diff options
author | Andrey Andreev <narf@bofh.bg> | 2012-06-17 16:29:57 +0200 |
---|---|---|
committer | Andrey Andreev <narf@bofh.bg> | 2012-06-17 16:29:57 +0200 |
commit | 929fd2d52beb779e46681d35f8ff138aa65cb8df (patch) | |
tree | eaad2c75479b83b47f85318e79c97731f1684ed6 | |
parent | d1cace76965f71107aca63df1057b98df8d3b85a (diff) |
Improve escaping, support for table names with spaces and fix where() for strings with no spaces around operators
-rw-r--r-- | system/database/DB_driver.php | 56 | ||||
-rw-r--r-- | system/database/DB_query_builder.php | 4 | ||||
-rw-r--r-- | system/database/drivers/postgre/postgre_driver.php | 4 |
3 files changed, 30 insertions, 34 deletions
diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 28d665fdf..4ec20f45d 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -1086,6 +1086,20 @@ abstract class CI_DB_driver { // -------------------------------------------------------------------- /** + * Returns the SQL string operator + * + * @param string + * @return string + */ + protected function _get_operator($str) + { + return preg_match('/(=|!|<|>| IS NULL| IS NOT NULL| BETWEEN)/i', $str, $match) + ? $match[1] : FALSE; + } + + // -------------------------------------------------------------------- + + /** * Enables a native PHP function to be run, using a platform agnostic wrapper. * * @param string the function name @@ -1336,39 +1350,21 @@ abstract class CI_DB_driver { // Convert tabs or multiple spaces into single spaces $item = preg_replace('/\s+/', ' ', $item); - static $preg_ec = array(); - - if (empty($preg_ec)) + // If the item has an alias declaration we remove it and set it aside. + // Note: strripos() is used in order to support spaces in table names + if ($offset = strripos($item, ' AS ')) { - if (is_array($this->_escape_char)) - { - $preg_ec = array(preg_quote($this->_escape_char[0]), preg_quote($this->_escape_char[1])); - } - else - { - $preg_ec[0] = $preg_ec[1] = preg_quote($this->_escape_char); - } + $alias = ($protect_identifiers) + ? substr($item, $offset, 4).$this->escape_identifiers(substr($item, $offset + 4)) + : substr($item, $offset); + $item = substr($item, 0, $offset); } - - // If the item has an alias declaration we remove it and set it aside. - // Basically we remove everything to the right of the first space - preg_match('/^(('.$preg_ec[0].'[^'.$preg_ec[1].']+'.$preg_ec[1].')|([^'.$preg_ec[0].'][^\s]+))( AS)*(.+)*$/i', $item, $matches); - - if (isset($matches[4])) + elseif ($offset = strrpos($item, ' ')) { - $item = $matches[1]; - - // Escape the alias, if needed - if ($protect_identifiers === TRUE) - { - $alias = empty($matches[5]) - ? ' '.$this->escape_identifiers(ltrim($matches[4])) - : $matches[4].' '.$this->escape_identifiers(ltrim($matches[5])); - } - else - { - $alias = $matches[4].$matches[5]; - } + $alias = ($protect_identifiers) + ? ' '.$this->escape_identifiers(substr($item, $offset + 1)) + : substr($item, $offset); + $item = substr($item, 0, $offset); } else { diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php index 531ca9eb7..27f9f363b 100644 --- a/system/database/DB_query_builder.php +++ b/system/database/DB_query_builder.php @@ -459,8 +459,8 @@ abstract class CI_DB_query_builder extends CI_DB_driver { { $prefix = (count($this->qb_where) === 0 && count($this->qb_cache_where) === 0) ? '' : $type; - $k = $this->_has_operator($k) - ? $this->protect_identifiers(substr($k, 0, strpos(rtrim($k), ' ')), FALSE, $escape).strchr(rtrim($k), ' ') + $k = (($op = $this->_get_operator($k)) !== FALSE) + ? $this->protect_identifiers(substr($k, 0, strpos($k, $op)), FALSE, $escape).strstr($k, $op) : $this->protect_identifiers($k, FALSE, $escape); if (is_null($v) && ! $this->_has_operator($k)) diff --git a/system/database/drivers/postgre/postgre_driver.php b/system/database/drivers/postgre/postgre_driver.php index 3d25b25ee..23826a0ae 100644 --- a/system/database/drivers/postgre/postgre_driver.php +++ b/system/database/drivers/postgre/postgre_driver.php @@ -612,8 +612,8 @@ class CI_DB_postgre_driver extends CI_DB { { $prefix = (count($this->qb_where) === 0 && count($this->qb_cache_where) === 0) ? '' : $type; - $k = $this->_has_operator($k) - ? $this->protect_identifiers(substr($k, 0, strpos(rtrim($k), ' ')), FALSE, $escape).strchr(rtrim($k), ' ') + $k = (($op = $this->_get_operator($k)) !== FALSE) + ? $this->protect_identifiers(substr($k, 0, strpos($k, $op)), FALSE, $escape).strstr($k, $op) : $this->protect_identifiers($k, FALSE, $escape); if (is_null($v) && ! $this->_has_operator($k)) |