diff options
| author | Derek Allard <derek.allard@ellislab.com> | 2008-12-15 15:08:35 +0100 |
|---|---|---|
| committer | Derek Allard <derek.allard@ellislab.com> | 2008-12-15 15:08:35 +0100 |
| commit | 911d3e0fdd26ebdcb7c862a2a39ddcaef935d6f7 (patch) | |
| tree | 2f3c48275de7ca06073508c956f94befd45066b2 | |
| parent | 01e2009209aaa28fc4b57308b49c7f041fe61ac7 (diff) | |
Fixed a bug in database escaping where a compound statement (ie: SUM()) wasn't handled correctly with database prefixes.
| -rw-r--r-- | system/database/DB_driver.php | 22 | ||||
| -rw-r--r-- | user_guide/changelog.html | 5 |
2 files changed, 14 insertions, 13 deletions
diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php index 4293acc91..fde0a435f 100644 --- a/system/database/DB_driver.php +++ b/system/database/DB_driver.php @@ -1204,11 +1204,20 @@ class CI_DB_driver { // Basically we remove everything to the right of the first space $alias = ''; if (strpos($item, ' ') !== FALSE) - { + { $alias = strstr($item, " "); $item = substr($item, 0, - strlen($alias)); } + // This is basically a bug fix for queries that use MAX, MIN, etc. + // If a parenthesis is found we know that we do not need to + // escape the data or add a prefix. There's probably a more graceful + // way to deal with this, but I'm not thinking of it -- Rick + if (strpos($item, '(') !== FALSE) + { + return $item.$alias; + } + // Break the string apart if it contains periods, then insert the table prefix // in the correct location, assuming the period doesn't indicate that we're dealing // with an alias. While we're at it, we will escape the components @@ -1220,7 +1229,7 @@ class CI_DB_driver { // one of the aliases previously identified? If so, // we have nothing more to do other than escape the item if (in_array($parts[0], $this->ar_aliased_tables)) - { + { if ($protect_identifiers === TRUE) { foreach ($parts as $key => $val) @@ -1284,15 +1293,6 @@ class CI_DB_driver { return $item.$alias; } - // This is basically a bug fix for queries that use MAX, MIN, etc. - // If a parenthesis is found we know that we do not need to - // escape the data or add a prefix. There's probably a more graceful - // way to deal with this, but I'm not thinking of it -- Rick - if (strpos($item, '(') !== FALSE) - { - return $item.$alias; - } - // Is there a table prefix? If not, no need to insert it if ($this->dbprefix != '') { diff --git a/user_guide/changelog.html b/user_guide/changelog.html index 3b9c73e5f..1801a46b2 100644 --- a/user_guide/changelog.html +++ b/user_guide/changelog.html @@ -97,8 +97,9 @@ SVN Revision: </p> <li>Changed a few docblock comments to reflect actual return values.</li> <li>Fixed a bug with high ascii characters in subject and from email headers.</li> <li>Fixed a bug in xss_clean() where whitespace following a validated character entity would not be preserved.</li> - <li>Fixed a bug where HTML comments and <pre> tags were being parsed in Typography::auto_typography()</li> - <li>Fixed a bug with non-breaking space cleanup in Typography::auto_typography()</li> + <li>Fixed a bug where HTML comments and <pre> tags were being parsed in Typography::auto_typography().</li> + <li>Fixed a bug with non-breaking space cleanup in Typography::auto_typography().</li> + <li>Fixed a bug in database escaping where a compound statement (ie: SUM()) wasn't handled correctly with database prefixes.</li> </ul> |