From 43afc71b777b00cfc2638add6fa3c47d333c5e04 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Mon, 20 Jul 2015 12:32:02 +0300
Subject: Fix an internal bug in QB where() escaping

This is not a supported use case, but if QB escaping is force-disabled,
string values passed to where() or having() aren't escaped. That's wrong
because escape-disabling should only be possible for identifiers and not
values.

Reported via the forums: http://forum.codeigniter.com/thread-62478.html
---
 system/database/DB_query_builder.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

(limited to 'system/database')

diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php
index a8b5b3579..8d21c5a1d 100644
--- a/system/database/DB_query_builder.php
+++ b/system/database/DB_query_builder.php
@@ -657,10 +657,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver {
 
 			if ($v !== NULL)
 			{
-				if ($escape === TRUE)
-				{
-					$v = ' '.$this->escape($v);
-				}
+				$v = ' '.$this->escape($v);
 
 				if ( ! $this->_has_operator($k))
 				{
-- 
cgit v1.2.3-24-g4f1b