authorGreg Aker <greg.aker@ellislab.com>2011-04-20 23:03:04 +0200
committerGreg Aker <greg.aker@ellislab.com>2011-04-20 23:03:04 +0200
commite156c6eb4a018a91d3cfcaa2d1fd3b3e67dc2808 (patch)
tree1ce43f2ddb909e3ea5945f365f771953f7a3cfe2
parente5c8812f4165bf145e550a2f4c0354685c5bdb74 (diff)
Fixed a bug (Core #340) where when passing in the second parameter to $this->db->select(), column names in subsequent queries would not be properly escaped.
-rw-r--r--system/database/DB_active_rec.php20
-rw-r--r--user_guide/changelog.html1
2 files changed, 9 insertions, 12 deletions
diff --git a/system/database/DB_active_rec.php b/system/database/DB_active_rec.php
index db8471364..9ceac0b76 100644
--- a/system/database/DB_active_rec.php
+++ b/system/database/DB_active_rec.php
@@ -58,6 +58,8 @@ class CI_DB_active_record extends CI_DB_driver {
var $ar_cache_having = array();
var $ar_cache_orderby = array();
var $ar_cache_set = array();
+
+ var $ar_no_escape = array();
// --------------------------------------------------------------------
@@ -73,12 +75,6 @@ class CI_DB_active_record extends CI_DB_driver {
*/
function select($select = '*', $escape = NULL)
{
- // Set the global value if this was sepecified
- if (is_bool($escape))
- {
- $this->_protect_identifiers = $escape;
- }
-
if (is_string($select))
{
$select = explode(',', $select);
@@ -91,6 +87,7 @@ class CI_DB_active_record extends CI_DB_driver {
if ($val != '')
{
$this->ar_select[] = $val;
+ $this->ar_no_escape[] = $escape;
if ($this->ar_caching === TRUE)
{
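Review bot: The flag stored by `$this->ar_no_escape[] = $escape;` is tied to its column only by array position, and the caching branch that opens on the next line shows no matching cached flag anywhere in this diff. If cached select entries are later merged back into `ar_select` (that code is outside the hunk, so this is inferred), the positions shift and a `FALSE` given for one column could be applied to a different column, leaving an identifier unprotected that the caller expected to be quoted. Consider recording the flag in the caching branch as well, for example `$this->ar_cache_no_escape[] = $escape;`, and merging it alongside the cached selects. The property name also reads inverted, since it holds the `$escape` value itself; a comment on the declaration such as `// Per-column $escape flag passed to select(), index-aligned with ar_select` would make that clear. The body of `select()` continues outside the hunk.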
@@ -441,10 +438,10 @@ class CI_DB_active_record extends CI_DB_driver {
$v = ' '.$this->escape($v);
}
-
+
if ( ! $this->_has_operator($k))
{
- $k .= ' =';
+ $k .= ' = ';
}
}
else
@@ -1718,7 +1715,7 @@ class CI_DB_active_record extends CI_DB_driver {
// is because until the user calls the from() function we don't know if there are aliases
foreach ($this->ar_select as $key => $val)
{
- $this->ar_select[$key] = $this->_protect_identifiers($val);
+ $this->ar_select[$key] = $this->_protect_identifiers($val, FALSE, $this->ar_no_escape[$key]);
}
$sql .= implode(', ', $this->ar_select);
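Review bot: `$this->ar_no_escape[$key]` is read for every key of `ar_select` without checking that the entry exists, while the only place this diff appends to `ar_no_escape` is `select()`. Any other path that adds to `ar_select` (none is visible here, so helpers such as `select_max()` and the cache merge need checking) would raise an undefined-offset notice and pass NULL, so the column would presumably fall back to the default protection setting. A guard keeps the lookup explicit: `$no_escape = isset($this->ar_no_escape[$key]) ? $this->ar_no_escape[$key] : NULL;` followed by `$this->_protect_identifiers($val, FALSE, $no_escape);`. The enclosing function starts and ends outside the hunk.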
@@ -1753,9 +1750,7 @@ class CI_DB_active_record extends CI_DB_driver {
if (count($this->ar_where) > 0 OR count($this->ar_like) > 0)
{
- $sql .= "\n";
-
- $sql .= "WHERE ";
+ $sql .= "\nWHERE ";
}
$sql .= implode("\n", $this->ar_where);
@@ -2032,6 +2027,7 @@ class CI_DB_active_record extends CI_DB_driver {
'ar_orderby' => array(),
'ar_wherein' => array(),
'ar_aliased_tables' => array(),
+ 'ar_no_escape' => array(),
'ar_distinct' => FALSE,
'ar_limit' => FALSE,
'ar_offset' => FALSE,
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 7ad566733..76f9e5dd9 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -94,6 +94,7 @@ Change Log
<li class="reactor">Removed <samp>APPPATH.'third_party'</samp> from the packages autoloader to negate needless file stats if no packages exist or if the developer does not load any other packages by default.</li>
<li>Fixed a bug (Reactor #231) where Sessions Library database table example SQL did not contain an index on last_activity. See <a href="installation/upgrade_203.html">Upgrade Notes</a>.</li>
<li>Fixed a bug (Reactor #229) where the Sessions Library example SQL in the documentation contained incorrect SQL.</li>
+ <li>Fixed a bug (Core #340) where when passing in the second parameter to $this->db->select(), column names in subsequent queries would not be properly escaped.</li>
</ul>
<h2>Version 2.0.2</h2>