From e4ed583067095144eb20aefc61d4499d8386532a Mon Sep 17 00:00:00 2001
From: Derek Jones <derek.jones@ellislab.com>
Date: Fri, 20 Feb 2009 21:44:59 +0000
Subject: added LIKE condition escaping to all drivers and Active Record
 updated all DB drivers to accept arrays in escape_str()

---
 system/database/drivers/mysql/mysql_driver.php | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

(limited to 'system/database/drivers/mysql')

diff --git a/system/database/drivers/mysql/mysql_driver.php b/system/database/drivers/mysql/mysql_driver.php
index a0cdb58af..5b2ba62b8 100644
--- a/system/database/drivers/mysql/mysql_driver.php
+++ b/system/database/drivers/mysql/mysql_driver.php
@@ -34,7 +34,11 @@ class CI_DB_mysql_driver extends CI_DB {
 
 	// The character used for escaping
 	var	$_escape_char = '`';
-	
+
+	// clause and character used for LIKE escape sequences - not used in MySQL
+	var $_like_escape_str = '';
+	var $_like_escape_chr = '';
+
 	/**
 	 * Whether to use the MySQL "delete hack" which allows the number
 	 * of affected rows to be shown. Uses a preg_replace when enabled,
@@ -256,15 +260,16 @@ class CI_DB_mysql_driver extends CI_DB {
 	 *
 	 * @access	public
 	 * @param	string
+	 * @param	bool	whether or not the string will be used in a LIKE condition
 	 * @return	string
 	 */
-	function escape_str($str)	
+	function escape_str($str, $like = FALSE)	
 	{	
 		if (is_array($str))
 		{
 			foreach($str as $key => $val)
 	   		{
-				$str[$key] = $this->escape_str($val);
+				$str[$key] = $this->escape_str($val, $like);
 	   		}
    		
 	   		return $str;
@@ -272,16 +277,24 @@ class CI_DB_mysql_driver extends CI_DB {
 
 		if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id))
 		{
-			return mysql_real_escape_string($str, $this->conn_id);
+			$str = mysql_real_escape_string($str, $this->conn_id);
 		}
 		elseif (function_exists('mysql_escape_string'))
 		{
-			return mysql_escape_string($str);
+			$str = mysql_escape_string($str);
 		}
 		else
 		{
-			return addslashes($str);
+			$str = addslashes($str);
 		}
+		
+		// escape LIKE condition wildcards
+		if ($like === TRUE)
+		{
+			$str = str_replace(array('%', '_'), array('\\%', '\\_'), $str);
+		}
+		
+		return $str;
 	}
 		
 	// --------------------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b