From e9f2095056a579bad9bf2ad80116cc8454f6520e Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Fri, 6 Apr 2012 19:30:41 +0300 Subject: Fix PDO field and table escaping --- system/database/drivers/pdo/pdo_driver.php | 70 ++++++++---------------------- 1 file changed, 18 insertions(+), 52 deletions(-) diff --git a/system/database/drivers/pdo/pdo_driver.php b/system/database/drivers/pdo/pdo_driver.php index aec39c819..bd9eddee3 100644 --- a/system/database/drivers/pdo/pdo_driver.php +++ b/system/database/drivers/pdo/pdo_driver.php @@ -46,8 +46,8 @@ class CI_DB_pdo_driver extends CI_DB { protected $_escape_char = ''; // clause and character used for LIKE escape sequences - protected $_like_escape_str; - protected $_like_escape_chr; + protected $_like_escape_str = " ESCAPE '%s' "; + protected $_like_escape_chr = '!'; /** * The syntax to count rows is slightly different across different @@ -81,18 +81,17 @@ class CI_DB_pdo_driver extends CI_DB { // this one depends on the driver being used if ($this->pdodriver == 'mysql') { + $this->_escape_char = '`'; $this->_like_escape_str = ''; $this->_like_escape_chr = ''; } elseif ($this->pdodriver == 'odbc') { $this->_like_escape_str = " {escape '%s'} "; - $this->_like_escape_chr = '!'; } - else + elseif ( ! in_array($this->pdodriver, array('sqlsrv', 'mssql', 'dblib', 'sybase'))) { - $this->_like_escape_str = " ESCAPE '%s' "; - $this->_like_escape_chr = '!'; + $this->_escape_char = '"'; } $this->trans_enabled = FALSE; @@ -268,8 +267,6 @@ class CI_DB_pdo_driver extends CI_DB { */ protected function _execute($sql) { - $sql = $this->_prep_query($sql); - $result_id = $this->conn_id->query($sql); if (is_object($result_id)) @@ -286,32 +283,6 @@ class CI_DB_pdo_driver extends CI_DB { // -------------------------------------------------------------------- - /** - * Prep the query - * - * If needed, each database adapter can prep the query string - * - * @param string an SQL query - * @return string - */ - protected function _prep_query($sql) - { - if ($this->pdodriver === 'pgsql') - { - // Change the backtick(s) for Postgre - $sql = str_replace('`', '"', $sql); - } - elseif ($this->pdodriver === 'sqlite') - { - // Change the backtick(s) for SQLite - $sql = str_replace('`', '', $sql); - } - - return $sql; - } - - // -------------------------------------------------------------------- - /** * Begin Transaction * @@ -516,7 +487,7 @@ class CI_DB_pdo_driver extends CI_DB { } else { - $sql = "SHOW TABLES FROM `".$this->database."`"; + $sql = 'SHOW TABLES FROM '.$this->_escape_identifiers($this->database); } if ($prefix_limit !== FALSE AND $this->dbprefix != '') @@ -539,7 +510,7 @@ class CI_DB_pdo_driver extends CI_DB { */ protected function _list_columns($table = '') { - return 'SHOW COLUMNS FROM '.$this->_from_tables($table); + return 'SHOW COLUMNS FROM '.$this->_escape_identifiers($table); } // -------------------------------------------------------------------- @@ -557,20 +528,20 @@ class CI_DB_pdo_driver extends CI_DB { if ($this->pdodriver == 'mysql' or $this->pdodriver == 'pgsql') { // Analog function for mysql and postgre - return 'SELECT * FROM '.$this->_from_tables($table).' LIMIT 1'; + return 'SELECT * FROM '.$this->_escape_identifiers($table).' LIMIT 1'; } elseif ($this->pdodriver == 'oci') { // Analog function for oci - return 'SELECT * FROM '.$this->_from_tables($table).' WHERE ROWNUM <= 1'; + return 'SELECT * FROM '.$this->_escape_identifiers($table).' WHERE ROWNUM <= 1'; } elseif ($this->pdodriver == 'sqlite') { // Analog function for sqlite - return 'PRAGMA table_info('.$this->_from_tables($table).')'; + return 'PRAGMA table_info('.$this->_escape_identifiers($table).')'; } - return 'SELECT TOP 1 FROM '.$this->_from_tables($table); + return 'SELECT TOP 1 FROM '.$this->_escape_identifiers($table); } // -------------------------------------------------------------------- @@ -623,25 +594,20 @@ class CI_DB_pdo_driver extends CI_DB { { if (strpos($item, '.'.$id) !== FALSE) { - $str = $this->_escape_char. str_replace('.', $this->_escape_char.'.', $item); + $item = str_replace('.', $this->_escape_char.'.', $item); // remove duplicates if the user already included the escape - return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $str); + return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $this->_escape_char.$item); } } if (strpos($item, '.') !== FALSE) { - $str = $this->_escape_char.str_replace('.', $this->_escape_char.'.'.$this->_escape_char, $item); - $str .= $this->_escape_char; - } - else - { - $str = $this->_escape_char.$item.$this->_escape_char; + $item = str_replace('.', $this->_escape_char.'.'.$this->_escape_char, $item); } // remove duplicates if the user already included the escape - return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $str); + return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $this->_escape_char.$item.$this->_escape_char); } // -------------------------------------------------------------------- @@ -662,7 +628,7 @@ class CI_DB_pdo_driver extends CI_DB { $tables = array($tables); } - return (count($tables) == 1) ? '`'.$tables[0].'`' : '('.implode(', ', $tables).')'; + return (count($tables) === 1) ? $tables[0] : '('.implode(', ', $tables).')'; } // -------------------------------------------------------------------- @@ -695,7 +661,7 @@ class CI_DB_pdo_driver extends CI_DB { } } - $sql = 'UPDATE '.$this->_from_tables($table).' SET '; + $sql = 'UPDATE '.$table.' SET '; $cases = ''; foreach ($final as $k => $v) @@ -765,7 +731,7 @@ class CI_DB_pdo_driver extends CI_DB { $limit = ( ! $limit) ? '' : ' LIMIT '.$limit; - return 'DELETE FROM '.$this->_from_tables($table).$conditions.$limit; + return 'DELETE FROM '.$table.$conditions.$limit; } // -------------------------------------------------------------------- -- cgit v1.2.3-24-g4f1b