diff options
| author | Andrey Andreev <narf@devilix.net> | 2015-07-20 11:32:02 +0200 |
|---|---|---|
| committer | Andrey Andreev <narf@devilix.net> | 2015-07-20 11:32:02 +0200 |
| commit | 43afc71b777b00cfc2638add6fa3c47d333c5e04 (patch) | |
| tree | c81e63c99b683cfc1643a3ad2f6cc6d46a3625a4 /system/database/DB_query_builder.php | |
| parent | e17dbe6000a7f5ab3efe42c80bee7ca80dcc23c3 (diff) | |
Fix an internal bug in QB where() escaping
This is not a supported use case, but if QB escaping is force-disabled,
string values passed to where() or having() aren't escaped. That's wrong
because escape-disabling should only be possible for identifiers and not
values.
Reported via the forums: http://forum.codeigniter.com/thread-62478.html
Diffstat (limited to 'system/database/DB_query_builder.php')
| -rw-r--r-- | system/database/DB_query_builder.php | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php index a8b5b3579..8d21c5a1d 100644 --- a/system/database/DB_query_builder.php +++ b/system/database/DB_query_builder.php @@ -657,10 +657,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { if ($v !== NULL) { - if ($escape === TRUE) - { - $v = ' '.$this->escape($v); - } + $v = ' '.$this->escape($v); if ( ! $this->_has_operator($k)) { |