Codeigniter Escaping Periods in Query

Developer https://www.devze.com 2023-04-12 03:47 Source: web

I have this bit that I'm using to search IP addresses in a database.

$this->db->where("IP1='$ip' OR IP2='$ip'");

When I use it, it is escaping the periods in the IP addresses and breaking the query by producing this:

SELECT * FROM (`xxxx`) WHERE `IP1='111`.`111`.`111`.`111'` 

I want it to produce:

SELECT * FROM (`xxxx`) WHERE IP1='111.111.111.111' OR IP2 = '111.111.111.111'

Thank you!


From the documentation:

"$this->db->where() accepts an optional third parameter. If you set it to FALSE, CodeIgniter will not try to protect your field or table names with back-ticks."

$this->db->where('MATCH (field) AGAINST ("value")', NULL, FALSE);

You'd better make sure that you are sanitizing your variables if you do it this way.


This looks like a bug in the where helper. According to the documentation, you can include an optional third parameter of FALSE to stop CodeIgniter from escaping your table/field names:

$this->db->where("IP1='$ip' OR IP2='$ip'", NULL, FALSE);
//                                       ^^^^^^^^^^^^^ add this

However, if $ip comes from user input you will no longer be protected from SQL injection in this query.

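The safer alternative both answers hint at, as an added example (not code from the question or the answers): keep CodeIgniter's value escaping and avoid the third-parameter FALSE entirely by passing the column and the value separately, or by using query bindings. It assumes CodeIgniter 2.x/3.x Active Record inside a model, and the table name `xxxx` is the placeholder from the question.

```php
<?php
// Added example; not from the original question or answers.
// Assumes CodeIgniter 2.x/3.x Active Record ($this->db) inside a model.
// The table name `xxxx` is the placeholder used in the question.

class Ip_model extends CI_Model
{
    // Reject anything that is not a syntactically valid IPv4/IPv6 address
    // before it gets anywhere near SQL; a malformed value never reaches the query.
    public function is_valid_ip($ip)
    {
        return filter_var($ip, FILTER_VALIDATE_IP) !== false;
    }

    // Safe form of the query from the question. Passing the value as the
    // second argument makes CodeIgniter escape the value while leaving the
    // column name alone, so the periods in the IP are never back-ticked and
    // the third-parameter FALSE (which disables protection) is not needed.
    public function find_by_ip($ip)
    {
        if (!$this->is_valid_ip($ip)) {
            return array();
        }
        $this->db->where('IP1', $ip);
        $this->db->or_where('IP2', $ip);
        return $this->db->get('xxxx')->result_array();
    }

    // Equivalent using query bindings: each ? is replaced with the escaped value.
    public function find_by_ip_bound($ip)
    {
        if (!$this->is_valid_ip($ip)) {
            return array();
        }
        $sql = 'SELECT * FROM `xxxx` WHERE `IP1` = ? OR `IP2` = ?';
        return $this->db->query($sql, array($ip, $ip))->result_array();
    }
}
```

Both methods produce `WHERE IP1 = '111.111.111.111' OR IP2 = '111.111.111.111'` for a valid address and return nothing for input that is not an IP, so untrusted input never reaches an unescaped query string.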
