beNerd

Reputation: 3374

Using slashes in the where clause while comparing values in active record codeigniter

I have the following query

$query="DELETE FROM salesinvoiceitems WHERE invoiceNumber=".$this->put('invoiceNumber');

Here $this->put('invoiceNumber'); always has values like "M\34\SD". Due to the slashes in the values it doesn't work as expected.

I researched and found that mysql_escape_string can be used for this purpose, but it's deprecated now as per the manual. So what's my best bet here?

Upvotes: 0

Views: 276

Answers (4)

m4t1t0

Reputation: 5731

Why not use CodeIgniter Active Record instead? An example:

$this->db->where('invoiceNumber', $this->put('invoiceNumber'));
$this->db->delete('salesinvoiceitems');

Taken from Codeigniter documentation:

Beyond simplicity, a major benefit to using the Active Record features is that it allows you to create database independent applications, since the query syntax is generated by each database adapter. It also allows for safer queries, since the values are escaped automatically by the system.

Upvotes: 1

William Buttlicker

Reputation: 6000

Try strip slashes

$query="DELETE FROM salesinvoiceitems WHERE invoiceNumber='".($this->put('invoiceNumber')). "'";

Upvotes: 0

Nirmal Ram

Reputation: 1732

Try this

// addslashes() only escapes the value; the string literal still needs its surrounding quotes
$query="DELETE FROM salesinvoiceitems WHERE invoiceNumber='".addslashes($this->put('invoiceNumber'))."'";

Upvotes: 0

eric.itzhak

Reputation: 16072

There's a method in the activerecord called escape, so you should:

$invoice = $this->db->escape($yourVar);
$query = "DELETE FROM salesinvoiceitems WHERE invoiceNumber=$invoice";

Which will protect against SQL injection as it escapes the var.

Upvotes: 0
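The Active Record answer and the escape() answer above both rely on letting the database driver quote and escape the value. The following is an added example, not code from the question or from any of the answers: a CodeIgniter 2.x/3.x model (class name, method names and the use of affected_rows()/last_query() are my assumptions; the table and column names come from the question) showing three driver-escaped ways to run the same delete for a value such as "M\34\SD".

```php
<?php
// Added example (not from the question or any answer). Assumes the standard
// CodeIgniter $this->db object is loaded and the MySQL driver is in use.
// Table and column names are the ones from the question.

class Salesinvoiceitems_model extends CI_Model
{
    // 1. Active Record / Query Builder: the driver quotes and escapes the value,
    //    so backslashes in the invoice number reach MySQL intact.
    public function delete_by_invoice_ar($invoiceNumber)
    {
        $this->db->where('invoiceNumber', $invoiceNumber);
        $this->db->delete('salesinvoiceitems');
        return $this->db->affected_rows();
    }

    // 2. Query bindings: each ? is replaced by the escaped and quoted value.
    public function delete_by_invoice_bound($invoiceNumber)
    {
        $this->db->query(
            'DELETE FROM salesinvoiceitems WHERE invoiceNumber = ?',
            array($invoiceNumber)
        );
        return $this->db->affected_rows();
    }

    // 3. Manual escaping: $this->db->escape() returns the value already wrapped
    //    in quotes, so no quotes are added around it in the SQL string.
    public function delete_by_invoice_escaped($invoiceNumber)
    {
        $sql = 'DELETE FROM salesinvoiceitems WHERE invoiceNumber = '
             . $this->db->escape($invoiceNumber);
        $this->db->query($sql);
        return $this->db->affected_rows();
    }

    // Returns the SQL the driver actually sent, so the escaping can be checked in a log.
    public function last_sql()
    {
        return $this->db->last_query();
    }
}

// Usage from a controller (value written as a single-quoted PHP literal so the
// backslashes stay literal; in a double-quoted literal "\34" would be read by
// PHP as an octal escape before the string ever reached the database):
//   $this->load->model('salesinvoiceitems_model');
//   $deleted = $this->salesinvoiceitems_model->delete_by_invoice_ar('M\34\SD');
//   log_message('debug', $this->salesinvoiceitems_model->last_sql());
```

For the value 'M\34\SD' all three methods send MySQL a quoted literal with each backslash doubled, which MySQL reads back as the original string. The raw concatenation in the question sends WHERE invoiceNumber=M\34\SD, which is not a valid literal at all, so the statement fails before it deletes anything. Checking last_query() in the application log is the quickest way to confirm which form the driver actually produced.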
