Hi everyone,
I’m having a heck of a time getting a simple CDbCriteria condition to work.
The following code will provide the results I’m expecting but is open to SQL injection:
$search = $_GET['search'];
$criteria = new CDbCriteria;
$criteria->condition="name LIKE '%$search%'";
$dataProvider=new CActiveDataProvider('Exercises', array(
'criteria'=>$criteria,
));
What I would like to do is utilize the CDbCriteria params in order to help prevent SQL injection. The code I’ve been using is below but it doesn’t return any results:
$criteria = new CDbCriteria;
$criteria->condition="name LIKE '%:search%'";
$criteria->params=array(':search'=>$search);
$dataProvider=new CActiveDataProvider('Exercises', array(
'criteria'=>$criteria,
));
I’ve also tried to set
$criteria->params[':search'] = $search
but that doesn’t work either.
Am I doing something wrong here?
Thanks,
Chris
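An added example, not part of Chris's post and not Yii code: it uses plain PDO (the layer Yii 1.1 binds `params` through) to show why a placeholder written inside quotes is never bound, and what binding the whole LIKE pattern looks like. The in-memory SQLite database, the `exercises` rows and the helper names `likeContains()` and `searchExercises()` are constructed for the illustration.

```php
<?php
// Added illustration; table contents are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE exercises (name TEXT)');
$insert = $pdo->prepare('INSERT INTO exercises (name) VALUES (?)');
$rows = array('Bench press', 'Leg press', 'Squat', '100% effort row', 'Odd :search name');
foreach ($rows as $name) {
    $insert->execute(array($name));
}

// 1) Placeholder inside quotes: the database sees the literal pattern
//    %:search% and the statement has no parameter to bind, so the
//    user's search term never reaches the comparison.
$literal = $pdo->query("SELECT name FROM exercises WHERE name LIKE '%:search%'")
               ->fetchAll(PDO::FETCH_COLUMN);

// 2) The placeholder stands for the whole value and the wildcards travel
//    inside the bound string. LIKE metacharacters in the term are escaped
//    so a search for "%" or "_" matches those characters, not every row.
function likeContains($term)
{
    $escaped = strtr($term, array('\\' => '\\\\', '%' => '\\%', '_' => '\\_'));
    return '%' . $escaped . '%';
}

function searchExercises(PDO $pdo, $term)
{
    $stmt = $pdo->prepare(
        "SELECT name FROM exercises WHERE name LIKE :search ESCAPE '\\' ORDER BY name"
    );
    $stmt->execute(array(':search' => likeContains($term)));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r($literal);                              // rows containing the text ":search"
print_r(searchExercises($pdo, 'press'));        // ordinary substring search
print_r(searchExercises($pdo, '%'));            // "%" treated as a literal character
print_r(searchExercises($pdo, "' OR '1'='1"));  // quote characters stay data
```

In CDbCriteria terms the same shape is a condition of `name LIKE :search` with the `%` characters placed in the `params` value; `CDbCriteria::addSearchCondition()` builds that pattern and escapes `%` and `_` by default.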