Added backticks to column names when using insert_string and update_string. Relates to this bug report: http://codeigniter.com/bug_tracker/bug/4509/

8 files changed, 124 insertions, 19 deletions

diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php
index 1450a0644..b937ffd6a 100644
--- a/system/database/DB_driver.php
+++ b/system/database/DB_driver.php
@@ -911,11 +911,10 @@ class CI_DB_driver {
 		

 		foreach($data as $key => $val)

 		{

-			$fields[] = $key;

+			$fields[] = $this->_escape_column($key);

 			$values[] = $this->escape($val);

 		}

 				

-		

 		return $this->_insert($this->prep_tablename($table), $fields, $values);

 	}	

 	

@@ -940,7 +939,7 @@ class CI_DB_driver {
 		$fields = array();

 		foreach($data as $key => $val)

 		{

-			$fields[$key] = $this->escape($val);

+			$fields[$this->_escape_column($key)] = $this->escape($val);

 		}

 

 		if ( ! is_array($where))

diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php
index 5ac90b451..9a912a320 100644
--- a/system/database/drivers/mssql/mssql_driver.php
+++ b/system/database/drivers/mssql/mssql_driver.php
@@ -390,7 +390,24 @@ class CI_DB_mssql_driver extends CI_DB {
 		// Are error numbers supported?

 		return '';

 	}

-	

+

+	// --------------------------------------------------------------------

+

+	/**

+	 * Escape Column Name

+	 *

+	 * This function adds backticks around supplied column name

+	 *

+	 * @access	private

+	 * @param	string	the column name

+	 * @return	string

+	 */

+	function _escape_column($column)

+	{

+		// Not necessary with MS SQL so we simply return the value

+		return $column;

+	}

+

 	// --------------------------------------------------------------------

 

 	/**

@@ -405,15 +422,7 @@ class CI_DB_mssql_driver extends CI_DB {
 	 */

 	function _escape_table($table)

 	{

-		// I don't believe this is necessary with MS SQL.  Not sure, though. - Rick

-	

-		/*

-		if (strpos($table, '.') !== FALSE)

-		{

-			$table = '"' . str_replace('.', '"."', $table) . '"';

-		}

-		*/

-		

+		// Not necessary with MS SQL so we simply return the value

 		return $table;

 	}	

 	

diff --git a/system/database/drivers/mysql/mysql_driver.php b/system/database/drivers/mysql/mysql_driver.php
index 9d9b6512b..de372e669 100644
--- a/system/database/drivers/mysql/mysql_driver.php
+++ b/system/database/drivers/mysql/mysql_driver.php
@@ -398,6 +398,22 @@ class CI_DB_mysql_driver extends CI_DB {
 	{

 		return mysql_errno($this->conn_id);

 	}

+

+	// --------------------------------------------------------------------

+

+	/**

+	 * Escape Column Name

+	 *

+	 * This function adds backticks around supplied column name

+	 *

+	 * @access	private

+	 * @param	string	the column name

+	 * @return	string

+	 */

+	function _escape_column($column)

+	{

+		return '`' .$column. '`';

+	}

 	

 	// --------------------------------------------------------------------

 

diff --git a/system/database/drivers/mysqli/mysqli_driver.php b/system/database/drivers/mysqli/mysqli_driver.php
index cd683dfe7..35a7fc077 100644
--- a/system/database/drivers/mysqli/mysqli_driver.php
+++ b/system/database/drivers/mysqli/mysqli_driver.php
@@ -394,6 +394,22 @@ class CI_DB_mysqli_driver extends CI_DB {
 	{

 		return mysqli_errno($this->conn_id);

 	}

+

+	// --------------------------------------------------------------------

+

+	/**

+	 * Escape Column Name

+	 *

+	 * This function adds backticks around supplied column name

+	 *

+	 * @access	private

+	 * @param	string	the column name

+	 * @return	string

+	 */

+	function _escape_column($column)

+	{

+		return '`' .$column. '`';

+	}

 	

 	// --------------------------------------------------------------------

 

diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php
index 765c3f6c9..b45b00326 100644
--- a/system/database/drivers/oci8/oci8_driver.php
+++ b/system/database/drivers/oci8/oci8_driver.php
@@ -506,6 +506,23 @@ class CI_DB_oci8_driver extends CI_DB {
 		$error = ocierror($this->conn_id);

 		return $error['code'];

 	}

+	

+	// --------------------------------------------------------------------

+

+	/**

+	 * Escape Column Name

+	 *

+	 * This function adds backticks around supplied column name

+	 *

+	 * @access	private

+	 * @param	string	the column name

+	 * @return	string

+	 */

+	function _escape_column($column)

+	{

+		// Probably not necessary with Oracle so we simply return the value

+		return $column;

+	}

 

 	// --------------------------------------------------------------------

 

diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php
index f89000d83..ed8f81cb9 100644
--- a/system/database/drivers/odbc/odbc_driver.php
+++ b/system/database/drivers/odbc/odbc_driver.php
@@ -371,7 +371,23 @@ class CI_DB_odbc_driver extends CI_DB {
 	{

 		return odbc_error($this->conn_id);

 	}

-	

+	// --------------------------------------------------------------------

+

+	/**

+	 * Escape Column Name

+	 *

+	 * This function adds backticks around supplied column name

+	 *

+	 * @access	private

+	 * @param	string	the column name

+	 * @return	string

+	 */

+	function _escape_column($column)

+	{

+		// Not necessary with ODBC so we simply return the value

+		return $column;

+	}

+

 	// --------------------------------------------------------------------

 

 	/**

@@ -386,9 +402,9 @@ class CI_DB_odbc_driver extends CI_DB {
 	 */

 	function _escape_table($table)

 	{

-		// used to add backticks in other db drivers		

+		// Not necessary with ODBC so we simply return the value

 		return $table;

-	}

+	}	

 		

 	// --------------------------------------------------------------------

 

diff --git a/system/database/drivers/postgre/postgre_driver.php b/system/database/drivers/postgre/postgre_driver.php
index 7574ded13..3d006d3d6 100644
--- a/system/database/drivers/postgre/postgre_driver.php
+++ b/system/database/drivers/postgre/postgre_driver.php
@@ -391,7 +391,23 @@ class CI_DB_postgre_driver extends CI_DB {
 	{

 		return '';

 	}

-	

+	// --------------------------------------------------------------------

+

+	/**

+	 * Escape Column Name

+	 *

+	 * This function adds backticks around supplied column name

+	 *

+	 * @access	private

+	 * @param	string	the column name

+	 * @return	string

+	 */

+	function _escape_column($column)

+	{

+		// Probably not necessary with Postgres so we simply return the value

+		return $column;

+	}

+

 	// --------------------------------------------------------------------

 

 	/**

diff --git a/system/database/drivers/sqlite/sqlite_driver.php b/system/database/drivers/sqlite/sqlite_driver.php
index 5cac04dfa..46e0fae49 100644
--- a/system/database/drivers/sqlite/sqlite_driver.php
+++ b/system/database/drivers/sqlite/sqlite_driver.php
@@ -387,7 +387,24 @@ class CI_DB_sqlite_driver extends CI_DB {
 	{

 		return sqlite_last_error($this->conn_id);

 	}

-		

+

+	// --------------------------------------------------------------------

+

+	/**

+	 * Escape Column Name

+	 *

+	 * This function adds backticks around supplied column name

+	 *

+	 * @access	private

+	 * @param	string	the column name

+	 * @return	string

+	 */

+	function _escape_column($column)

+	{

+		// Not necessary with SQLite so we simply return the value

+		return $column;

+	}

+			

 	// --------------------------------------------------------------------

 

 	/**

@@ -402,7 +419,6 @@ class CI_DB_sqlite_driver extends CI_DB {
 	 */

 	function _escape_table($table)

 	{

-

 		// other database drivers use this to add backticks, hence this

 		// function is simply going to return the tablename for sqlite		

 		return $table;