diff options
author | Andrey Andreev <narf@devilix.net> | 2014-10-22 22:46:38 +0200 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2014-10-22 22:46:38 +0200 |
commit | aff2fdc8c69c9257422ca325d2018a347309b0b9 (patch) | |
tree | 57c44ecdfe94d192aeb44f9e7ee93e34e50d0da4 | |
parent | 2b2288dc1ddeb030eb43734683ab3586ac826189 (diff) | |
parent | 1db369f77a158d72fcb7fe44f84efcfe9ac2f0d7 (diff) |
Merge pull request #3277 from clawoo/develop
Escape arrays sent as binding values for database queries.
-rw-r--r-- | system/database/DB_driver.php | 14 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 1 | ||||
-rw-r--r-- | user_guide_src/source/database/queries.rst | 9 |
3 files changed, 22 insertions, 2 deletions
diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 62cea758e..fc1d9566c 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -922,7 +922,12 @@ abstract class CI_DB_driver { do { $c--; - $sql = substr_replace($sql, $this->escape($binds[$c]), $matches[0][$c][1], $ml); + $escaped_value = $this->escape($binds[$c]); + if (is_array($escaped_value)) + { + $escaped_value = '('.implode(',', $escaped_value).')'; + } + $sql = substr_replace($sql, $escaped_value, $matches[0][$c][1], $ml); } while ($c !== 0); @@ -992,7 +997,12 @@ abstract class CI_DB_driver { */ public function escape($str) { - if (is_string($str) OR (is_object($str) && method_exists($str, '__toString'))) + if (is_array($str)) + { + $str = array_map(array(&$this, 'escape'), $str); + return $str; + } + elseif (is_string($str) OR (is_object($str) && method_exists($str, '__toString'))) { return "'".$this->escape_str($str)."'"; } diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index 0e4930289..99cdf4d4e 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -173,6 +173,7 @@ Release Date: Not Released - Added Interbase/Firebird database support via the *ibase* driver. - Added ODBC support for ``create_database()``, ``drop_database()`` and ``drop_table()`` in :doc:`Database Forge <database/forge>`. - Added **save_queries** configuration setting to *application/config/database.php* (defaults to ``TRUE``). + - Added support to binding arrays as ``IN()`` sets in ``query()``. - :doc:`Query Builder <database/query_builder>` changes include: diff --git a/user_guide_src/source/database/queries.rst b/user_guide_src/source/database/queries.rst index 90f49afb1..76ff1083f 100644 --- a/user_guide_src/source/database/queries.rst +++ b/user_guide_src/source/database/queries.rst @@ -132,6 +132,15 @@ put the queries together for you. Consider the following example:: The question marks in the query are automatically replaced with the values in the array in the second parameter of the query function. +Binding also work with arrays, which will be transformed to IN sets:: + + $sql = "SELECT * FROM some_table WHERE id IN ? AND status = ? AND author = ?"; + $this->db->query($sql, array(array(3, 6), 'live', 'Rick')); + +The resulting query will be:: + + SELECT * FROM some_table WHERE id IN (3,6) AND status = 'live' AND author = 'Rick' + The secondary benefit of using binds is that the values are automatically escaped, producing safer queries. You don't have to remember to manually escape data; the engine does it automatically for |