From 9f5316e96ea635a15aa5906bfd2abaea19520970 Mon Sep 17 00:00:00 2001
From: Timothy Warren
Date: Wed, 14 Sep 2011 12:25:14 -0400
Subject: Fixed LIKE statement escaping issues
---
 system/database/drivers/pdo/pdo_driver.php | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/system/database/drivers/pdo/pdo_driver.php b/system/database/drivers/pdo/pdo_driver.php
index 19e069b06..4c911aa6e 100644
--- a/system/database/drivers/pdo/pdo_driver.php
+++ b/system/database/drivers/pdo/pdo_driver.php
@@ -28,6 +28,7 @@
 * @author ExpressionEngine Dev Team
 * @link http://codeigniter.com/user_guide/database/
 */
+
 class CI_DB_pdo_driver extends CI_DB {
 var $dbdriver = 'pdo';
@@ -36,7 +37,7 @@ class CI_DB_pdo_driver extends CI_DB {
 var $_escape_char = '';
 var $_like_escape_str;
 var $_like_escape_chr;
-
+
 /**
 * The syntax to count rows is slightly different across different
@@ -50,7 +51,7 @@ class CI_DB_pdo_driver extends CI_DB {
 function __construct($params)
 {
 parent::__construct($params);
-
+
 // clause and character used for LIKE escape sequences
 if (strpos($this->hostname, 'mysql') !== FALSE)
 {
@@ -67,7 +68,7 @@ class CI_DB_pdo_driver extends CI_DB {
 $this->_like_escape_str = " ESCAPE '%s' ";
 $this->_like_escape_chr = '!';
 }
-
+
 $this->hostname = $this->hostname . ";dbname=".$this->database;
 $this->trans_enabled = FALSE;
@@ -179,7 +180,7 @@ class CI_DB_pdo_driver extends CI_DB {
 {
 $sql = $this->_prep_query($sql);
 $result_id = $this->conn_id->query($sql);
-
+
 if (is_object($result_id))
 {
 $this->affect_rows = $result_id->rowCount();
@@ -188,7 +189,7 @@ class CI_DB_pdo_driver extends CI_DB {
 {
 $this->affect_rows = 0;
 }
-
+
 return $result_id;
 }
@@ -308,16 +309,16 @@ class CI_DB_pdo_driver extends CI_DB {
 return $str;
 }
-
+
 //Escape the string
 $str = $this->conn_id->quote($str);
-
+
 //If there are duplicated quotes, trim them away
 if (strpos($str, "'") === 0)
 {
 $str = substr($str, 1, -1);
 }
-
+
 // escape LIKE condition wildcards
 if ($like === TRUE)
 {
@@ -519,7 +520,7 @@ class CI_DB_pdo_driver extends CI_DB {
 if (strpos($item, '.') !== FALSE)
 {
 $str = $this->_escape_char.str_replace('.', $this->_escape_char.'.'.$this->_escape_char, $item).$this->_escape_char;
-
+
 }
 else
 {
@@ -569,7 +570,7 @@ class CI_DB_pdo_driver extends CI_DB {
 {
 return "INSERT INTO ".$table." (".implode(', ', $keys).") VALUES (".implode(', ', $values).")";
 }
-
+
 // --------------------------------------------------------------------
 /**
@@ -622,7 +623,7 @@ class CI_DB_pdo_driver extends CI_DB {
 return $sql;
 }
-
+
 // --------------------------------------------------------------------
 /**
@@ -764,7 +765,7 @@ class CI_DB_pdo_driver extends CI_DB {
 {
 $sql .= " OFFSET ".$offset;
 }
-
+
 return $sql;
 }
 }
--
cgit v1.2.3-24-g4f1b