Queries

Query Basics

Regular Queries

To submit a query, use the query function:

  1. $db->query('YOUR QUERY HERE');

The query() function returns a database result object when “read”type queries are run which you can use to show yourresults. When “write” type queries are run it simplyreturns TRUE or FALSE depending on success or failure. When retrievingdata you will typically assign the query to your own variable, likethis:

  1. $query = $db->query('YOUR QUERY HERE');

Simplified Queries

The simpleQuery method is a simplified version of the$db->query() method. It DOESNOT return a database result set, nor does it set the query timer, orcompile bind data, or store your query for debugging. It simply lets yousubmit a query. Most users will rarely use this function.

It returns whatever the database drivers’ “execute” function returns.That typically is TRUE/FALSE on success or failure for write type queriessuch as INSERT, DELETE or UPDATE statements (which is what it reallyshould be used for) and a resource/object on success for queries withfetchable results.

  1. if ($db->simpleQuery('YOUR QUERY'))
  2. {
  3. echo "Success!";
  4. }
  5. else
  6. {
  7. echo "Query failed!";
  8. }

Note

PostgreSQL’s pg_exec() function (for example) alwaysreturns a resource on success even for write type queries.So keep that in mind if you’re looking for a boolean value.

Working with Database prefixes manually

If you have configured a database prefix and would like to prepend it toa table name for use in a native SQL query for example, then you can usethe following:

  1. $db->prefixTable('tablename'); // outputs prefix_tablename

If for any reason you would like to change the prefix programmaticallywithout needing to create a new connection you can use this method:

  1. $db->setPrefix('newprefix');
  2. $db->prefixTable('tablename'); // outputs newprefix_tablename

You can get the current prefix any time with this method:

  1. $DBPrefix = $db->getPrefix();

Protecting identifiers

In many databases, it is advisable to protect table and field names - forexample with backticks in MySQL. Query Builder queries areautomatically protected, but if you need to manually protect anidentifier you can use:

  1. $db->protectIdentifiers('table_name');

Important

Although the Query Builder will try its best to properlyquote any field and table names that you feed it. Note that itis NOT designed to work with arbitrary user input. DO NOT feed itwith unsanitized user data.

This function will also add a table prefix to your table, assuming youhave a prefix specified in your database config file. To enable theprefixing set TRUE (boolean) via the second parameter:

  1. $db->protectIdentifiers('table_name', TRUE);

Escaping Queries

It’s a very good security practice to escape your data before submittingit into your database. CodeIgniter has three methods that help you dothis:

  • $db->escape() This function determines the data type sothat it can escape only string data. It also automatically addssingle quotes around the data so you don’t have to:
  1. $sql = "INSERT INTO table (title) VALUES(".$db->escape($title).")";
  • $db->escapeString() This function escapes the data passed toit, regardless of type. Most of the time you’ll use the abovefunction rather than this one. Use the function like this:
  1. $sql = "INSERT INTO table (title) VALUES('".$db->escapeString($title)."')";
  • $db->escapeLikeString() This method should be used whenstrings are to be used in LIKE conditions so that LIKE wildcards(‘%’, ‘_’) in the string are also properly escaped.
  1. $search = '20% raise';
  2. $sql = "SELECT id FROM table WHERE column LIKE '%" .
  3. $db->escapeLikeString($search)."%' ESCAPE '!'";

Important

The escapeLikeString() method uses ‘!’ (exclamation mark)to escape special characters for LIKE conditions. Because thismethod escapes partial strings that you would wrap in quotesyourself, it cannot automatically add the ESCAPE '!'condition for you, and so you’ll have to manually do that.

Query Bindings

Bindings enable you to simplify your query syntax by letting the systemput the queries together for you. Consider the following example:

  1. $sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
  2. $db->query($sql, [3, 'live', 'Rick']);

The question marks in the query are automatically replaced with thevalues in the array in the second parameter of the query function.

Binding also work with arrays, which will be transformed to IN sets:

  1. $sql = "SELECT * FROM some_table WHERE id IN ? AND status = ? AND author = ?";
  2. $db->query($sql, [[3, 6], 'live', 'Rick']);

The resulting query will be:

  1. SELECT * FROM some_table WHERE id IN (3,6) AND status = 'live' AND author = 'Rick'

The secondary benefit of using binds is that the values areautomatically escaped producing safer queries.You don’t have to remember to manually escape data — the engine does it automatically for you.

Named Bindings

Instead of using the question mark to mark the location of the bound values,you can name the bindings, allowing the keys of the values passed in to matchplaceholders in the query:

  1. $sql = "SELECT * FROM some_table WHERE id = :id: AND status = :status: AND author = :name:";
  2. $db->query($sql, [
  3. 'id' => 3,
  4. 'status' => 'live',
  5. 'name' => 'Rick'
  6. ]);

Note

Each name in the query MUST be surrounded by colons.

Handling Errors

$db->error();

If you need to get the last error that has occurred, the error() methodwill return an array containing its code and message. Here’s a quickexample:

  1. if ( ! $db->simpleQuery('SELECT `example_field` FROM `example_table`'))
  2. {
  3. $error = $db->error(); // Has keys 'code' and 'message'
  4. }

Prepared Queries

Most database engines support some form of prepared statements, that allow you to prepare a query once, and then runthat query multiple times with new sets of data. This eliminates the possibility of SQL injection since the data ispassed to the database in a different format than the query itself. When you need to run the same query multiple timesit can be quite a bit faster, too. However, to use it for every query can have major performance hits, since you’re callingout to the database twice as often. Since the Query Builder and Database connections already handle escaping the datafor you, the safety aspect is already taken care of for you. There will be times, though, when you need to abilityto optimize the query by running a prepared statement, or prepared query.

Preparing the Query

This can be easily done with the prepare() method. This takes a single parameter, which is a Closure that returnsa query object. Query objects are automatically generated by any of the “final” type queries, including insert,update, delete, replace, and get. This is handled the easiest by using the Query Builder torun a query. The query is not actually run, and the values don’t matter since they’re never applied, acting insteadas placeholders. This returns a PreparedQuery object:

  1. $pQuery = $db->prepare(function($db)
  2. {
  3. return $db->table('user')
  4. ->insert([
  5. 'name' => 'x',
  6. 'email' => 'y',
  7. 'country' => 'US'
  8. ]);
  9. });

If you don’t want to use the Query Builder you can create the Query object manually using question marks forvalue placeholders:

  1. use CodeIgniter\Database\Query;
  2.  
  3. $pQuery = $db->prepare(function($db)
  4. {
  5. $sql = "INSERT INTO user (name, email, country) VALUES (?, ?, ?)";
  6.  
  7. return (new Query($db))->setQuery($sql);
  8. });

If the database requires an array of options passed to it during the prepare statement phase you can pass thatarray through in the second parameter:

  1. use CodeIgniter\Database\Query;
  2.  
  3. $pQuery = $db->prepare(function($db)
  4. {
  5. $sql = "INSERT INTO user (name, email, country) VALUES (?, ?, ?)";
  6.  
  7. return (new Query($db))->setQuery($sql);
  8. }, $options);

Executing the Query

Once you have a prepared query you can use the execute() method to actually run the query. You can pass in asmany variables as you need in the query parameters. The number of parameters you pass must match the number ofplaceholders in the query. They must also be passed in the same order as the placeholders appear in the originalquery:

  1. // Prepare the Query
  2. $pQuery = $db->prepare(function($db)
  3. {
  4. return $db->table('user')
  5. ->insert([
  6. 'name' => 'x',
  7. 'email' => 'y',
  8. 'country' => 'US'
  9. ]);
  10. });
  11.  
  12. // Collect the Data
  13. $name = 'John Doe';
  14. $email = 'j.doe@example.com';
  15. $country = 'US';
  16.  
  17. // Run the Query
  18. $results = $pQuery->execute($name, $email, $country);

This returns a standard result set.

Other Methods

In addition to these two primary methods, the prepared query object also has the following methods:

close()

While PHP does a pretty good job of closing all open statements with the database it’s always a good idea toclose out the prepared statement when you’re done with it:

  1. $pQuery->close();

getQueryString()

This returns the prepared query as a string.

hasError()

Returns boolean true/false if the last execute() call created any errors.

getErrorCode()**getErrorMessage()**

If any errors were encountered these methods can be used to retrieve the error code and string.

Working with Query Objects

Internally, all queries are processed and stored as instances ofCodeIgniterDatabaseQuery. This class is responsible for bindingthe parameters, otherwise preparing the query, and storing performancedata about its query.

getLastQuery()

When you just need to retrieve the last Query object, use thegetLastQuery() method:

  1. $query = $db->getLastQuery();
  2. echo (string)$query;

The Query Class

Each query object stores several pieces of information about the query itself.This is used, in part, by the Timeline feature, but is available for your useas well.

getQuery()

Returns the final query after all processing has happened. This is the exactquery that was sent to the database:

  1. $sql = $query->getQuery();

This same value can be retrieved by casting the Query object to a string:

  1. $sql = (string)$query;

getOriginalQuery()

Returns the raw SQL that was passed into the object. This will not have anybinds in it, or prefixes swapped out, etc:

  1. $sql = $query->getOriginalQuery();

hasError()

If an error was encountered during the execution of this query this methodwill return true:

  1. if ($query->hasError())
  2. {
  3. echo 'Code: '. $query->getErrorCode();
  4. echo 'Error: '. $query->getErrorMessage();
  5. }

isWriteType()

Returns true if the query was determined to be a write-type query (i.e.INSERT, UPDATE, DELETE, etc):

  1. if ($query->isWriteType())
  2. {
  3. ... do something
  4. }

swapPrefix()

Replaces one table prefix with another value in the final SQL. The firstparameter is the original prefix that you want replaced, and the secondparameter is the value you want it replaced with:

  1. $sql = $query->swapPrefix('ci3_', 'ci4_');

getStartTime()

Gets the time the query was executed in seconds with microseconds:

  1. $microtime = $query->getStartTime();

getDuration()

Returns a float with the duration of the query in seconds with microseconds:

  1. $microtime = $query->getDuration();