Merge pull request #3277 from clawoo/develop

Escape arrays sent as binding values for database queries.
author: Andrey Andreev <narf@devilix.net> 2014-10-22 22:46:38 +0200
committer: Andrey Andreev <narf@devilix.net> 2014-10-22 22:46:38 +0200
commit: aff2fdc8c69c9257422ca325d2018a347309b0b9 (patch)
tree: 57c44ecdfe94d192aeb44f9e7ee93e34e50d0da4 /system
parent: 2b2288dc1ddeb030eb43734683ab3586ac826189 (diff)
parent: 1db369f77a158d72fcb7fe44f84efcfe9ac2f0d7 (diff)
1 files changed, 12 insertions, 2 deletions
diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php
index 62cea758e..fc1d9566c 100644
--- a/system/database/DB_driver.php
+++ b/system/database/DB_driver.php
@@ -922,7 +922,12 @@ abstract class CI_DB_driver {
 		do
 		{
 			$c--;
-			$sql = substr_replace($sql, $this->escape($binds[$c]), $matches[0][$c][1], $ml);
+			$escaped_value = $this->escape($binds[$c]);
+			if (is_array($escaped_value))
+			{
+				$escaped_value = '('.implode(',', $escaped_value).')';
+			}
+			$sql = substr_replace($sql, $escaped_value, $matches[0][$c][1], $ml);
 		}
 		while ($c !== 0);
 
@@ -992,7 +997,12 @@ abstract class CI_DB_driver {
 	 */
 	public function escape($str)
 	{
-		if (is_string($str) OR (is_object($str) && method_exists($str, '__toString')))
+		if (is_array($str))
+		{
+			$str = array_map(array(&$this, 'escape'), $str);
+			return $str;
+		}
+		elseif (is_string($str) OR (is_object($str) && method_exists($str, '__toString')))
 		{
 			return "'".$this->escape_str($str)."'";
 		}
author	Andrey Andreev <narf@devilix.net>	2014-10-22 22:46:38 +0200
committer	Andrey Andreev <narf@devilix.net>	2014-10-22 22:46:38 +0200
commit	aff2fdc8c69c9257422ca325d2018a347309b0b9 (patch)
tree	57c44ecdfe94d192aeb44f9e7ee93e34e50d0da4 /system
parent	2b2288dc1ddeb030eb43734683ab3586ac826189 (diff)
parent	1db369f77a158d72fcb7fe44f84efcfe9ac2f0d7 (diff)