summaryrefslogtreecommitdiffstats
path: root/system/database/drivers/mysqli/mysqli_driver.php
diff options
context:
space:
mode:
authorDerek Jones <derek.jones@ellislab.com>2009-02-20 22:44:59 +0100
committerDerek Jones <derek.jones@ellislab.com>2009-02-20 22:44:59 +0100
commite4ed583067095144eb20aefc61d4499d8386532a (patch)
treeb156a0305e5c1e84466bcb0ca84787b234be3cfd /system/database/drivers/mysqli/mysqli_driver.php
parent436e6e2583c574a4628984c4a95c5d3da5fcce1f (diff)
added LIKE condition escaping to all drivers and Active Record
updated all DB drivers to accept arrays in escape_str()
Diffstat (limited to 'system/database/drivers/mysqli/mysqli_driver.php')
-rw-r--r--system/database/drivers/mysqli/mysqli_driver.php31
1 files changed, 27 insertions, 4 deletions
diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php
index 9ef18e025..92d871111 100644
--- a/system/database/drivers/mysqli/mysqli_driver.php
+++ b/system/database/drivers/mysqli/mysqli_driver.php
@@ -35,6 +35,10 @@ class CI_DB_mysqli_driver extends CI_DB {
// The character used for escaping
var $_escape_char = '`';
+ // clause and character used for LIKE escape sequences - not used in MySQL
+ var $_like_escape_str = '';
+ var $_like_escape_chr = '';
+
/**
* The syntax to count rows is slightly different across different
* database engines, so this string appears in each driver and is
@@ -257,22 +261,41 @@ class CI_DB_mysqli_driver extends CI_DB {
*
* @access public
* @param string
+ * @param bool whether or not the string will be used in a LIKE condition
* @return string
*/
- function escape_str($str)
+ function escape_str($str, $like = FALSE)
{
+ if (is_array($str))
+ {
+ foreach($str as $key => $val)
+ {
+ $str[$key] = $this->escape_str($val, $like);
+ }
+
+ return $str;
+ }
+
if (function_exists('mysqli_real_escape_string') AND is_object($this->conn_id))
{
- return mysqli_real_escape_string($this->conn_id, $str);
+ $str = mysqli_real_escape_string($this->conn_id, $str);
}
elseif (function_exists('mysql_escape_string'))
{
- return mysql_escape_string($str);
+ $str = mysql_escape_string($str);
}
else
{
- return addslashes($str);
+ $str = addslashes($str);
}
+
+ // escape LIKE condition wildcards
+ if ($like === TRUE)
+ {
+ $str = str_replace(array('%', '_'), array('\\%', '\\_'), $str);
+ }
+
+ return $str;
}
// --------------------------------------------------------------------