From d16bab12339fe2746e1ead72ba96351c3423c27c Mon Sep 17 00:00:00 2001
From: Derek Jones <derek.jones@ellislab.com>
Date: Wed, 24 Sep 2008 18:22:03 +0000
Subject: added removal of non-printing characters to escape_str() of drivers
 that do not have native PHP escaping mechanisms

---
 system/database/drivers/mssql/mssql_driver.php | 2 +-
 system/database/drivers/oci8/oci8_driver.php   | 2 +-
 system/database/drivers/odbc/odbc_driver.php   | 2 +-
 user_guide/changelog.html                      | 6 ++++++
 4 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/system/database/drivers/mssql/mssql_driver.php b/system/database/drivers/mssql/mssql_driver.php
index 98c03c56e..5ac90b451 100644
--- a/system/database/drivers/mssql/mssql_driver.php
+++ b/system/database/drivers/mssql/mssql_driver.php
@@ -214,7 +214,7 @@ class CI_DB_mssql_driver extends CI_DB {
 	function escape_str($str)	
 	{	
 		// Escape single quotes
-		return str_replace("'", "''", $str);
+		return str_replace("'", "''", $this->input->_remove_invisible_characters($str));
 	}
 	
 	// --------------------------------------------------------------------
diff --git a/system/database/drivers/oci8/oci8_driver.php b/system/database/drivers/oci8/oci8_driver.php
index d6bc512be..765c3f6c9 100644
--- a/system/database/drivers/oci8/oci8_driver.php
+++ b/system/database/drivers/oci8/oci8_driver.php
@@ -366,7 +366,7 @@ class CI_DB_oci8_driver extends CI_DB {
 	 */
 	function escape_str($str)
 	{
-		return $str;
+		return $this->input->_remove_invisible_characters($str);
 	}
 
 	// --------------------------------------------------------------------
diff --git a/system/database/drivers/odbc/odbc_driver.php b/system/database/drivers/odbc/odbc_driver.php
index 647171696..f89000d83 100644
--- a/system/database/drivers/odbc/odbc_driver.php
+++ b/system/database/drivers/odbc/odbc_driver.php
@@ -235,7 +235,7 @@ class CI_DB_odbc_driver extends CI_DB {
 	function escape_str($str)	
 	{
 		// ODBC doesn't require escaping
-		return $str;
+		return $this->input->_remove_invisible_characters($str);
 	}
 	
 	// --------------------------------------------------------------------
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index bad3d089e..94e41a893 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -74,6 +74,12 @@ SVN Revision: XXXX</p>
 			<li>Changed the output of the profiler to use style attribute rather than clear, and added the id "codeigniter_profiler" to the container div</li>
 		</ul>
 	</li>
+	<li>Database
+		<ul>
+			<li>Added removal of non-printing control characters in escape_str() of DB drivers that do not have native PHP escaping mechanisms (mssql, oci8, odbc), to avoid
+				potential SQL errors, and possible sources of SQL injection.</li>
+		</ul>
+	</li>
 	<li>Helpers
 		<ul>
 			<li>Added several new "setting" functions to the <a href="helpers/form_helper.html">Form helper</a> that allow POST data to be retrieved and set into forms.  These are intended to be used on their own, or with the new <a href="libraries/form_validation.html">Form Validation Class</a>.</li>
-- 
cgit v1.2.3-24-g4f1b