since my last question in SO, I've been reading a bit about how to prevent sql injection and many people mentioned active records class. but when I google it, it only exists in codeigniter 2.
so my questions are:
is Query Builder Class in codeigniter 3 the upgraded version of Active Record Class or do they serve different purposes?
is it enough (in general) to use Query Builder Class methods like $this->where('field', $foo); instead of $this->where("field = '$foo'"); to prevent sql injection?
P.S. I'm using codeigniter 3 and mysql
1- ActiveRecord was in Codeigniter 2, but in Codeigniter 3 you have QueryBuilder instead. The both classes do same work for you, maybe QueryBuilder is improved version of ActiveRecord. In other frameworks like Yii2, ActiveRecord is an ORM not only query string builder but in CI was simple query builder.
2- Codeigniter will escape all passed parameters automatically but I suggest you validate your inputs before running queries. For example, the value of a numeric id field should be a number, not a string so the rule of ID input should be INTEGER.
You can see Validation in Codeigniter 3 at official documentation: https://www.codeigniter.com/userguide3/libraries/form_validation.html
All works that you should do is pass your field value as a function parameter, not as a string (field and value together). If you want to run your query without QueryBuilder, you must escape your parameters manually. You can get more information about it in Codeigniter documentation:
https://www.codeigniter.com/userguide3/database/queries.html#escaping-queries
Related
Which is the best method to use for the CodeIgniter 4 among the Model and the Query Builder class? What are the limitations of the CodeIgniter 4 Model and the Query Builder?
I searched a lot about this question. But I did not get any clear answer. For complex queries currently, I am using the Query Builder class. But I want to know what is the best method among the CodeIgniter 4 Model and the Query Builder class. Your answers are highly appreciated.
It depends on your needs and preferences.
Model class - This is used by extending the base Model class, and you can add your own functions/methods. It is not as flexible as the Query Builder, and it only has pre-defined methods.
Query Builder - Easy to build complex queries. But more room for errors if didn't handle it. Ex SQL injection if you failed to validate it properly.
I have a table with a JSON column, it's type longtext (DC2Type:json). This table has an Entity in Doctrine ORM in my Symfony project. I would like to query based on fields inside the JSON column, using the Doctrine query builder I have in a variable $qb
How do I do this? Everything I found online says to install a 3rd-party package to enable this. Is there no way to just do it with Doctrine's query builder without installing another package?
One (maybe dumb) workaround I tried was to treat the column as a string, and do...
$qb->andWhere("my_data LIKE \"%id:\\\"1,%\"");
For example, if I wanted to query the JSON column my_data to find the blobs that contain id":1, in the string. This fails with a very strange syntax error, and isn't the right way to query a JSON field anyway. HOWEVER, doing the LIKE query directly in SQL client works the way I want, so I also don't know why this is failing in Doctrine.
EDIT: This is MySQL / MariaDB.
Doctrine Query Language is pretty limited. It covers only the most basic/common SQL functions, which is enough for like 99% use cases, but not all.
If you have a MariaDB version that natively supports JSON (so 10.2 or later) you can use native functions to work with the JSON data. (If you don't then your workaround is the only option regardless, with perhaps some additional filtering in the application).
To be able to use these functions in DQL you either need to define them yourself or indeed use a third party library like scienta/doctrine-json-functions (note that it has documentation for how to use it with Symfony, and it's really simple).
If you need just a single extra function and for some reason don't want the whole bundle, you could just copy that single class and use it as your own.
Alternatively you can forgo DQL and write SQL directly, but that way you can't hydrate into objects directly and use other Doctrine magic with the data. But it can be enough for simple use cases.
In Symfony 5, using Doctrine, how can I get QueryBuilder object (instead of results) from default entity repository methods like findBy, findOneBy, findAll?
I need QueryBuilder for:
Passing it to KnpPaginator (requires specifically QueryBuilder instead of results)
Possibly extending it with additional query logic in the future
I could just write a simple query (like $em->createQuery("SELECT a FROM Article a")), but I want to have access to filtering and ordering provided by default findBy method. I think writing my own QueryBuilder with filtering/sorting by any property would be a lot of work and I'm not sure I could implement it well even if I tried.
EDIT: even though it does not answer my question exactly, I have found a solution for my 1st use case (using KnpPaginator without writing custom queries): Custom data repository pagination.
This method allows to attach pagination to any query without changing it instead of writing a new one through QueryBuilder.
Cakephp find data in controller also can with sql syntax,
example :
$this->Post->find('all');
in sql :
select * from posts
convert query to cakephp find syntax is available at http://dogmatic69.com/sql-to-cakephp-find-converter
but whether there is any link for me if I wanna convert my cakephp find to query..
Thanks in advance...
If I got what you are asking, here is the answer
SQL calls that you can’t or don’t want to make via other model
methods can be made using the model’s query() method (though this
should only rarely be necessary).
query() uses the table name in the query as the array key for the returned data, rather than the model name. For example:
$this->POST->query("SELECT* from posts;");
Here is the link for cakephp documentation
The whole persistance layer is a rather big and complex laravel component. Is there someone who has already looked at it in depth and can explain it in a few words, whats going on schematically under the hood?
Eloquent (in contrast to other ORM Layers) seems to not cache/store the Column Metadata somewhere in the application? Or does it? (In Java JPA or Doctrine this is done via Annotations, but laravel seems to not have this metadata?)
This would mean that it has to query on every request the INFORMATION_SCHEMA.COLUMNS from MySQL. Does this mean, that laravel will for every simple SQL query have to iusse two queries (the first one to get the column/table definitions?)
Will calling hasColumn on a new Instance/Facade inevitably lead to an SQL Query, just to retrieve the metadata/table-definition?
As far as i know, you are right, Eloquent does not cache or store the column metadata. But this does not mean that each query requires a second on which requests the information schema. The query builder just assumes that you know which column names are legal and creates and sends the query. This means, that if you select an unknown column, you'll get an exception! Finally hasColumn leads to an SQL query.