diff options
author | Greg Aker <greg.aker@ellislab.com> | 2011-04-20 23:03:04 +0200 |
---|---|---|
committer | Greg Aker <greg.aker@ellislab.com> | 2011-04-20 23:03:04 +0200 |
commit | e156c6eb4a018a91d3cfcaa2d1fd3b3e67dc2808 (patch) | |
tree | 1ce43f2ddb909e3ea5945f365f771953f7a3cfe2 | |
parent | e5c8812f4165bf145e550a2f4c0354685c5bdb74 (diff) |
Fixed a bug (Core #340) where when passing in the second parameter to $this->db->select(), column names in subsequent queries would not be properly escaped.
-rw-r--r-- | system/database/DB_active_rec.php | 20 | ||||
-rw-r--r-- | user_guide/changelog.html | 1 |
2 files changed, 9 insertions, 12 deletions
diff --git a/system/database/DB_active_rec.php b/system/database/DB_active_rec.php index db8471364..9ceac0b76 100644 --- a/system/database/DB_active_rec.php +++ b/system/database/DB_active_rec.php @@ -58,6 +58,8 @@ class CI_DB_active_record extends CI_DB_driver { var $ar_cache_having = array(); var $ar_cache_orderby = array(); var $ar_cache_set = array(); + + var $ar_no_escape = array(); // -------------------------------------------------------------------- @@ -73,12 +75,6 @@ class CI_DB_active_record extends CI_DB_driver { */ function select($select = '*', $escape = NULL) { - // Set the global value if this was sepecified - if (is_bool($escape)) - { - $this->_protect_identifiers = $escape; - } - if (is_string($select)) { $select = explode(',', $select); @@ -91,6 +87,7 @@ class CI_DB_active_record extends CI_DB_driver { if ($val != '') { $this->ar_select[] = $val; + $this->ar_no_escape[] = $escape; if ($this->ar_caching === TRUE) { @@ -441,10 +438,10 @@ class CI_DB_active_record extends CI_DB_driver { $v = ' '.$this->escape($v); } - + if ( ! $this->_has_operator($k)) { - $k .= ' ='; + $k .= ' = '; } } else @@ -1718,7 +1715,7 @@ class CI_DB_active_record extends CI_DB_driver { // is because until the user calls the from() function we don't know if there are aliases foreach ($this->ar_select as $key => $val) { - $this->ar_select[$key] = $this->_protect_identifiers($val); + $this->ar_select[$key] = $this->_protect_identifiers($val, FALSE, $this->ar_no_escape[$key]); } $sql .= implode(', ', $this->ar_select); @@ -1753,9 +1750,7 @@ class CI_DB_active_record extends CI_DB_driver { if (count($this->ar_where) > 0 OR count($this->ar_like) > 0) { - $sql .= "\n"; - - $sql .= "WHERE "; + $sql .= "\nWHERE "; } $sql .= implode("\n", $this->ar_where); @@ -2032,6 +2027,7 @@ class CI_DB_active_record extends CI_DB_driver { 'ar_orderby' => array(), 'ar_wherein' => array(), 'ar_aliased_tables' => array(), + 'ar_no_escape' => array(), 'ar_distinct' => FALSE, 'ar_limit' => FALSE, 'ar_offset' => FALSE, diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 7ad566733..76f9e5dd9 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -94,6 +94,7 @@ Change Log <li class="reactor">Removed <samp>APPPATH.'third_party'</samp> from the packages autoloader to negate needless file stats if no packages exist or if the developer does not load any other packages by default.</li> <li>Fixed a bug (Reactor #231) where Sessions Library database table example SQL did not contain an index on last_activity. See <a href="installation/upgrade_203.html">Upgrade Notes</a>.</li> <li>Fixed a bug (Reactor #229) where the Sessions Library example SQL in the documentation contained incorrect SQL.</li> + <li>Fixed a bug (Core #340) where when passing in the second parameter to $this->db->select(), column names in subsequent queries would not be properly escaped.</li> </ul> <h2>Version 2.0.2</h2> |