authorDerek Allard <derek.allard@ellislab.com>2008-12-15 15:08:35 +0100
committerDerek Allard <derek.allard@ellislab.com>2008-12-15 15:08:35 +0100
commit911d3e0fdd26ebdcb7c862a2a39ddcaef935d6f7 (patch)
tree2f3c48275de7ca06073508c956f94befd45066b2
parent01e2009209aaa28fc4b57308b49c7f041fe61ac7 (diff)
Fixed a bug in database escaping where a compound statement (e.g. SUM()) wasn't handled correctly with database prefixes.
-rw-r--r--system/database/DB_driver.php22
-rw-r--r--user_guide/changelog.html5
2 files changed, 14 insertions, 13 deletions
diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php
index 4293acc91..fde0a435f 100644
--- a/system/database/DB_driver.php
+++ b/system/database/DB_driver.php
@@ -1204,11 +1204,20 @@ class CI_DB_driver {
// Basically we remove everything to the right of the first space
$alias = '';
if (strpos($item, ' ') !== FALSE)
- {
+ {
$alias = strstr($item, " ");
$item = substr($item, 0, - strlen($alias));
}
+ // This is basically a bug fix for queries that use MAX, MIN, etc.
+ // If a parenthesis is found we know that we do not need to
+ // escape the data or add a prefix. There's probably a more graceful
+ // way to deal with this, but I'm not thinking of it -- Rick
+ if (strpos($item, '(') !== FALSE)
+ {
+ return $item.$alias;
+ }
+
// Break the string apart if it contains periods, then insert the table prefix
// in the correct location, assuming the period doesn't indicate that we're dealing
// with an alias. While we're at it, we will escape the components
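Review bot: Any value containing `(` now leaves this method unescaped and unprefixed through `return $item.$alias;`, ahead of all the identifier handling below, and the comment above the check does not tell callers that the safety of such strings is theirs to guarantee. I would extend that comment with something like `// NOTE: anything containing '(' is returned verbatim (no escaping, no prefix); never build such expressions from request data.` The test also runs on `$item` after the alias split at the first space, so a call written with a space before the parenthesis (for example `MAX (price)`, a constructed sample) presumably still falls through to the prefix and escape path. The enclosing method begins and ends outside this hunk, so how callers feed it cannot be confirmed from here.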
@@ -1220,7 +1229,7 @@ class CI_DB_driver {
// one of the aliases previously identified? If so,
// we have nothing more to do other than escape the item
if (in_array($parts[0], $this->ar_aliased_tables))
- {
+ {
if ($protect_identifiers === TRUE)
{
foreach ($parts as $key => $val)
@@ -1284,15 +1293,6 @@ class CI_DB_driver {
return $item.$alias;
}
- // This is basically a bug fix for queries that use MAX, MIN, etc.
- // If a parenthesis is found we know that we do not need to
- // escape the data or add a prefix. There's probably a more graceful
- // way to deal with this, but I'm not thinking of it -- Rick
- if (strpos($item, '(') !== FALSE)
- {
- return $item.$alias;
- }
-
// Is there a table prefix? If not, no need to insert it
if ($this->dbprefix != '')
{
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 3b9c73e5f..1801a46b2 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -97,8 +97,9 @@ SVN Revision: </p>
<li>Changed a few docblock comments to reflect actual return values.</li>
<li>Fixed a bug with high ascii characters in subject and from email headers.</li>
<li>Fixed a bug in xss_clean() where whitespace following a validated character entity would not be preserved.</li>
- <li>Fixed a bug where HTML comments and &lt;pre&gt; tags were being parsed in Typography::auto_typography()</li>
- <li>Fixed a bug with non-breaking space cleanup in Typography::auto_typography()</li>
+ <li>Fixed a bug where HTML comments and &lt;pre&gt; tags were being parsed in Typography::auto_typography().</li>
+ <li>Fixed a bug with non-breaking space cleanup in Typography::auto_typography().</li>
+ <li>Fixed a bug in database escaping where a compound statement (ie: SUM()) wasn't handled correctly with database prefixes.</li>
</ul>