syntax criteria using yii framework

1

I'm having trouble performing a WHERE using criteria. I'm posting the code I'm using and the error below.

Criteria Code

$criteria->compare('id',$this->id);
$criteria->compare('data_hora',$this->data_hora,true);
$criteria->compare('arquivo',$this->arquivo,true);
$criteria->compare('caminho',$this->caminho,true);
$criteria->condition="caminho=".$_POST['busca'];

Error Generated

CDbCommand failed to execute SQL command: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/home/samba/Administracao/scordon/cdgrd/cdgrd.scp' at line 1. The SQL statement executed was: SELECT COUNT(*) FROM path t WHERE caminho=/home/samba/Administracao/scordon/cdgrd/cdgrd.scp (/opt/lampp/htdocs/yii/framework/db/CDbCommand.php:543)

asked by anonymous 17.07.2014 / 15:52

2 answers

2

You can do this:

$criteria->compare('caminho', $_POST['busca']);

In this way Yii already filters against SQL injection. In the form below (from milz's answer) the system is vulnerable to SQL injection.

$criteria->condition="caminho='".$_POST['busca']."'";
15.08.2014 / 14:52
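The two safe forms from this answer next to the vulnerable concatenation, as an added example that is not code from the question or either answer; it assumes the Yii 1.1 framework is loaded and that the model class name, the "path" table and the column names are as guessed from the question:

```php
<?php
// Added example, not code from the original question or either answer.
// Assumes the Yii 1.1 framework is loaded and an active-record model for the
// "path" table (named Caminho here; the class name is an assumption) with the
// id, data_hora, arquivo and caminho columns seen in the question.

class Caminho extends CActiveRecord
{
    public function tableName()
    {
        return 'path';
    }

    // VULNERABLE: the raw request value is pasted into the SQL text. Besides
    // the unquoted-string syntax error from the question, a value containing
    // a quote character changes the meaning of the statement.
    public function searchVulnerable($busca)
    {
        $criteria = new CDbCriteria;
        $criteria->condition = "caminho='" . $busca . "'";
        return new CActiveDataProvider($this, array('criteria' => $criteria));
    }

    // FIXED (1): compare() binds the value as a named parameter (:ycp0, ...),
    // so the driver handles quoting instead of string concatenation.
    // Caveat: compare() adds no condition at all for an empty value, and it
    // reads a leading <, >, <=, >=, <> or = in the value as the operator.
    public function searchCompare($busca)
    {
        $criteria = new CDbCriteria;
        $criteria->compare('caminho', $busca);
        return new CActiveDataProvider($this, array('criteria' => $criteria));
    }

    // FIXED (2): an explicit placeholder keeps the operator fixed and still
    // binds the value; the generated SQL is "... WHERE caminho=:busca".
    public function searchBound($busca)
    {
        $criteria = new CDbCriteria;
        $criteria->addCondition('caminho=:busca');
        $criteria->params[':busca'] = $busca;
        return new CActiveDataProvider($this, array('criteria' => $criteria));
    }
}

// Usage, e.g. in a controller action:
// $busca = isset($_POST['busca']) ? (string) $_POST['busca'] : '';
// $model = new Caminho;
// $provider = $model->searchBound($busca);
```

If the search must match the whole value exactly, searchBound is the form to prefer, since compare() also interprets operator prefixes in user input.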
1

The error appears to be a problem in WHERE, and the query that is being executed is:

SELECT COUNT(*) FROM path t WHERE caminho=/home/samba/Administracao/scordon/cdgrd/cdgrd.scp

and should be

SELECT COUNT(*) FROM path t WHERE caminho='/home/samba/Administracao/scordon/cdgrd/cdgrd.scp'

Change the condition line to:

$criteria->condition="caminho='".$_POST['busca']."'";

In this way the query should no longer produce any errors.

17.07.2014 / 16:13