE NULL 
END AS marche, `bdc_devis_choisi`.`raison_choix` AS `choix`, 
`bdc_niveau_validation`.`niveau`, 
CASE 
 WHEN bdc_refuse.bdc_id IS NULL 
 THEN CAST(0 AS BINARY) 
 ELSE CAST(1 AS BINARY) 
END AS refus, 
`bdc_refuse`.`raison_refus`, 
CONCAT(ur.nom,' ',ur.prenom) AS refuseur, 
`ur`.`id` AS `refuseur_id`, 
CONCAT(uvr.email_nom,'@',e_uvr.domaine) AS refuseur_email, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.nom,' ',uvr.prenom) 
 ELSE CONCAT(uvrp.nom,' ',uvrp.prenom) 
END AS responsable_qui_valide, 
`CASE WHEN bdc_valide_par_responsable`.`bdc_id IS NOT NULL THEN uvr`.`id ELSE uvrp`.`id END` AS `responsable_qui_valide_id`, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.email_nom,'@',e_uvr.domaine) 
 ELSE CONCAT(uvrp.email_nom,'@',e_uvrp.domaine) 
END AS responsable_email, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS responsable_a_valide, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_responsable.date_validation, "%d/%m/%Y") 
 ELSE NULL END AS date_validation_responsable, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.nom,' ',uve.prenom) 
 ELSE CONCAT(u_elu.nom,' ',u_elu.prenom) 
END AS elu_qui_valide, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.email_nom,'@',e_uve.domaine) 
 ELSE CONCAT(u_elu.email_nom,'@',e_u_elu.domaine) 
END AS elu_email, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS elu_a_valide, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_elu.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_elu, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.nom,' ',uvc.prenom) 
 ELSE 
 (SELECT CONCAT(urc.nom,' ',urc.prenom) 
 FROM utilisateur AS urc 
 JOIN pole ON pole.responsable_id = urc.id 
 WHERE pole.nom LIKE 'Pôle Ressources') 
END AS compta_qui_valide, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.email_nom,'@',e_uvc.domaine) 
 ELSE 
 (SELECT CONCAT(urc.email_nom,'@',e_urc.domaine) 
 FROM utilisateur AS urc 
 JOIN pole ON pole.responsable_id = urc.id 
 JOIN email_domaine AS e_urc ON urc.email_domaine_id = e_urc.id 
 WHERE pole.nom LIKE 'Pôle Ressources') 
END AS compta_email, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS compta_a_valide, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_comptabilite.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_compta, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS dirigeant_a_valide, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.nom,' ',uvd.prenom) 
 ELSE NULL 
END AS dirigeant_qui_a_valide, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.email_nom,'@',e_uvd.domaine)
 ELSE NULL 
END AS dirigeant_email, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_dirigeant.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_dirigeant 
FROM `bon_de_commande` AS `b` 
JOIN `utilisateur` AS `u` ON `b`.`demandeur_id` = `u`.`id` 
JOIN `email_domaine` AS `e` ON `u`.`email_domaine_id` = `e`.`id` 
JOIN `pole` AS `p` ON `b`.`pole_concerne_id` = `p`.`id` 
LEFT JOIN `bdc_origine_besoin_courant` AS `ob` ON `ob`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_origine_interservices` AS `oi` ON `oi`.`bdc_id` = `b`.`id` 
LEFT JOIN `demande_interservices` ON `oi`.`demande_interservices_id` = `demande_interservices`.`id` 
LEFT JOIN `utilisateur` AS `uis` ON `demande_interservices`.`utilisateur_id` = `uis`.`id` 
LEFT JOIN `bdc_origine_autre` AS `oa` ON `oa`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_associe_elu` ON `bdc_associe_elu`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `u_elu` ON `bdc_associe_elu`.`elu_id` = `u_elu`.`id` 
LEFT JOIN `email_domaine` AS `e_u_elu` ON `u_elu`.`email_domaine_id` = `e_u_elu`.`id` 
LEFT JOIN `bdc_code` ON `bdc_code`.`bdc_id` = `b`.`id` 
JOIN `bdc_devis_choisi` ON `bdc_devis_choisi`.`bdc_id` = `b`.`id` 
JOIN `devis` AS `d` ON `bdc_devis_choisi`.`devis_id` = `d`.`id` 
JOIN `bdc_niveau_validation` ON `bdc_niveau_validation`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_refuse` ON `bdc_refuse`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_valide_par_commission` ON `bdc_valide_par_commission`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvcm` ON `bdc_valide_par_commission`.`elu_id` = `uvcm`.`id` 
LEFT JOIN `bdc_valide_par_comptabilite` ON `bdc_valide_par_comptabilite`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvc` ON `bdc_valide_par_comptabilite`.`responsable_id` = `uvc`.`id` 
LEFT JOIN `email_domaine` AS `e_uvc` ON `uvc`.`email_domaine_id` = `e_uvc`.`id` 
LEFT JOIN `bdc_valide_par_elu` ON `bdc_valide_par_elu`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uve` ON `bdc_valide_par_elu`.`elu_id` = `uve`.`id` 
LEFT JOIN `email_domaine` AS `e_uve` ON `uve`.`email_domaine_id` = `e_uve`.`id` 
LEFT JOIN `bdc_valide_par_responsable` ON `bdc_valide_par_responsable`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvr` ON `bdc_valide_par_responsable`.`responsable_id` = `uvr`.`id` 
LEFT JOIN `email_domaine` AS `e_uvr` ON `uvr`.`email_domaine_id` = `e_uvr`.`id` 
LEFT JOIN `utilisateur` AS `uvrp` ON `p`.`responsable_id` = `uvrp`.`id` 
LEFT JOIN `email_domaine` AS `e_uvrp` ON `uvrp`.`email_domaine_id` = `e_uvrp`.`id` 
LEFT JOIN `bdc_valide_par_dirigeant` ON `bdc_valide_par_dirigeant`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvd` ON `bdc_valide_par_dirigeant`.`dirigeant_id` = `uvd`.`id` 
LEFT JOIN `email_domaine` AS `e_uvd` ON `uvd`.`email_domaine_id` = `e_uvd`.`id` 
LEFT JOIN `utilisateur` AS `ur` ON `bdc_refuse`.`refuseur_id` = `ur`.`id` 
LEFT JOIN `email_domaine` AS `e_ur` ON `ur`.`email_domaine_id` = `e_ur`.`id` 
WHERE `b`.`id` = 1


And the original code in my PHP file is:



$select = array(
 'b.id',
 'CONCAT(u.nom,' ',u.prenom) AS demandeur',
 'CONCAT(u.email_nom,'@',e.domaine) AS demandeur_email',
 'DATE_FORMAT(b.horodateur, "%d/%m/%Y") AS horodateur',
 'p.nom AS direction_concernee',
 'b.expression_besoin AS expression',
 'CASE WHEN oa.bdc_id IS NOT NULL 
 THEN oa.explication 
 ELSE 
 CASE WHEN oi.bdc_id IS NOT NULL 
 THEN CONCAT('Demande Interservices - Dossier n°',oi.demande_interservices_id,' de ',CONCAT(uis.nom,' ',uis.prenom))
 ELSE 'Entretien ou besoin courant' 
 END 
 END 
 AS origine',
 'CONCAT(u_elu.nom,' ',u_elu.prenom) AS elu_associe_au_bdc',
 'bdc_code.code_famille',
 'bdc_code.imputation',
 'd.id AS num_devis_choisi',
 'd.fournisseur AS fournisseur_devis_choisi',
 'd.devis',
 'CONCAT(d.montant,'€') AS montant_devis_choisi',
 'CASE d.marche WHEN 1 THEN '(Marché)' ELSE NULL END AS marche',
 'bdc_devis_choisi.raison_choix AS choix',
 'bdc_niveau_validation.niveau',
 'CASE WHEN bdc_refuse.bdc_id IS NULL THEN CAST(0 AS BINARY) ELSE CAST(1 AS BINARY) END AS refus',
 'bdc_refuse.raison_refus',
 'CONCAT(ur.nom,' ',ur.prenom) AS refuseur',
 'ur.id AS refuseur_id',
 'CONCAT(uvr.email_nom,'@',e_uvr.domaine) AS refuseur_email',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.nom,' ',uvr.prenom)
 ELSE CONCAT(uvrp.nom,' ',uvrp.prenom)
 END
 AS responsable_qui_valide',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN uvr.id
 ELSE uvrp.id
 END
 AS responsable_qui_valide_id',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.email_nom,'@',e_uvr.domaine)
 ELSE CONCAT(uvrp.email_nom,'@',e_uvrp.domaine)
 END
 AS responsable_email',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS responsable_a_valide',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_responsable.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_responsable',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.nom,' ',uve.prenom)
 ELSE CONCAT(u_elu.nom,' ',u_elu.prenom)
 END
 AS elu_qui_valide',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN (SELECT uve.id)
 ELSE (SELECT u_elu.id)
 END
 AS elu_qui_valide_id',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.email_nom,'@',e_uve.domaine)
 ELSE CONCAT(u_elu.email_nom,'@',e_u_elu.domaine)
 END
 AS elu_email',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS elu_a_valide',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_elu.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_elu',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.nom,' ',uvc.prenom)
 ELSE
 (SELECT CONCAT(urc.nom,' ',urc.prenom) FROM utilisateur AS urc JOIN pole ON pole.responsable_id = urc.id WHERE pole.nom LIKE 'Pôle Ressources')
 END
 AS compta_qui_valide',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN (SELECT uvc.id)
 ELSE
 (SELECT urc.id FROM utilisateur AS urc JOIN pole ON pole.responsable_id = urc.id WHERE pole.nom LIKE 'Pôle Ressources')
 END
 AS compta_qui_valide_id',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.email_nom,'@',e_uvc.domaine)
 ELSE
 (SELECT CONCAT(urc.email_nom,'@',e_urc.domaine) FROM utilisateur AS urc
 JOIN pole ON pole.responsable_id = urc.id
 JOIN email_domaine AS e_urc ON urc.email_domaine_id = e_urc.id
 WHERE pole.nom LIKE 'Pôle Ressources') 
 END
 AS compta_email',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS compta_a_valide',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_comptabilite.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_compta',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS dirigeant_a_valide',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.nom,' ',uvd.prenom)
 ELSE NULL
 END
 AS dirigeant_qui_a_valide',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN (SELECT uvd.id)
 ELSE NULL
 END
 AS dirigeant_qui_a_valide_id',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.email_nom,'@',e_uvd.domaine)
 ELSE NULL
 END
 AS dirigeant_email',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_dirigeant.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_dirigeant'
 );
 $where = array('b.id' => $bdc_id);

 $this->db->select($select);
 $this->db->from('bon_de_commande AS b');
 $this->db->join('utilisateur AS u', 'b.demandeur_id = u.id');
 $this->db->join('email_domaine AS e', 'u.email_domaine_id = e.id');
 $this->db->join('pole AS p', 'b.pole_concerne_id = p.id');
 $this->db->join('bdc_origine_besoin_courant AS ob', 'ob.bdc_id = b.id', 'left');
 $this->db->join('bdc_origine_interservices AS oi', 'oi.bdc_id = b.id', 'left');
 $this->db->join('demande_interservices', 'oi.demande_interservices_id = demande_interservices.id', 'left');
 $this->db->join('utilisateur AS uis', 'demande_interservices.utilisateur_id = uis.id', 'left');
 $this->db->join('bdc_origine_autre AS oa', 'oa.bdc_id = b.id', 'left');
 $this->db->join('bdc_associe_elu', 'bdc_associe_elu.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS u_elu', 'bdc_associe_elu.elu_id = u_elu.id', 'left');
 $this->db->join('email_domaine AS e_u_elu', 'u_elu.email_domaine_id = e_u_elu.id', 'left');
 $this->db->join('bdc_code', 'bdc_code.bdc_id = b.id', 'left');
 $this->db->join('bdc_devis_choisi', 'bdc_devis_choisi.bdc_id = b.id');
 $this->db->join('devis AS d', 'bdc_devis_choisi.devis_id = d.id');
 $this->db->join('bdc_niveau_validation', 'bdc_niveau_validation.bdc_id = b.id');
 $this->db->join('bdc_refuse', 'bdc_refuse.bdc_id = b.id', 'left');
 $this->db->join('bdc_valide_par_commission', 'bdc_valide_par_commission.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvcm', 'bdc_valide_par_commission.elu_id = uvcm.id', 'left');
 $this->db->join('bdc_valide_par_comptabilite', 'bdc_valide_par_comptabilite.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvc', 'bdc_valide_par_comptabilite.responsable_id = uvc.id', 'left');
 $this->db->join('email_domaine AS e_uvc', 'uvc.email_domaine_id = e_uvc.id', 'left');
 $this->db->join('bdc_valide_par_elu', 'bdc_valide_par_elu.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uve', 'bdc_valide_par_elu.elu_id = uve.id', 'left');
 $this->db->join('email_domaine AS e_uve', 'uve.email_domaine_id = e_uve.id', 'left');
 $this->db->join('bdc_valide_par_responsable', 'bdc_valide_par_responsable.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvr', 'bdc_valide_par_responsable.responsable_id = uvr.id', 'left');
 $this->db->join('email_domaine AS e_uvr', 'uvr.email_domaine_id = e_uvr.id', 'left');
 $this->db->join('utilisateur AS uvrp', 'p.responsable_id = uvrp.id', 'left');
 $this->db->join('email_domaine AS e_uvrp', 'uvrp.email_domaine_id = e_uvrp.id', 'left');
 $this->db->join('bdc_valide_par_dirigeant', 'bdc_valide_par_dirigeant.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvd', 'bdc_valide_par_dirigeant.dirigeant_id = uvd.id', 'left');
 $this->db->join('email_domaine AS e_uvd', 'uvd.email_domaine_id = e_uvd.id', 'left');
 $this->db->join('utilisateur AS ur', 'bdc_refuse.refuseur_id = ur.id', 'left');
 $this->db->join('email_domaine AS e_ur', 'ur.email_domaine_id = e_ur.id', 'left');
 $this->db->where($where);
 $query = $this->db->get();


The problem is in this line (in the error message):



`CASE WHEN bdc_valide_par_responsable`.`bdc_id IS NOT NULL THEN uvr`.`id ELSE uvrp`.`id END` AS `responsable_qui_valide_id`,


As you can see, CodeIgniter inserts the small apostrophe ` to prevent SQL injection, but not always. And in this case, the apostrophes are not well inserted and it causes a wrong query.



The strange thing is, when I replace the conditions in the bad CASE by this one:



THEN CONCAT(uvr.id)


or by:



THEN (SELECT uvr.id)


No more syntax error ...



What's happening? Is there a better way to write the query with CodeIgniter?






mysql codeigniter case sql-injection







share|improve this question
























  • Which Codeignitor version are you using? Also i suspect Codeignitor escape() function not to be perfect safe against all SQL injections pretty i suspect it to be a wrapper around mysqli_real_escape_string() or a custom one that manually "escape" with regexes or string matching on Special Character Escape Sequences..

    – Raymond Nijland
    2 days ago











  • Seams iám right about this see the function escape() and internal used escape_str() ... it tracks back to a what they call a "Platform-dependent string escape" function _escape_str()

    – Raymond Nijland
    2 days ago











  • not sure where the function remove_invisible_characters() is defined. But seeing all these source code i can't say a other thing then the anti SQL injection seams to be really sloppy done in Codeigniter atleast with the escape() function.

    – Raymond Nijland
    2 days ago












  • I uses CI 3. Same impression for me, these functions must fail in the escaping, and I'm pretty sure there is no solution. Thanks for your opinion ;)

    – Benoit Poux
    2 days ago











  • "Thanks for your opinion" no problem but what i said was is no opinion atleast it was not meant as one, what i said is a fact it based on the CL 3 source code :)

    – Raymond Nijland
    2 days ago
















0















My problem is very specific, and I couldn't find any information to help me. Here it is:



I use MySQL mariadb-10.2.3 and CodeIgniter 3, and have a problem in a query because CodeIgniter failed trying to protect against SQL injection:



You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '.`id END` AS `responsable_qui_valide_id`, CASE WHEN bdc_valide_par_responsable.b' at line 13

SELECT `b`.`id`, CONCAT(u.nom,' ',u.prenom) AS demandeur, 
CONCAT(u.email_nom,'@',e.domaine) AS demandeur_email, 
DATE_FORMAT(b.horodateur, "%d/%m/%Y") AS horodateur, 
`p`.`nom` AS `direction_concernee`, 
`b`.`expression_besoin` AS `expression`, 
CASE 
 WHEN oa.bdc_id IS NOT NULL 
 THEN oa.explication 
 ELSE 
 CASE 
 WHEN oi.bdc_id IS NOT NULL 
 THEN CONCAT('Demande Interservices - Dossier n°',oi.demande_interservices_id,' de ',CONCAT(uis.nom,' ',uis.prenom)) 
 ELSE 'Entretien ou besoin courant' 
 END 
END AS origine, 
CONCAT(u_elu.nom,' ',u_elu.prenom) AS elu_associe_au_bdc, 
`bdc_code`.`code_famille`, 
`bdc_code`.`imputation`, 
`d`.`id` AS `num_devis_choisi`, 
`d`.`fournisseur` AS `fournisseur_devis_choisi`, 
`d`.`devis`, CONCAT(d.montant,'€') AS montant_devis_choisi, 
CASE d.marche 
 WHEN 1 
 THEN '(Marché)' 
 ELSE NULL 
END AS marche, `bdc_devis_choisi`.`raison_choix` AS `choix`, 
`bdc_niveau_validation`.`niveau`, 
CASE 
 WHEN bdc_refuse.bdc_id IS NULL 
 THEN CAST(0 AS BINARY) 
 ELSE CAST(1 AS BINARY) 
END AS refus, 
`bdc_refuse`.`raison_refus`, 
CONCAT(ur.nom,' ',ur.prenom) AS refuseur, 
`ur`.`id` AS `refuseur_id`, 
CONCAT(uvr.email_nom,'@',e_uvr.domaine) AS refuseur_email, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.nom,' ',uvr.prenom) 
 ELSE CONCAT(uvrp.nom,' ',uvrp.prenom) 
END AS responsable_qui_valide, 
`CASE WHEN bdc_valide_par_responsable`.`bdc_id IS NOT NULL THEN uvr`.`id ELSE uvrp`.`id END` AS `responsable_qui_valide_id`, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.email_nom,'@',e_uvr.domaine) 
 ELSE CONCAT(uvrp.email_nom,'@',e_uvrp.domaine) 
END AS responsable_email, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS responsable_a_valide, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_responsable.date_validation, "%d/%m/%Y") 
 ELSE NULL END AS date_validation_responsable, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.nom,' ',uve.prenom) 
 ELSE CONCAT(u_elu.nom,' ',u_elu.prenom) 
END AS elu_qui_valide, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.email_nom,'@',e_uve.domaine) 
 ELSE CONCAT(u_elu.email_nom,'@',e_u_elu.domaine) 
END AS elu_email, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS elu_a_valide, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_elu.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_elu, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.nom,' ',uvc.prenom) 
 ELSE 
 (SELECT CONCAT(urc.nom,' ',urc.prenom) 
 FROM utilisateur AS urc 
 JOIN pole ON pole.responsable_id = urc.id 
 WHERE pole.nom LIKE 'Pôle Ressources') 
END AS compta_qui_valide, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.email_nom,'@',e_uvc.domaine) 
 ELSE 
 (SELECT CONCAT(urc.email_nom,'@',e_urc.domaine) 
 FROM utilisateur AS urc 
 JOIN pole ON pole.responsable_id = urc.id 
 JOIN email_domaine AS e_urc ON urc.email_domaine_id = e_urc.id 
 WHERE pole.nom LIKE 'Pôle Ressources') 
END AS compta_email, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS compta_a_valide, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_comptabilite.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_compta, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS dirigeant_a_valide, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.nom,' ',uvd.prenom) 
 ELSE NULL 
END AS dirigeant_qui_a_valide, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.email_nom,'@',e_uvd.domaine)
 ELSE NULL 
END AS dirigeant_email, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_dirigeant.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_dirigeant 
FROM `bon_de_commande` AS `b` 
JOIN `utilisateur` AS `u` ON `b`.`demandeur_id` = `u`.`id` 
JOIN `email_domaine` AS `e` ON `u`.`email_domaine_id` = `e`.`id` 
JOIN `pole` AS `p` ON `b`.`pole_concerne_id` = `p`.`id` 
LEFT JOIN `bdc_origine_besoin_courant` AS `ob` ON `ob`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_origine_interservices` AS `oi` ON `oi`.`bdc_id` = `b`.`id` 
LEFT JOIN `demande_interservices` ON `oi`.`demande_interservices_id` = `demande_interservices`.`id` 
LEFT JOIN `utilisateur` AS `uis` ON `demande_interservices`.`utilisateur_id` = `uis`.`id` 
LEFT JOIN `bdc_origine_autre` AS `oa` ON `oa`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_associe_elu` ON `bdc_associe_elu`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `u_elu` ON `bdc_associe_elu`.`elu_id` = `u_elu`.`id` 
LEFT JOIN `email_domaine` AS `e_u_elu` ON `u_elu`.`email_domaine_id` = `e_u_elu`.`id` 
LEFT JOIN `bdc_code` ON `bdc_code`.`bdc_id` = `b`.`id` 
JOIN `bdc_devis_choisi` ON `bdc_devis_choisi`.`bdc_id` = `b`.`id` 
JOIN `devis` AS `d` ON `bdc_devis_choisi`.`devis_id` = `d`.`id` 
JOIN `bdc_niveau_validation` ON `bdc_niveau_validation`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_refuse` ON `bdc_refuse`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_valide_par_commission` ON `bdc_valide_par_commission`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvcm` ON `bdc_valide_par_commission`.`elu_id` = `uvcm`.`id` 
LEFT JOIN `bdc_valide_par_comptabilite` ON `bdc_valide_par_comptabilite`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvc` ON `bdc_valide_par_comptabilite`.`responsable_id` = `uvc`.`id` 
LEFT JOIN `email_domaine` AS `e_uvc` ON `uvc`.`email_domaine_id` = `e_uvc`.`id` 
LEFT JOIN `bdc_valide_par_elu` ON `bdc_valide_par_elu`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uve` ON `bdc_valide_par_elu`.`elu_id` = `uve`.`id` 
LEFT JOIN `email_domaine` AS `e_uve` ON `uve`.`email_domaine_id` = `e_uve`.`id` 
LEFT JOIN `bdc_valide_par_responsable` ON `bdc_valide_par_responsable`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvr` ON `bdc_valide_par_responsable`.`responsable_id` = `uvr`.`id` 
LEFT JOIN `email_domaine` AS `e_uvr` ON `uvr`.`email_domaine_id` = `e_uvr`.`id` 
LEFT JOIN `utilisateur` AS `uvrp` ON `p`.`responsable_id` = `uvrp`.`id` 
LEFT JOIN `email_domaine` AS `e_uvrp` ON `uvrp`.`email_domaine_id` = `e_uvrp`.`id` 
LEFT JOIN `bdc_valide_par_dirigeant` ON `bdc_valide_par_dirigeant`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvd` ON `bdc_valide_par_dirigeant`.`dirigeant_id` = `uvd`.`id` 
LEFT JOIN `email_domaine` AS `e_uvd` ON `uvd`.`email_domaine_id` = `e_uvd`.`id` 
LEFT JOIN `utilisateur` AS `ur` ON `bdc_refuse`.`refuseur_id` = `ur`.`id` 
LEFT JOIN `email_domaine` AS `e_ur` ON `ur`.`email_domaine_id` = `e_ur`.`id` 
WHERE `b`.`id` = 1


And the original code in my PHP file is:



$select = array(
 'b.id',
 'CONCAT(u.nom,' ',u.prenom) AS demandeur',
 'CONCAT(u.email_nom,'@',e.domaine) AS demandeur_email',
 'DATE_FORMAT(b.horodateur, "%d/%m/%Y") AS horodateur',
 'p.nom AS direction_concernee',
 'b.expression_besoin AS expression',
 'CASE WHEN oa.bdc_id IS NOT NULL 
 THEN oa.explication 
 ELSE 
 CASE WHEN oi.bdc_id IS NOT NULL 
 THEN CONCAT('Demande Interservices - Dossier n°',oi.demande_interservices_id,' de ',CONCAT(uis.nom,' ',uis.prenom))
 ELSE 'Entretien ou besoin courant' 
 END 
 END 
 AS origine',
 'CONCAT(u_elu.nom,' ',u_elu.prenom) AS elu_associe_au_bdc',
 'bdc_code.code_famille',
 'bdc_code.imputation',
 'd.id AS num_devis_choisi',
 'd.fournisseur AS fournisseur_devis_choisi',
 'd.devis',
 'CONCAT(d.montant,'€') AS montant_devis_choisi',
 'CASE d.marche WHEN 1 THEN '(Marché)' ELSE NULL END AS marche',
 'bdc_devis_choisi.raison_choix AS choix',
 'bdc_niveau_validation.niveau',
 'CASE WHEN bdc_refuse.bdc_id IS NULL THEN CAST(0 AS BINARY) ELSE CAST(1 AS BINARY) END AS refus',
 'bdc_refuse.raison_refus',
 'CONCAT(ur.nom,' ',ur.prenom) AS refuseur',
 'ur.id AS refuseur_id',
 'CONCAT(uvr.email_nom,'@',e_uvr.domaine) AS refuseur_email',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.nom,' ',uvr.prenom)
 ELSE CONCAT(uvrp.nom,' ',uvrp.prenom)
 END
 AS responsable_qui_valide',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN uvr.id
 ELSE uvrp.id
 END
 AS responsable_qui_valide_id',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.email_nom,'@',e_uvr.domaine)
 ELSE CONCAT(uvrp.email_nom,'@',e_uvrp.domaine)
 END
 AS responsable_email',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS responsable_a_valide',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_responsable.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_responsable',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.nom,' ',uve.prenom)
 ELSE CONCAT(u_elu.nom,' ',u_elu.prenom)
 END
 AS elu_qui_valide',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN (SELECT uve.id)
 ELSE (SELECT u_elu.id)
 END
 AS elu_qui_valide_id',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.email_nom,'@',e_uve.domaine)
 ELSE CONCAT(u_elu.email_nom,'@',e_u_elu.domaine)
 END
 AS elu_email',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS elu_a_valide',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_elu.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_elu',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.nom,' ',uvc.prenom)
 ELSE
 (SELECT CONCAT(urc.nom,' ',urc.prenom) FROM utilisateur AS urc JOIN pole ON pole.responsable_id = urc.id WHERE pole.nom LIKE 'Pôle Ressources')
 END
 AS compta_qui_valide',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN (SELECT uvc.id)
 ELSE
 (SELECT urc.id FROM utilisateur AS urc JOIN pole ON pole.responsable_id = urc.id WHERE pole.nom LIKE 'Pôle Ressources')
 END
 AS compta_qui_valide_id',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.email_nom,'@',e_uvc.domaine)
 ELSE
 (SELECT CONCAT(urc.email_nom,'@',e_urc.domaine) FROM utilisateur AS urc
 JOIN pole ON pole.responsable_id = urc.id
 JOIN email_domaine AS e_urc ON urc.email_domaine_id = e_urc.id
 WHERE pole.nom LIKE 'Pôle Ressources') 
 END
 AS compta_email',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS compta_a_valide',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_comptabilite.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_compta',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS dirigeant_a_valide',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.nom,' ',uvd.prenom)
 ELSE NULL
 END
 AS dirigeant_qui_a_valide',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN (SELECT uvd.id)
 ELSE NULL
 END
 AS dirigeant_qui_a_valide_id',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.email_nom,'@',e_uvd.domaine)
 ELSE NULL
 END
 AS dirigeant_email',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_dirigeant.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_dirigeant'
 );
 $where = array('b.id' => $bdc_id);

 $this->db->select($select);
 $this->db->from('bon_de_commande AS b');
 $this->db->join('utilisateur AS u', 'b.demandeur_id = u.id');
 $this->db->join('email_domaine AS e', 'u.email_domaine_id = e.id');
 $this->db->join('pole AS p', 'b.pole_concerne_id = p.id');
 $this->db->join('bdc_origine_besoin_courant AS ob', 'ob.bdc_id = b.id', 'left');
 $this->db->join('bdc_origine_interservices AS oi', 'oi.bdc_id = b.id', 'left');
 $this->db->join('demande_interservices', 'oi.demande_interservices_id = demande_interservices.id', 'left');
 $this->db->join('utilisateur AS uis', 'demande_interservices.utilisateur_id = uis.id', 'left');
 $this->db->join('bdc_origine_autre AS oa', 'oa.bdc_id = b.id', 'left');
 $this->db->join('bdc_associe_elu', 'bdc_associe_elu.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS u_elu', 'bdc_associe_elu.elu_id = u_elu.id', 'left');
 $this->db->join('email_domaine AS e_u_elu', 'u_elu.email_domaine_id = e_u_elu.id', 'left');
 $this->db->join('bdc_code', 'bdc_code.bdc_id = b.id', 'left');
 $this->db->join('bdc_devis_choisi', 'bdc_devis_choisi.bdc_id = b.id');
 $this->db->join('devis AS d', 'bdc_devis_choisi.devis_id = d.id');
 $this->db->join('bdc_niveau_validation', 'bdc_niveau_validation.bdc_id = b.id');
 $this->db->join('bdc_refuse', 'bdc_refuse.bdc_id = b.id', 'left');
 $this->db->join('bdc_valide_par_commission', 'bdc_valide_par_commission.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvcm', 'bdc_valide_par_commission.elu_id = uvcm.id', 'left');
 $this->db->join('bdc_valide_par_comptabilite', 'bdc_valide_par_comptabilite.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvc', 'bdc_valide_par_comptabilite.responsable_id = uvc.id', 'left');
 $this->db->join('email_domaine AS e_uvc', 'uvc.email_domaine_id = e_uvc.id', 'left');
 $this->db->join('bdc_valide_par_elu', 'bdc_valide_par_elu.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uve', 'bdc_valide_par_elu.elu_id = uve.id', 'left');
 $this->db->join('email_domaine AS e_uve', 'uve.email_domaine_id = e_uve.id', 'left');
 $this->db->join('bdc_valide_par_responsable', 'bdc_valide_par_responsable.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvr', 'bdc_valide_par_responsable.responsable_id = uvr.id', 'left');
 $this->db->join('email_domaine AS e_uvr', 'uvr.email_domaine_id = e_uvr.id', 'left');
 $this->db->join('utilisateur AS uvrp', 'p.responsable_id = uvrp.id', 'left');
 $this->db->join('email_domaine AS e_uvrp', 'uvrp.email_domaine_id = e_uvrp.id', 'left');
 $this->db->join('bdc_valide_par_dirigeant', 'bdc_valide_par_dirigeant.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvd', 'bdc_valide_par_dirigeant.dirigeant_id = uvd.id', 'left');
 $this->db->join('email_domaine AS e_uvd', 'uvd.email_domaine_id = e_uvd.id', 'left');
 $this->db->join('utilisateur AS ur', 'bdc_refuse.refuseur_id = ur.id', 'left');
 $this->db->join('email_domaine AS e_ur', 'ur.email_domaine_id = e_ur.id', 'left');
 $this->db->where($where);
 $query = $this->db->get();


The problem is in this line (in the error message):



`CASE WHEN bdc_valide_par_responsable`.`bdc_id IS NOT NULL THEN uvr`.`id ELSE uvrp`.`id END` AS `responsable_qui_valide_id`,


As you can see, CodeIgniter inserts the small apostrophe ` to prevent SQL injection, but not always. And in this case, the apostrophes are not well inserted and it causes a wrong query.



The strange thing is, when I replace the conditions in the bad CASE by this one:



THEN CONCAT(uvr.id)


or by:



THEN (SELECT uvr.id)


No more syntax error ...



What's happening? Is there a better way to write the query with CodeIgniter?






mysql codeigniter case sql-injection







share|improve this question
























  • Which Codeignitor version are you using? Also i suspect Codeignitor escape() function not to be perfect safe against all SQL injections pretty i suspect it to be a wrapper around mysqli_real_escape_string() or a custom one that manually "escape" with regexes or string matching on Special Character Escape Sequences..

    – Raymond Nijland
    2 days ago











  • Seams iám right about this see the function escape() and internal used escape_str() ... it tracks back to a what they call a "Platform-dependent string escape" function _escape_str()

    – Raymond Nijland
    2 days ago











  • not sure where the function remove_invisible_characters() is defined. But seeing all these source code i can't say a other thing then the anti SQL injection seams to be really sloppy done in Codeigniter atleast with the escape() function.

    – Raymond Nijland
    2 days ago












  • I uses CI 3. Same impression for me, these functions must fail in the escaping, and I'm pretty sure there is no solution. Thanks for your opinion ;)

    – Benoit Poux
    2 days ago











  • "Thanks for your opinion" no problem but what i said was is no opinion atleast it was not meant as one, what i said is a fact it based on the CL 3 source code :)

    – Raymond Nijland
    2 days ago














0












0








0








My problem is very specific, and I couldn't find any information to help me. Here it is:



I use MySQL mariadb-10.2.3 and CodeIgniter 3, and have a problem in a query because CodeIgniter failed trying to protect against SQL injection:



You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '.`id END` AS `responsable_qui_valide_id`, CASE WHEN bdc_valide_par_responsable.b' at line 13

SELECT `b`.`id`, CONCAT(u.nom,' ',u.prenom) AS demandeur, 
CONCAT(u.email_nom,'@',e.domaine) AS demandeur_email, 
DATE_FORMAT(b.horodateur, "%d/%m/%Y") AS horodateur, 
`p`.`nom` AS `direction_concernee`, 
`b`.`expression_besoin` AS `expression`, 
CASE 
 WHEN oa.bdc_id IS NOT NULL 
 THEN oa.explication 
 ELSE 
 CASE 
 WHEN oi.bdc_id IS NOT NULL 
 THEN CONCAT('Demande Interservices - Dossier n°',oi.demande_interservices_id,' de ',CONCAT(uis.nom,' ',uis.prenom)) 
 ELSE 'Entretien ou besoin courant' 
 END 
END AS origine, 
CONCAT(u_elu.nom,' ',u_elu.prenom) AS elu_associe_au_bdc, 
`bdc_code`.`code_famille`, 
`bdc_code`.`imputation`, 
`d`.`id` AS `num_devis_choisi`, 
`d`.`fournisseur` AS `fournisseur_devis_choisi`, 
`d`.`devis`, CONCAT(d.montant,'€') AS montant_devis_choisi, 
CASE d.marche 
 WHEN 1 
 THEN '(Marché)' 
 ELSE NULL 
END AS marche, `bdc_devis_choisi`.`raison_choix` AS `choix`, 
`bdc_niveau_validation`.`niveau`, 
CASE 
 WHEN bdc_refuse.bdc_id IS NULL 
 THEN CAST(0 AS BINARY) 
 ELSE CAST(1 AS BINARY) 
END AS refus, 
`bdc_refuse`.`raison_refus`, 
CONCAT(ur.nom,' ',ur.prenom) AS refuseur, 
`ur`.`id` AS `refuseur_id`, 
CONCAT(uvr.email_nom,'@',e_uvr.domaine) AS refuseur_email, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.nom,' ',uvr.prenom) 
 ELSE CONCAT(uvrp.nom,' ',uvrp.prenom) 
END AS responsable_qui_valide, 
`CASE WHEN bdc_valide_par_responsable`.`bdc_id IS NOT NULL THEN uvr`.`id ELSE uvrp`.`id END` AS `responsable_qui_valide_id`, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.email_nom,'@',e_uvr.domaine) 
 ELSE CONCAT(uvrp.email_nom,'@',e_uvrp.domaine) 
END AS responsable_email, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS responsable_a_valide, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_responsable.date_validation, "%d/%m/%Y") 
 ELSE NULL END AS date_validation_responsable, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.nom,' ',uve.prenom) 
 ELSE CONCAT(u_elu.nom,' ',u_elu.prenom) 
END AS elu_qui_valide, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.email_nom,'@',e_uve.domaine) 
 ELSE CONCAT(u_elu.email_nom,'@',e_u_elu.domaine) 
END AS elu_email, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS elu_a_valide, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_elu.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_elu, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.nom,' ',uvc.prenom) 
 ELSE 
 (SELECT CONCAT(urc.nom,' ',urc.prenom) 
 FROM utilisateur AS urc 
 JOIN pole ON pole.responsable_id = urc.id 
 WHERE pole.nom LIKE 'Pôle Ressources') 
END AS compta_qui_valide, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.email_nom,'@',e_uvc.domaine) 
 ELSE 
 (SELECT CONCAT(urc.email_nom,'@',e_urc.domaine) 
 FROM utilisateur AS urc 
 JOIN pole ON pole.responsable_id = urc.id 
 JOIN email_domaine AS e_urc ON urc.email_domaine_id = e_urc.id 
 WHERE pole.nom LIKE 'Pôle Ressources') 
END AS compta_email, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS compta_a_valide, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_comptabilite.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_compta, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS dirigeant_a_valide, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.nom,' ',uvd.prenom) 
 ELSE NULL 
END AS dirigeant_qui_a_valide, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.email_nom,'@',e_uvd.domaine)
 ELSE NULL 
END AS dirigeant_email, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_dirigeant.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_dirigeant 
FROM `bon_de_commande` AS `b` 
JOIN `utilisateur` AS `u` ON `b`.`demandeur_id` = `u`.`id` 
JOIN `email_domaine` AS `e` ON `u`.`email_domaine_id` = `e`.`id` 
JOIN `pole` AS `p` ON `b`.`pole_concerne_id` = `p`.`id` 
LEFT JOIN `bdc_origine_besoin_courant` AS `ob` ON `ob`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_origine_interservices` AS `oi` ON `oi`.`bdc_id` = `b`.`id` 
LEFT JOIN `demande_interservices` ON `oi`.`demande_interservices_id` = `demande_interservices`.`id` 
LEFT JOIN `utilisateur` AS `uis` ON `demande_interservices`.`utilisateur_id` = `uis`.`id` 
LEFT JOIN `bdc_origine_autre` AS `oa` ON `oa`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_associe_elu` ON `bdc_associe_elu`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `u_elu` ON `bdc_associe_elu`.`elu_id` = `u_elu`.`id` 
LEFT JOIN `email_domaine` AS `e_u_elu` ON `u_elu`.`email_domaine_id` = `e_u_elu`.`id` 
LEFT JOIN `bdc_code` ON `bdc_code`.`bdc_id` = `b`.`id` 
JOIN `bdc_devis_choisi` ON `bdc_devis_choisi`.`bdc_id` = `b`.`id` 
JOIN `devis` AS `d` ON `bdc_devis_choisi`.`devis_id` = `d`.`id` 
JOIN `bdc_niveau_validation` ON `bdc_niveau_validation`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_refuse` ON `bdc_refuse`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_valide_par_commission` ON `bdc_valide_par_commission`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvcm` ON `bdc_valide_par_commission`.`elu_id` = `uvcm`.`id` 
LEFT JOIN `bdc_valide_par_comptabilite` ON `bdc_valide_par_comptabilite`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvc` ON `bdc_valide_par_comptabilite`.`responsable_id` = `uvc`.`id` 
LEFT JOIN `email_domaine` AS `e_uvc` ON `uvc`.`email_domaine_id` = `e_uvc`.`id` 
LEFT JOIN `bdc_valide_par_elu` ON `bdc_valide_par_elu`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uve` ON `bdc_valide_par_elu`.`elu_id` = `uve`.`id` 
LEFT JOIN `email_domaine` AS `e_uve` ON `uve`.`email_domaine_id` = `e_uve`.`id` 
LEFT JOIN `bdc_valide_par_responsable` ON `bdc_valide_par_responsable`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvr` ON `bdc_valide_par_responsable`.`responsable_id` = `uvr`.`id` 
LEFT JOIN `email_domaine` AS `e_uvr` ON `uvr`.`email_domaine_id` = `e_uvr`.`id` 
LEFT JOIN `utilisateur` AS `uvrp` ON `p`.`responsable_id` = `uvrp`.`id` 
LEFT JOIN `email_domaine` AS `e_uvrp` ON `uvrp`.`email_domaine_id` = `e_uvrp`.`id` 
LEFT JOIN `bdc_valide_par_dirigeant` ON `bdc_valide_par_dirigeant`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvd` ON `bdc_valide_par_dirigeant`.`dirigeant_id` = `uvd`.`id` 
LEFT JOIN `email_domaine` AS `e_uvd` ON `uvd`.`email_domaine_id` = `e_uvd`.`id` 
LEFT JOIN `utilisateur` AS `ur` ON `bdc_refuse`.`refuseur_id` = `ur`.`id` 
LEFT JOIN `email_domaine` AS `e_ur` ON `ur`.`email_domaine_id` = `e_ur`.`id` 
WHERE `b`.`id` = 1


And the original code in my PHP file is:



$select = array(
 'b.id',
 'CONCAT(u.nom,' ',u.prenom) AS demandeur',
 'CONCAT(u.email_nom,'@',e.domaine) AS demandeur_email',
 'DATE_FORMAT(b.horodateur, "%d/%m/%Y") AS horodateur',
 'p.nom AS direction_concernee',
 'b.expression_besoin AS expression',
 'CASE WHEN oa.bdc_id IS NOT NULL 
 THEN oa.explication 
 ELSE 
 CASE WHEN oi.bdc_id IS NOT NULL 
 THEN CONCAT('Demande Interservices - Dossier n°',oi.demande_interservices_id,' de ',CONCAT(uis.nom,' ',uis.prenom))
 ELSE 'Entretien ou besoin courant' 
 END 
 END 
 AS origine',
 'CONCAT(u_elu.nom,' ',u_elu.prenom) AS elu_associe_au_bdc',
 'bdc_code.code_famille',
 'bdc_code.imputation',
 'd.id AS num_devis_choisi',
 'd.fournisseur AS fournisseur_devis_choisi',
 'd.devis',
 'CONCAT(d.montant,'€') AS montant_devis_choisi',
 'CASE d.marche WHEN 1 THEN '(Marché)' ELSE NULL END AS marche',
 'bdc_devis_choisi.raison_choix AS choix',
 'bdc_niveau_validation.niveau',
 'CASE WHEN bdc_refuse.bdc_id IS NULL THEN CAST(0 AS BINARY) ELSE CAST(1 AS BINARY) END AS refus',
 'bdc_refuse.raison_refus',
 'CONCAT(ur.nom,' ',ur.prenom) AS refuseur',
 'ur.id AS refuseur_id',
 'CONCAT(uvr.email_nom,'@',e_uvr.domaine) AS refuseur_email',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.nom,' ',uvr.prenom)
 ELSE CONCAT(uvrp.nom,' ',uvrp.prenom)
 END
 AS responsable_qui_valide',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN uvr.id
 ELSE uvrp.id
 END
 AS responsable_qui_valide_id',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.email_nom,'@',e_uvr.domaine)
 ELSE CONCAT(uvrp.email_nom,'@',e_uvrp.domaine)
 END
 AS responsable_email',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS responsable_a_valide',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_responsable.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_responsable',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.nom,' ',uve.prenom)
 ELSE CONCAT(u_elu.nom,' ',u_elu.prenom)
 END
 AS elu_qui_valide',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN (SELECT uve.id)
 ELSE (SELECT u_elu.id)
 END
 AS elu_qui_valide_id',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.email_nom,'@',e_uve.domaine)
 ELSE CONCAT(u_elu.email_nom,'@',e_u_elu.domaine)
 END
 AS elu_email',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS elu_a_valide',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_elu.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_elu',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.nom,' ',uvc.prenom)
 ELSE
 (SELECT CONCAT(urc.nom,' ',urc.prenom) FROM utilisateur AS urc JOIN pole ON pole.responsable_id = urc.id WHERE pole.nom LIKE 'Pôle Ressources')
 END
 AS compta_qui_valide',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN (SELECT uvc.id)
 ELSE
 (SELECT urc.id FROM utilisateur AS urc JOIN pole ON pole.responsable_id = urc.id WHERE pole.nom LIKE 'Pôle Ressources')
 END
 AS compta_qui_valide_id',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.email_nom,'@',e_uvc.domaine)
 ELSE
 (SELECT CONCAT(urc.email_nom,'@',e_urc.domaine) FROM utilisateur AS urc
 JOIN pole ON pole.responsable_id = urc.id
 JOIN email_domaine AS e_urc ON urc.email_domaine_id = e_urc.id
 WHERE pole.nom LIKE 'Pôle Ressources') 
 END
 AS compta_email',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS compta_a_valide',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_comptabilite.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_compta',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS dirigeant_a_valide',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.nom,' ',uvd.prenom)
 ELSE NULL
 END
 AS dirigeant_qui_a_valide',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN (SELECT uvd.id)
 ELSE NULL
 END
 AS dirigeant_qui_a_valide_id',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.email_nom,'@',e_uvd.domaine)
 ELSE NULL
 END
 AS dirigeant_email',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_dirigeant.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_dirigeant'
 );
 $where = array('b.id' => $bdc_id);

 $this->db->select($select);
 $this->db->from('bon_de_commande AS b');
 $this->db->join('utilisateur AS u', 'b.demandeur_id = u.id');
 $this->db->join('email_domaine AS e', 'u.email_domaine_id = e.id');
 $this->db->join('pole AS p', 'b.pole_concerne_id = p.id');
 $this->db->join('bdc_origine_besoin_courant AS ob', 'ob.bdc_id = b.id', 'left');
 $this->db->join('bdc_origine_interservices AS oi', 'oi.bdc_id = b.id', 'left');
 $this->db->join('demande_interservices', 'oi.demande_interservices_id = demande_interservices.id', 'left');
 $this->db->join('utilisateur AS uis', 'demande_interservices.utilisateur_id = uis.id', 'left');
 $this->db->join('bdc_origine_autre AS oa', 'oa.bdc_id = b.id', 'left');
 $this->db->join('bdc_associe_elu', 'bdc_associe_elu.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS u_elu', 'bdc_associe_elu.elu_id = u_elu.id', 'left');
 $this->db->join('email_domaine AS e_u_elu', 'u_elu.email_domaine_id = e_u_elu.id', 'left');
 $this->db->join('bdc_code', 'bdc_code.bdc_id = b.id', 'left');
 $this->db->join('bdc_devis_choisi', 'bdc_devis_choisi.bdc_id = b.id');
 $this->db->join('devis AS d', 'bdc_devis_choisi.devis_id = d.id');
 $this->db->join('bdc_niveau_validation', 'bdc_niveau_validation.bdc_id = b.id');
 $this->db->join('bdc_refuse', 'bdc_refuse.bdc_id = b.id', 'left');
 $this->db->join('bdc_valide_par_commission', 'bdc_valide_par_commission.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvcm', 'bdc_valide_par_commission.elu_id = uvcm.id', 'left');
 $this->db->join('bdc_valide_par_comptabilite', 'bdc_valide_par_comptabilite.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvc', 'bdc_valide_par_comptabilite.responsable_id = uvc.id', 'left');
 $this->db->join('email_domaine AS e_uvc', 'uvc.email_domaine_id = e_uvc.id', 'left');
 $this->db->join('bdc_valide_par_elu', 'bdc_valide_par_elu.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uve', 'bdc_valide_par_elu.elu_id = uve.id', 'left');
 $this->db->join('email_domaine AS e_uve', 'uve.email_domaine_id = e_uve.id', 'left');
 $this->db->join('bdc_valide_par_responsable', 'bdc_valide_par_responsable.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvr', 'bdc_valide_par_responsable.responsable_id = uvr.id', 'left');
 $this->db->join('email_domaine AS e_uvr', 'uvr.email_domaine_id = e_uvr.id', 'left');
 $this->db->join('utilisateur AS uvrp', 'p.responsable_id = uvrp.id', 'left');
 $this->db->join('email_domaine AS e_uvrp', 'uvrp.email_domaine_id = e_uvrp.id', 'left');
 $this->db->join('bdc_valide_par_dirigeant', 'bdc_valide_par_dirigeant.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvd', 'bdc_valide_par_dirigeant.dirigeant_id = uvd.id', 'left');
 $this->db->join('email_domaine AS e_uvd', 'uvd.email_domaine_id = e_uvd.id', 'left');
 $this->db->join('utilisateur AS ur', 'bdc_refuse.refuseur_id = ur.id', 'left');
 $this->db->join('email_domaine AS e_ur', 'ur.email_domaine_id = e_ur.id', 'left');
 $this->db->where($where);
 $query = $this->db->get();


The problem is in this line (in the error message):



`CASE WHEN bdc_valide_par_responsable`.`bdc_id IS NOT NULL THEN uvr`.`id ELSE uvrp`.`id END` AS `responsable_qui_valide_id`,


As you can see, CodeIgniter inserts the small apostrophe ` to prevent SQL injection, but not always. And in this case, the apostrophes are not well inserted and it causes a wrong query.



The strange thing is, when I replace the conditions in the bad CASE by this one:



THEN CONCAT(uvr.id)


or by:



THEN (SELECT uvr.id)


No more syntax error ...



What's happening? Is there a better way to write the query with CodeIgniter?






mysql codeigniter case sql-injection







share|improve this question
















My problem is very specific, and I couldn't find any information to help me. Here it is:



I use MySQL mariadb-10.2.3 and CodeIgniter 3, and have a problem in a query because CodeIgniter failed trying to protect against SQL injection:



You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '.`id END` AS `responsable_qui_valide_id`, CASE WHEN bdc_valide_par_responsable.b' at line 13

SELECT `b`.`id`, CONCAT(u.nom,' ',u.prenom) AS demandeur, 
CONCAT(u.email_nom,'@',e.domaine) AS demandeur_email, 
DATE_FORMAT(b.horodateur, "%d/%m/%Y") AS horodateur, 
`p`.`nom` AS `direction_concernee`, 
`b`.`expression_besoin` AS `expression`, 
CASE 
 WHEN oa.bdc_id IS NOT NULL 
 THEN oa.explication 
 ELSE 
 CASE 
 WHEN oi.bdc_id IS NOT NULL 
 THEN CONCAT('Demande Interservices - Dossier n°',oi.demande_interservices_id,' de ',CONCAT(uis.nom,' ',uis.prenom)) 
 ELSE 'Entretien ou besoin courant' 
 END 
END AS origine, 
CONCAT(u_elu.nom,' ',u_elu.prenom) AS elu_associe_au_bdc, 
`bdc_code`.`code_famille`, 
`bdc_code`.`imputation`, 
`d`.`id` AS `num_devis_choisi`, 
`d`.`fournisseur` AS `fournisseur_devis_choisi`, 
`d`.`devis`, CONCAT(d.montant,'€') AS montant_devis_choisi, 
CASE d.marche 
 WHEN 1 
 THEN '(Marché)' 
 ELSE NULL 
END AS marche, `bdc_devis_choisi`.`raison_choix` AS `choix`, 
`bdc_niveau_validation`.`niveau`, 
CASE 
 WHEN bdc_refuse.bdc_id IS NULL 
 THEN CAST(0 AS BINARY) 
 ELSE CAST(1 AS BINARY) 
END AS refus, 
`bdc_refuse`.`raison_refus`, 
CONCAT(ur.nom,' ',ur.prenom) AS refuseur, 
`ur`.`id` AS `refuseur_id`, 
CONCAT(uvr.email_nom,'@',e_uvr.domaine) AS refuseur_email, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.nom,' ',uvr.prenom) 
 ELSE CONCAT(uvrp.nom,' ',uvrp.prenom) 
END AS responsable_qui_valide, 
`CASE WHEN bdc_valide_par_responsable`.`bdc_id IS NOT NULL THEN uvr`.`id ELSE uvrp`.`id END` AS `responsable_qui_valide_id`, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.email_nom,'@',e_uvr.domaine) 
 ELSE CONCAT(uvrp.email_nom,'@',e_uvrp.domaine) 
END AS responsable_email, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS responsable_a_valide, 
CASE 
 WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_responsable.date_validation, "%d/%m/%Y") 
 ELSE NULL END AS date_validation_responsable, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.nom,' ',uve.prenom) 
 ELSE CONCAT(u_elu.nom,' ',u_elu.prenom) 
END AS elu_qui_valide, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.email_nom,'@',e_uve.domaine) 
 ELSE CONCAT(u_elu.email_nom,'@',e_u_elu.domaine) 
END AS elu_email, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS elu_a_valide, 
CASE 
 WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_elu.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_elu, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.nom,' ',uvc.prenom) 
 ELSE 
 (SELECT CONCAT(urc.nom,' ',urc.prenom) 
 FROM utilisateur AS urc 
 JOIN pole ON pole.responsable_id = urc.id 
 WHERE pole.nom LIKE 'Pôle Ressources') 
END AS compta_qui_valide, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.email_nom,'@',e_uvc.domaine) 
 ELSE 
 (SELECT CONCAT(urc.email_nom,'@',e_urc.domaine) 
 FROM utilisateur AS urc 
 JOIN pole ON pole.responsable_id = urc.id 
 JOIN email_domaine AS e_urc ON urc.email_domaine_id = e_urc.id 
 WHERE pole.nom LIKE 'Pôle Ressources') 
END AS compta_email, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS compta_a_valide, 
CASE 
 WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_comptabilite.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_compta, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY) 
 ELSE CAST(0 AS BINARY) 
END AS dirigeant_a_valide, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.nom,' ',uvd.prenom) 
 ELSE NULL 
END AS dirigeant_qui_a_valide, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.email_nom,'@',e_uvd.domaine)
 ELSE NULL 
END AS dirigeant_email, 
CASE 
 WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_dirigeant.date_validation, "%d/%m/%Y") 
 ELSE NULL 
END AS date_validation_dirigeant 
FROM `bon_de_commande` AS `b` 
JOIN `utilisateur` AS `u` ON `b`.`demandeur_id` = `u`.`id` 
JOIN `email_domaine` AS `e` ON `u`.`email_domaine_id` = `e`.`id` 
JOIN `pole` AS `p` ON `b`.`pole_concerne_id` = `p`.`id` 
LEFT JOIN `bdc_origine_besoin_courant` AS `ob` ON `ob`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_origine_interservices` AS `oi` ON `oi`.`bdc_id` = `b`.`id` 
LEFT JOIN `demande_interservices` ON `oi`.`demande_interservices_id` = `demande_interservices`.`id` 
LEFT JOIN `utilisateur` AS `uis` ON `demande_interservices`.`utilisateur_id` = `uis`.`id` 
LEFT JOIN `bdc_origine_autre` AS `oa` ON `oa`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_associe_elu` ON `bdc_associe_elu`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `u_elu` ON `bdc_associe_elu`.`elu_id` = `u_elu`.`id` 
LEFT JOIN `email_domaine` AS `e_u_elu` ON `u_elu`.`email_domaine_id` = `e_u_elu`.`id` 
LEFT JOIN `bdc_code` ON `bdc_code`.`bdc_id` = `b`.`id` 
JOIN `bdc_devis_choisi` ON `bdc_devis_choisi`.`bdc_id` = `b`.`id` 
JOIN `devis` AS `d` ON `bdc_devis_choisi`.`devis_id` = `d`.`id` 
JOIN `bdc_niveau_validation` ON `bdc_niveau_validation`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_refuse` ON `bdc_refuse`.`bdc_id` = `b`.`id` 
LEFT JOIN `bdc_valide_par_commission` ON `bdc_valide_par_commission`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvcm` ON `bdc_valide_par_commission`.`elu_id` = `uvcm`.`id` 
LEFT JOIN `bdc_valide_par_comptabilite` ON `bdc_valide_par_comptabilite`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvc` ON `bdc_valide_par_comptabilite`.`responsable_id` = `uvc`.`id` 
LEFT JOIN `email_domaine` AS `e_uvc` ON `uvc`.`email_domaine_id` = `e_uvc`.`id` 
LEFT JOIN `bdc_valide_par_elu` ON `bdc_valide_par_elu`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uve` ON `bdc_valide_par_elu`.`elu_id` = `uve`.`id` 
LEFT JOIN `email_domaine` AS `e_uve` ON `uve`.`email_domaine_id` = `e_uve`.`id` 
LEFT JOIN `bdc_valide_par_responsable` ON `bdc_valide_par_responsable`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvr` ON `bdc_valide_par_responsable`.`responsable_id` = `uvr`.`id` 
LEFT JOIN `email_domaine` AS `e_uvr` ON `uvr`.`email_domaine_id` = `e_uvr`.`id` 
LEFT JOIN `utilisateur` AS `uvrp` ON `p`.`responsable_id` = `uvrp`.`id` 
LEFT JOIN `email_domaine` AS `e_uvrp` ON `uvrp`.`email_domaine_id` = `e_uvrp`.`id` 
LEFT JOIN `bdc_valide_par_dirigeant` ON `bdc_valide_par_dirigeant`.`bdc_id` = `b`.`id` 
LEFT JOIN `utilisateur` AS `uvd` ON `bdc_valide_par_dirigeant`.`dirigeant_id` = `uvd`.`id` 
LEFT JOIN `email_domaine` AS `e_uvd` ON `uvd`.`email_domaine_id` = `e_uvd`.`id` 
LEFT JOIN `utilisateur` AS `ur` ON `bdc_refuse`.`refuseur_id` = `ur`.`id` 
LEFT JOIN `email_domaine` AS `e_ur` ON `ur`.`email_domaine_id` = `e_ur`.`id` 
WHERE `b`.`id` = 1


And the original code in my PHP file is:



$select = array(
 'b.id',
 'CONCAT(u.nom,' ',u.prenom) AS demandeur',
 'CONCAT(u.email_nom,'@',e.domaine) AS demandeur_email',
 'DATE_FORMAT(b.horodateur, "%d/%m/%Y") AS horodateur',
 'p.nom AS direction_concernee',
 'b.expression_besoin AS expression',
 'CASE WHEN oa.bdc_id IS NOT NULL 
 THEN oa.explication 
 ELSE 
 CASE WHEN oi.bdc_id IS NOT NULL 
 THEN CONCAT('Demande Interservices - Dossier n°',oi.demande_interservices_id,' de ',CONCAT(uis.nom,' ',uis.prenom))
 ELSE 'Entretien ou besoin courant' 
 END 
 END 
 AS origine',
 'CONCAT(u_elu.nom,' ',u_elu.prenom) AS elu_associe_au_bdc',
 'bdc_code.code_famille',
 'bdc_code.imputation',
 'd.id AS num_devis_choisi',
 'd.fournisseur AS fournisseur_devis_choisi',
 'd.devis',
 'CONCAT(d.montant,'€') AS montant_devis_choisi',
 'CASE d.marche WHEN 1 THEN '(Marché)' ELSE NULL END AS marche',
 'bdc_devis_choisi.raison_choix AS choix',
 'bdc_niveau_validation.niveau',
 'CASE WHEN bdc_refuse.bdc_id IS NULL THEN CAST(0 AS BINARY) ELSE CAST(1 AS BINARY) END AS refus',
 'bdc_refuse.raison_refus',
 'CONCAT(ur.nom,' ',ur.prenom) AS refuseur',
 'ur.id AS refuseur_id',
 'CONCAT(uvr.email_nom,'@',e_uvr.domaine) AS refuseur_email',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.nom,' ',uvr.prenom)
 ELSE CONCAT(uvrp.nom,' ',uvrp.prenom)
 END
 AS responsable_qui_valide',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN uvr.id
 ELSE uvrp.id
 END
 AS responsable_qui_valide_id',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CONCAT(uvr.email_nom,'@',e_uvr.domaine)
 ELSE CONCAT(uvrp.email_nom,'@',e_uvrp.domaine)
 END
 AS responsable_email',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS responsable_a_valide',
 'CASE WHEN bdc_valide_par_responsable.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_responsable.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_responsable',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.nom,' ',uve.prenom)
 ELSE CONCAT(u_elu.nom,' ',u_elu.prenom)
 END
 AS elu_qui_valide',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN (SELECT uve.id)
 ELSE (SELECT u_elu.id)
 END
 AS elu_qui_valide_id',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CONCAT(uve.email_nom,'@',e_uve.domaine)
 ELSE CONCAT(u_elu.email_nom,'@',e_u_elu.domaine)
 END
 AS elu_email',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS elu_a_valide',
 'CASE WHEN bdc_valide_par_elu.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_elu.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_elu',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.nom,' ',uvc.prenom)
 ELSE
 (SELECT CONCAT(urc.nom,' ',urc.prenom) FROM utilisateur AS urc JOIN pole ON pole.responsable_id = urc.id WHERE pole.nom LIKE 'Pôle Ressources')
 END
 AS compta_qui_valide',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN (SELECT uvc.id)
 ELSE
 (SELECT urc.id FROM utilisateur AS urc JOIN pole ON pole.responsable_id = urc.id WHERE pole.nom LIKE 'Pôle Ressources')
 END
 AS compta_qui_valide_id',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CONCAT(uvc.email_nom,'@',e_uvc.domaine)
 ELSE
 (SELECT CONCAT(urc.email_nom,'@',e_urc.domaine) FROM utilisateur AS urc
 JOIN pole ON pole.responsable_id = urc.id
 JOIN email_domaine AS e_urc ON urc.email_domaine_id = e_urc.id
 WHERE pole.nom LIKE 'Pôle Ressources') 
 END
 AS compta_email',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS compta_a_valide',
 'CASE WHEN bdc_valide_par_comptabilite.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_comptabilite.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_compta',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CAST(1 AS BINARY)
 ELSE CAST(0 AS BINARY)
 END
 AS dirigeant_a_valide',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.nom,' ',uvd.prenom)
 ELSE NULL
 END
 AS dirigeant_qui_a_valide',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN (SELECT uvd.id)
 ELSE NULL
 END
 AS dirigeant_qui_a_valide_id',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN CONCAT(uvd.email_nom,'@',e_uvd.domaine)
 ELSE NULL
 END
 AS dirigeant_email',
 'CASE WHEN bdc_valide_par_dirigeant.bdc_id IS NOT NULL 
 THEN DATE_FORMAT(bdc_valide_par_dirigeant.date_validation, "%d/%m/%Y")
 ELSE NULL
 END
 AS date_validation_dirigeant'
 );
 $where = array('b.id' => $bdc_id);

 $this->db->select($select);
 $this->db->from('bon_de_commande AS b');
 $this->db->join('utilisateur AS u', 'b.demandeur_id = u.id');
 $this->db->join('email_domaine AS e', 'u.email_domaine_id = e.id');
 $this->db->join('pole AS p', 'b.pole_concerne_id = p.id');
 $this->db->join('bdc_origine_besoin_courant AS ob', 'ob.bdc_id = b.id', 'left');
 $this->db->join('bdc_origine_interservices AS oi', 'oi.bdc_id = b.id', 'left');
 $this->db->join('demande_interservices', 'oi.demande_interservices_id = demande_interservices.id', 'left');
 $this->db->join('utilisateur AS uis', 'demande_interservices.utilisateur_id = uis.id', 'left');
 $this->db->join('bdc_origine_autre AS oa', 'oa.bdc_id = b.id', 'left');
 $this->db->join('bdc_associe_elu', 'bdc_associe_elu.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS u_elu', 'bdc_associe_elu.elu_id = u_elu.id', 'left');
 $this->db->join('email_domaine AS e_u_elu', 'u_elu.email_domaine_id = e_u_elu.id', 'left');
 $this->db->join('bdc_code', 'bdc_code.bdc_id = b.id', 'left');
 $this->db->join('bdc_devis_choisi', 'bdc_devis_choisi.bdc_id = b.id');
 $this->db->join('devis AS d', 'bdc_devis_choisi.devis_id = d.id');
 $this->db->join('bdc_niveau_validation', 'bdc_niveau_validation.bdc_id = b.id');
 $this->db->join('bdc_refuse', 'bdc_refuse.bdc_id = b.id', 'left');
 $this->db->join('bdc_valide_par_commission', 'bdc_valide_par_commission.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvcm', 'bdc_valide_par_commission.elu_id = uvcm.id', 'left');
 $this->db->join('bdc_valide_par_comptabilite', 'bdc_valide_par_comptabilite.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvc', 'bdc_valide_par_comptabilite.responsable_id = uvc.id', 'left');
 $this->db->join('email_domaine AS e_uvc', 'uvc.email_domaine_id = e_uvc.id', 'left');
 $this->db->join('bdc_valide_par_elu', 'bdc_valide_par_elu.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uve', 'bdc_valide_par_elu.elu_id = uve.id', 'left');
 $this->db->join('email_domaine AS e_uve', 'uve.email_domaine_id = e_uve.id', 'left');
 $this->db->join('bdc_valide_par_responsable', 'bdc_valide_par_responsable.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvr', 'bdc_valide_par_responsable.responsable_id = uvr.id', 'left');
 $this->db->join('email_domaine AS e_uvr', 'uvr.email_domaine_id = e_uvr.id', 'left');
 $this->db->join('utilisateur AS uvrp', 'p.responsable_id = uvrp.id', 'left');
 $this->db->join('email_domaine AS e_uvrp', 'uvrp.email_domaine_id = e_uvrp.id', 'left');
 $this->db->join('bdc_valide_par_dirigeant', 'bdc_valide_par_dirigeant.bdc_id = b.id', 'left');
 $this->db->join('utilisateur AS uvd', 'bdc_valide_par_dirigeant.dirigeant_id = uvd.id', 'left');
 $this->db->join('email_domaine AS e_uvd', 'uvd.email_domaine_id = e_uvd.id', 'left');
 $this->db->join('utilisateur AS ur', 'bdc_refuse.refuseur_id = ur.id', 'left');
 $this->db->join('email_domaine AS e_ur', 'ur.email_domaine_id = e_ur.id', 'left');
 $this->db->where($where);
 $query = $this->db->get();


The problem is in this line (in the error message):



`CASE WHEN bdc_valide_par_responsable`.`bdc_id IS NOT NULL THEN uvr`.`id ELSE uvrp`.`id END` AS `responsable_qui_valide_id`,


As you can see, CodeIgniter inserts the small apostrophe ` to prevent SQL injection, but not always. And in this case, the apostrophes are not well inserted and it causes a wrong query.



The strange thing is, when I replace the conditions in the bad CASE by this one:



THEN CONCAT(uvr.id)


or by:



THEN (SELECT uvr.id)


No more syntax error ...



What's happening? Is there a better way to write the query with CodeIgniter?






mysql codeigniter case sql-injection




mysql codeigniter case sql-injection






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 2 days ago







Benoit Poux

















asked 2 days ago









Benoit PouxBenoit Poux

134




134












  • Which Codeignitor version are you using? Also i suspect Codeignitor escape() function not to be perfect safe against all SQL injections pretty i suspect it to be a wrapper around mysqli_real_escape_string() or a custom one that manually "escape" with regexes or string matching on Special Character Escape Sequences..

    – Raymond Nijland
    2 days ago











  • Seams iám right about this see the function escape() and internal used escape_str() ... it tracks back to a what they call a "Platform-dependent string escape" function _escape_str()

    – Raymond Nijland
    2 days ago











  • not sure where the function remove_invisible_characters() is defined. But seeing all these source code i can't say a other thing then the anti SQL injection seams to be really sloppy done in Codeigniter atleast with the escape() function.

    – Raymond Nijland
    2 days ago












  • I uses CI 3. Same impression for me, these functions must fail in the escaping, and I'm pretty sure there is no solution. Thanks for your opinion ;)

    – Benoit Poux
    2 days ago











  • "Thanks for your opinion" no problem but what i said was is no opinion atleast it was not meant as one, what i said is a fact it based on the CL 3 source code :)

    – Raymond Nijland
    2 days ago


















  • Which Codeignitor version are you using? Also i suspect Codeignitor escape() function not to be perfect safe against all SQL injections pretty i suspect it to be a wrapper around mysqli_real_escape_string() or a custom one that manually "escape" with regexes or string matching on Special Character Escape Sequences..

    – Raymond Nijland
    2 days ago











  • Seams iám right about this see the function escape() and internal used escape_str() ... it tracks back to a what they call a "Platform-dependent string escape" function _escape_str()

    – Raymond Nijland
    2 days ago











  • not sure where the function remove_invisible_characters() is defined. But seeing all these source code i can't say a other thing then the anti SQL injection seams to be really sloppy done in Codeigniter atleast with the escape() function.

    – Raymond Nijland
    2 days ago












  • I uses CI 3. Same impression for me, these functions must fail in the escaping, and I'm pretty sure there is no solution. Thanks for your opinion ;)

    – Benoit Poux
    2 days ago











  • "Thanks for your opinion" no problem but what i said was is no opinion atleast it was not meant as one, what i said is a fact it based on the CL 3 source code :)

    – Raymond Nijland
    2 days ago

















Which Codeignitor version are you using? Also i suspect Codeignitor escape() function not to be perfect safe against all SQL injections pretty i suspect it to be a wrapper around mysqli_real_escape_string() or a custom one that manually "escape" with regexes or string matching on Special Character Escape Sequences..

– Raymond Nijland
2 days ago





Which Codeignitor version are you using? Also i suspect Codeignitor escape() function not to be perfect safe against all SQL injections pretty i suspect it to be a wrapper around mysqli_real_escape_string() or a custom one that manually "escape" with regexes or string matching on Special Character Escape Sequences..

– Raymond Nijland
2 days ago













Seams iám right about this see the function escape() and internal used escape_str() ... it tracks back to a what they call a "Platform-dependent string escape" function _escape_str()

– Raymond Nijland
2 days ago





Seams iám right about this see the function escape() and internal used escape_str() ... it tracks back to a what they call a "Platform-dependent string escape" function _escape_str()

– Raymond Nijland
2 days ago













not sure where the function remove_invisible_characters() is defined. But seeing all these source code i can't say a other thing then the anti SQL injection seams to be really sloppy done in Codeigniter atleast with the escape() function.

– Raymond Nijland
2 days ago






not sure where the function remove_invisible_characters() is defined. But seeing all these source code i can't say a other thing then the anti SQL injection seams to be really sloppy done in Codeigniter atleast with the escape() function.

– Raymond Nijland
2 days ago














I uses CI 3. Same impression for me, these functions must fail in the escaping, and I'm pretty sure there is no solution. Thanks for your opinion ;)

– Benoit Poux
2 days ago





I uses CI 3. Same impression for me, these functions must fail in the escaping, and I'm pretty sure there is no solution. Thanks for your opinion ;)

– Benoit Poux
2 days ago













"Thanks for your opinion" no problem but what i said was is no opinion atleast it was not meant as one, what i said is a fact it based on the CL 3 source code :)

– Raymond Nijland
2 days ago






"Thanks for your opinion" no problem but what i said was is no opinion atleast it was not meant as one, what i said is a fact it based on the CL 3 source code :)

– Raymond Nijland
2 days ago













0






active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55281260%2fwhy-does-codeigniter-escape-wrongly-some-elements-of-the-query-when-i-use-case%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55281260%2fwhy-does-codeigniter-escape-wrongly-some-elements-of-the-query-when-i-use-case%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

SQL error code 1064 with creating Laravel foreign keysForeign key constraints: When to use ON UPDATE and ON DELETEDropping column with foreign key Laravel error: General error: 1025 Error on renameLaravel SQL Can't create tableLaravel Migration foreign key errorLaravel php artisan migrate:refresh giving a syntax errorSQLSTATE[42S01]: Base table or view already exists or Base table or view already exists: 1050 Tableerror in migrating laravel file to xampp serverSyntax error or access violation: 1064:syntax to use near 'unsigned not null, modelName varchar(191) not null, title varchar(191) not nLaravel cannot create new table field in mysqlLaravel 5.7:Last migration creates table but is not registered in the migration table

Image
Does a multiclassed wizard start with a spellbook? Minimizing medical costs with HSA Boss has banned cycling to work because he thinks it's unsafe Is there a typical layout to blocking installed for backing in new construction framing? In the Seventh Seal why does Death let the chess game happen? Why has Novell never written its own boot loader? Should I warn my boss I might take sick leave Why is the saxophone not common in classical repertoire? Is it possible to spoof an IP address to an exact number? Motorcyle Chain needs to be cleaned every time you lube it? Bypass with wrong cvv of debit card and getting OTP Do we have a much compact and generalized version of erase–remove idiom? how can i make this execution plan more efficient? Why did moving the mouse cursor cause Windows 95 to run more quickly? What's the big deal about the Nazgûl losing their horses? Has chattel slavery ever been used as a criminal punishment in the USA since the passag...
Read more

용인 삼성생명 블루밍스 목차 통계 역대 감독 선수단 응원단 경기장 같이 보기 외부 링크 둘러보기 메뉴samsungblueminx.comeh선수 명단용인 삼성생명 블루밍스용인 삼성생명 블루밍스ehsamsungblueminx.comeheheheh

Image
수원 삼성생명 비추미광주 신세계 쿨캣수원 삼성생명 비추미안산 신한은행 에스버드안산 신한은행 에스버드안산 신한은행 에스버드춘천 우리은행 한새춘천 우리은행 한새춘천 우리은행 한새춘천 우리은행 한새아산 우리은행 위비아산 우리은행 위비청주 KB 스타즈 한국 여자 농구 연맹 팀1977년 설립...
Read more

155 수학 과학 기타 둘러보기 메뉴eh추가해eh문서를 완성해

Image
0123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369...
Read more