summaryrefslogtreecommitdiffstats
path: root/system/database/drivers
diff options
context:
space:
mode:
authorRick Ellis <rick.ellis@ellislab.com>2008-10-17 06:07:40 +0200
committerRick Ellis <rick.ellis@ellislab.com>2008-10-17 06:07:40 +0200
commit59523592c58abc303a6eae1904c80fa6a428c3d3 (patch)
treebb27e7ac32d6b79c1ae5d5ddf33c8bc84436a228 /system/database/drivers
parente3945e9452fdaa155ad3a0ce51b591d3b12ccfe0 (diff)
Fixed a number of bug reports related to table/db names not being escaped or prefixed correctly.
Diffstat (limited to 'system/database/drivers')
-rw-r--r--system/database/drivers/mssql/mssql_driver.php112
-rw-r--r--system/database/drivers/mssql/mssql_forge.php4
-rw-r--r--system/database/drivers/mssql/mssql_result.php6
-rw-r--r--system/database/drivers/oci8/oci8_driver.php109
-rw-r--r--system/database/drivers/sqlite/sqlite_driver.php104
-rw-r--r--system/database/drivers/sqlite/sqlite_forge.php2
-rw-r--r--system/database/drivers/sqlite/sqlite_result.php6
7 files changed, 74 insertions, 269 deletions
diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php
index 02b975ad2..fbc0701c0 100644
--- a/system/database/drivers/mssql/mssql_driver.php
+++ b/system/database/drivers/mssql/mssql_driver.php
@@ -30,6 +30,10 @@
*/
class CI_DB_mssql_driver extends CI_DB {
+ var $dbdriver = 'mssql';
+
+ // The character used for escaping
+ var $_escape_char = '';
/**
* The syntax to count rows is slightly different across different
* database engines, so this string appears in each driver and is
@@ -37,7 +41,6 @@ class CI_DB_mssql_driver extends CI_DB {
*/
var $_count_string = "SELECT COUNT(*) AS ";
var $_random_keyword = ' ASC'; // not currently supported
- var $dbdriver = 'mssql';
/**
* Non-persistent database connection
@@ -301,7 +304,7 @@ class CI_DB_mssql_driver extends CI_DB {
if ($table == '')
return '0';
- $query = $this->query($this->_count_string . $this->_protect_identifiers('numrows'). " FROM " . $this->_protect_identifiers($this->dbprefix.$table));
+ $query = $this->query($this->_count_string . $this->_protect_identifiers('numrows'). " FROM " . $this->_protect_identifiers($table, TRUE, NULL, FALSE));
if ($query->num_rows() == 0)
return '0';
@@ -348,7 +351,7 @@ class CI_DB_mssql_driver extends CI_DB {
*/
function _list_columns($table = '')
{
- return "SELECT * FROM INFORMATION_SCHEMA.Columns WHERE TABLE_NAME = '".$this->_escape_table($table)."'";
+ return "SELECT * FROM INFORMATION_SCHEMA.Columns WHERE TABLE_NAME = '".$table."'";
}
// --------------------------------------------------------------------
@@ -364,7 +367,7 @@ class CI_DB_mssql_driver extends CI_DB {
*/
function _field_data($table)
{
- return "SELECT TOP 1 * FROM ".$this->_escape_table($table);
+ return "SELECT TOP 1 * FROM ".$table;
}
// --------------------------------------------------------------------
@@ -398,99 +401,34 @@ class CI_DB_mssql_driver extends CI_DB {
// --------------------------------------------------------------------
/**
- * Escape Column Name
- *
- * This function adds backticks around supplied column name
- *
- * @access private
- * @param string the column name
- * @return string
- */
- function _escape_column($column)
- {
- // Not necessary with MS SQL so we simply return the value
- return $column;
- }
-
- // --------------------------------------------------------------------
-
- /**
- * Escape Table Name
+ * Escape the SQL Identifiers
*
- * This function adds backticks if the table name has a period
- * in it. Some DBs will get cranky unless periods are escaped
+ * This function escapes column and table names
*
* @access private
- * @param string the table name
+ * @param string
* @return string
*/
- function _escape_table($table)
- {
- // Not necessary with MS SQL so we simply return the value
- return $table;
- }
-
- // --------------------------------------------------------------------
-
- /**
- * Protect Identifiers
- *
- * This function adds backticks if appropriate based on db type
- *
- * @access private
- * @param mixed the item(s)
- * @param boolean should spaces be backticked
- * @param boolean only affect the first word
- * @return mixed the item with backticks
- */
- function _protect_identifiers($item, $first_word_only = FALSE)
+ function _escape_identifiers($item)
{
- if (is_array($item))
+ if ($this->_escape_char == '')
{
- $escaped_array = array();
-
- foreach($item as $k=>$v)
- {
- $escaped_array[$this->_protect_identifiers($k)] = $this->_protect_identifiers($v, $first_word_only);
- }
-
- return $escaped_array;
- }
-
- // This function may get "item1 item2" as a string, and so
- // we may need ""item1" "item2"" and not ""item1 item2""
- if (ctype_alnum($item) === FALSE)
+ return $item;
+ }
+
+ if (strpos($item, '.') !== FALSE)
{
- if (strpos($item, '.') !== FALSE)
- {
- $aliased_tables = implode(".",$this->ar_aliased_tables).'.';
- $table_name = substr($item, 0, strpos($item, '.')+1);
- $item = (strpos($aliased_tables, $table_name) !== FALSE) ? $item = $item : $this->dbprefix.$item;
- }
-
- // This function may get "field >= 1", and need it to return ""field" >= 1"
- $lbound = ($first_word_only === TRUE) ? '' : '|\s|\(';
-
- $item = preg_replace('/(^'.$lbound.')([\w\d\-\_]+?)(\s|\)|$)/iS', '$1$2$3', $item);
+ $str = $this->_escape_char.str_replace('.', $this->_escape_char.'.'.$this->_escape_char, $item).$this->_escape_char;
}
else
{
- return $item;
+ $str = $this->_escape_char.$item.$this->_escape_char;
}
-
- $exceptions = array('AS', '/', '-', '%', '+', '*', 'OR', 'IS');
- foreach ($exceptions as $exception)
- {
-
- if (stristr($item, " \"{$exception}\" ") !== FALSE)
- {
- $item = preg_replace('/ "('.preg_quote($exception).')" /i', ' $1 ', $item);
- }
- }
- return $item;
+ // remove duplicates if the user already included the escape
+ return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $str);
}
-
+
// --------------------------------------------------------------------
/**
@@ -528,7 +466,7 @@ class CI_DB_mssql_driver extends CI_DB {
*/
function _insert($table, $keys, $values)
{
- return "INSERT INTO ".$this->_escape_table($table)." (".implode(', ', $keys).") VALUES (".implode(', ', $values).")";
+ return "INSERT INTO ".$table." (".implode(', ', $keys).") VALUES (".implode(', ', $values).")";
}
// --------------------------------------------------------------------
@@ -557,8 +495,10 @@ class CI_DB_mssql_driver extends CI_DB {
$orderby = (count($orderby) >= 1)?' ORDER BY '.implode(", ", $orderby):'';
- $sql = "UPDATE ".$this->_escape_table($table)." SET ".implode(', ', $valstr);
+ $sql = "UPDATE ".$table." SET ".implode(', ', $valstr);
+
$sql .= ($where != '' AND count($where) >=1) ? " WHERE ".implode(" ", $where) : '';
+
$sql .= $orderby.$limit;
return $sql;
@@ -580,7 +520,7 @@ class CI_DB_mssql_driver extends CI_DB {
*/
function _truncate($table)
{
- return "TRUNCATE ".$this->_escape_table($table);
+ return "TRUNCATE ".$table;
}
// --------------------------------------------------------------------
diff --git a/system/database/drivers/mssql/mssql_forge.php b/system/database/drivers/mssql/mssql_forge.php
index c842ac1e2..8665dc055 100644
--- a/system/database/drivers/mssql/mssql_forge.php
+++ b/system/database/drivers/mssql/mssql_forge.php
@@ -60,7 +60,7 @@ class CI_DB_mssql_forge extends CI_DB_forge {
*/
function _drop_table($table)
{
- return "DROP TABLE ".$this->db->_escape_table($table);
+ return "DROP TABLE ".$this->db->_escape_identifiers($table);
}
// --------------------------------------------------------------------
@@ -85,7 +85,7 @@ class CI_DB_mssql_forge extends CI_DB_forge {
$sql .= 'IF NOT EXISTS ';
}
- $sql .= $this->db->_escape_table($table)." (";
+ $sql .= $this->db->_escape_identifiers($table)." (";
$current_field_count = 0;
foreach ($fields as $field=>$attributes)
diff --git a/system/database/drivers/mssql/mssql_result.php b/system/database/drivers/mssql/mssql_result.php
index b4c22bec9..33fdda9d4 100644
--- a/system/database/drivers/mssql/mssql_result.php
+++ b/system/database/drivers/mssql/mssql_result.php
@@ -70,12 +70,6 @@ class CI_DB_mssql_result extends CI_DB_result {
return $field_names;
}
-
- // Deprecated
- function field_names()
- {
- return $this->list_fields();
- }
// --------------------------------------------------------------------
diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php
index 006e6ef1f..0c51a5ea7 100644
--- a/system/database/drivers/oci8/oci8_driver.php
+++ b/system/database/drivers/oci8/oci8_driver.php
@@ -44,6 +44,9 @@
class CI_DB_oci8_driver extends CI_DB {
var $dbdriver = 'oci8';
+
+ // The character used for excaping
+ var $_escape_char = '"';
/**
* The syntax to count rows is slightly different across different
@@ -419,7 +422,7 @@ class CI_DB_oci8_driver extends CI_DB {
if ($table == '')
return '0';
- $query = $this->query($this->_count_string . $this->_protect_identifiers('numrows'). " FROM " . $this->_protect_identifiers($this->dbprefix.$table));
+ $query = $this->query($this->_count_string . $this->_protect_identifiers('numrows'). " FROM " . $this->_protect_identifiers($table, TRUE, NULL, FALSE));
if ($query == FALSE)
{
@@ -482,7 +485,7 @@ class CI_DB_oci8_driver extends CI_DB {
*/
function _field_data($table)
{
- return "SELECT * FROM ".$this->_escape_table($table)." where rownum = 1";
+ return "SELECT * FROM ".$table." where rownum = 1";
}
// --------------------------------------------------------------------
@@ -516,102 +519,34 @@ class CI_DB_oci8_driver extends CI_DB {
// --------------------------------------------------------------------
/**
- * Escape Column Name
+ * Escape the SQL Identifiers
*
- * This function adds backticks around supplied column name
+ * This function escapes column and table names
*
* @access private
- * @param string the column name
+ * @param string
* @return string
*/
- function _escape_column($column)
+ function _escape_identifiers($item)
{
- // Probably not necessary with Oracle so we simply return the value
- return $column;
- }
-
- // --------------------------------------------------------------------
-
- /**
- * Escape Table Name
- *
- * This function adds backticks if the table name has a period
- * in it. Some DBs will get cranky unless periods are escaped
- *
- * @access private
- * @param string the table name
- * @return string
- */
- function _escape_table($table)
- {
- if (strpos($table, '.') !== FALSE)
+ if ($this->_escape_char == '')
{
- $table = '"' . str_replace('.', '"."', $table) . '"';
+ return $item;
}
-
- return $table;
- }
-
- // --------------------------------------------------------------------
-
- /**
- * Protect Identifiers
- *
- * This function adds backticks if appropriate based on db type
- *
- * @access private
- * @param mixed the item to escape
- * @param boolean only affect the first word
- * @return mixed the item with backticks
- */
- function _protect_identifiers($item, $first_word_only = FALSE)
- {
- if (is_array($item))
- {
- $escaped_array = array();
-
- foreach($item as $k=>$v)
- {
- $escaped_array[$this->_protect_identifiers($k)] = $this->_protect_identifiers($v, $first_word_only);
- }
-
- return $escaped_array;
- }
-
- // This function may get "item1 item2" as a string, and so
- // we may need ""item1" "item2"" and not ""item1 item2""
- if (ctype_alnum($item) === FALSE)
+
+ if (strpos($item, '.') !== FALSE)
{
- if (strpos($item, '.') !== FALSE)
- {
- $aliased_tables = implode(".",$this->ar_aliased_tables).'.';
- $table_name = substr($item, 0, strpos($item, '.')+1);
- $item = (strpos($aliased_tables, $table_name) !== FALSE) ? $item = $item : $this->dbprefix.$item;
- }
-
- // This function may get "field >= 1", and need it to return ""field" >= 1"
- $lbound = ($first_word_only === TRUE) ? '' : '|\s|\(';
-
- $item = preg_replace('/(^'.$lbound.')([\w\d\-\_]+?)(\s|\)|$)/iS', '$1"$2"$3', $item);
+ $str = $this->_escape_char.str_replace('.', $this->_escape_char.'.'.$this->_escape_char, $item).$this->_escape_char;
}
else
{
- return "\"{$item}\"";
+ $str = $this->_escape_char.$item.$this->_escape_char;
}
-
- $exceptions = array('AS', '/', '-', '%', '+', '*', 'OR', 'IS');
-
- foreach ($exceptions as $exception)
- {
- if (stristr($item, " \"{$exception}\" ") !== FALSE)
- {
- $item = preg_replace('/ "('.preg_quote($exception).')" /i', ' $1 ', $item);
- }
- }
- return $item;
+ // remove duplicates if the user already included the escape
+ return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $str);
}
-
+
// --------------------------------------------------------------------
/**
@@ -649,7 +584,7 @@ class CI_DB_oci8_driver extends CI_DB {
*/
function _insert($table, $keys, $values)
{
- return "INSERT INTO ".$this->_escape_table($table)." (".implode(', ', $keys).") VALUES (".implode(', ', $values).")";
+ return "INSERT INTO ".$table." (".implode(', ', $keys).") VALUES (".implode(', ', $values).")";
}
// --------------------------------------------------------------------
@@ -678,8 +613,10 @@ class CI_DB_oci8_driver extends CI_DB {
$orderby = (count($orderby) >= 1)?' ORDER BY '.implode(", ", $orderby):'';
- $sql = "UPDATE ".$this->_escape_table($table)." SET ".implode(', ', $valstr);
+ $sql = "UPDATE ".$table." SET ".implode(', ', $valstr);
+
$sql .= ($where != '' AND count($where) >=1) ? " WHERE ".implode(" ", $where) : '';
+
$sql .= $orderby.$limit;
return $sql;
@@ -700,7 +637,7 @@ class CI_DB_oci8_driver extends CI_DB {
*/
function _truncate($table)
{
- return "TRUNCATE TABLE ".$this->_escape_table($table);
+ return "TRUNCATE TABLE ".$table;
}
// --------------------------------------------------------------------
diff --git a/system/database/drivers/sqlite/sqlite_driver.php b/system/database/drivers/sqlite/sqlite_driver.php
index df19dba78..0ba483f8b 100644
--- a/system/database/drivers/sqlite/sqlite_driver.php
+++ b/system/database/drivers/sqlite/sqlite_driver.php
@@ -33,6 +33,9 @@
class CI_DB_sqlite_driver extends CI_DB {
var $dbdriver = 'sqlite';
+
+ // The character used to escape with - not needed for SQLite
+ var $_escape_char = '';
/**
* The syntax to count rows is slightly different across different
@@ -300,7 +303,7 @@ class CI_DB_sqlite_driver extends CI_DB {
if ($table == '')
return '0';
- $query = $this->query($this->_count_string . $this->_protect_identifiers('numrows'). " FROM " . $this->_protect_identifiers($this->dbprefix.$table));
+ $query = $this->query($this->_count_string . $this->_protect_identifiers('numrows'). " FROM " . $this->_protect_identifiers($table, TRUE, NULL, FALSE));
if ($query->num_rows() == 0)
return '0';
@@ -361,7 +364,7 @@ class CI_DB_sqlite_driver extends CI_DB {
*/
function _field_data($table)
{
- return "SELECT * FROM ".$this->_escape_table($table)." LIMIT 1";
+ return "SELECT * FROM ".$table." LIMIT 1";
}
// --------------------------------------------------------------------
@@ -393,97 +396,32 @@ class CI_DB_sqlite_driver extends CI_DB {
// --------------------------------------------------------------------
/**
- * Escape Column Name
- *
- * This function adds backticks around supplied column name
- *
- * @access private
- * @param string the column name
- * @return string
- */
- function _escape_column($column)
- {
- // Not necessary with SQLite so we simply return the value
- return $column;
- }
-
- // --------------------------------------------------------------------
-
- /**
- * Escape Table Name
+ * Escape the SQL Identifiers
*
- * This function adds backticks if the table name has a period
- * in it. Some DBs will get cranky unless periods are escaped
+ * This function escapes column and table names
*
* @access private
- * @param string the table name
+ * @param string
* @return string
*/
- function _escape_table($table)
+ function _escape_identifiers($item)
{
- // other database drivers use this to add backticks, hence this
- // function is simply going to return the tablename for sqlite
- return $table;
- }
-
- // --------------------------------------------------------------------
-
- /**
- * Protect Identifiers
- *
- * This function adds backticks if appropriate based on db type
- *
- * @access private
- * @param mixed the item to escape
- * @param boolean only affect the first word
- * @return mixed the item with backticks
- */
- function _protect_identifiers($item, $first_word_only = FALSE)
- {
- if (is_array($item))
+ if ($this->_escape_char == '')
{
- $escaped_array = array();
-
- foreach($item as $k=>$v)
- {
- $escaped_array[$this->_protect_identifiers($k)] = $this->_protect_identifiers($v, $first_word_only);
- }
-
- return $escaped_array;
- }
-
- // This function may get "item1 item2" as a string, and so
- // we may need "item1 item2" and not "item1 item2"
- if (ctype_alnum($item) === FALSE)
+ return $item;
+ }
+
+ if (strpos($item, '.') !== FALSE)
{
- if (strpos($item, '.') !== FALSE)
- {
- $aliased_tables = implode(".",$this->ar_aliased_tables).'.';
- $table_name = substr($item, 0, strpos($item, '.')+1);
- $item = (strpos($aliased_tables, $table_name) !== FALSE) ? $item = $item : $this->dbprefix.$item;
- }
-
- // This function may get "field >= 1", and need it to return "field >= 1"
- $lbound = ($first_word_only === TRUE) ? '' : '|\s|\(';
-
- $item = preg_replace('/(^'.$lbound.')([\w\d\-\_]+?)(\s|\)|$)/iS', '$1$2$3', $item);
+ $str = $this->_escape_char.str_replace('.', $this->_escape_char.'.'.$this->_escape_char, $item).$this->_escape_char;
}
else
{
- return "{$item}";
+ $str = $this->_escape_char.$item.$this->_escape_char;
}
-
- $exceptions = array('AS', '/', '-', '%', '+', '*', 'OR', 'IS');
-
- foreach ($exceptions as $exception)
- {
- if (stristr($item, " {$exception} ") !== FALSE)
- {
- $item = preg_replace('/ ('.preg_quote($exception).') /i', ' $1 ', $item);
- }
- }
- return $item;
+ // remove duplicates if the user already included the escape
+ return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $str);
}
// --------------------------------------------------------------------
@@ -523,7 +461,7 @@ class CI_DB_sqlite_driver extends CI_DB {
*/
function _insert($table, $keys, $values)
{
- return "INSERT INTO ".$this->_escape_table($table)." (".implode(', ', $keys).") VALUES (".implode(', ', $values).")";
+ return "INSERT INTO ".$table." (".implode(', ', $keys).") VALUES (".implode(', ', $values).")";
}
// --------------------------------------------------------------------
@@ -552,8 +490,10 @@ class CI_DB_sqlite_driver extends CI_DB {
$orderby = (count($orderby) >= 1)?' ORDER BY '.implode(", ", $orderby):'';
- $sql = "UPDATE ".$this->_escape_table($table)." SET ".implode(', ', $valstr);
+ $sql = "UPDATE ".$table." SET ".implode(', ', $valstr);
+
$sql .= ($where != '' AND count($where) >=1) ? " WHERE ".implode(" ", $where) : '';
+
$sql .= $orderby.$limit;
return $sql;
diff --git a/system/database/drivers/sqlite/sqlite_forge.php b/system/database/drivers/sqlite/sqlite_forge.php
index 631c9c771..2039525be 100644
--- a/system/database/drivers/sqlite/sqlite_forge.php
+++ b/system/database/drivers/sqlite/sqlite_forge.php
@@ -82,7 +82,7 @@ class CI_DB_sqlite_forge extends CI_DB_forge {
$sql .= 'IF NOT EXISTS ';
}
- $sql .= $this->db->_escape_table($table)."(";
+ $sql .= $this->db->_escape_identifiers($table)."(";
$current_field_count = 0;
foreach ($fields as $field=>$attributes)
diff --git a/system/database/drivers/sqlite/sqlite_result.php b/system/database/drivers/sqlite/sqlite_result.php
index 9fbd72556..735a0736a 100644
--- a/system/database/drivers/sqlite/sqlite_result.php
+++ b/system/database/drivers/sqlite/sqlite_result.php
@@ -71,12 +71,6 @@ class CI_DB_sqlite_result extends CI_DB_result {
return $field_names;
}
- // Deprecated
- function field_names()
- {
- return $this->list_fields();
- }
-
// --------------------------------------------------------------------
/**