From dc46d99fe8ab2058df15c6a7608e5ae41ffffb2b Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@bofh.bg>
Date: Sat, 24 Sep 2011 16:25:23 +0300
Subject: Escape WHERE clause field names in the DB update_string() method

---
 system/database/DB_driver.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'system/database')

diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php
index 300ca2977..12c0530c5 100644
--- a/system/database/DB_driver.php
+++ b/system/database/DB_driver.php
@@ -950,6 +950,7 @@ class CI_DB_driver {
 			foreach ($where as $key => $val)
 			{
 				$prefix = (count($dest) == 0) ? '' : ' AND ';
+				$key = $this->_protect_identifiers($key);
 
 				if ($val !== '')
 				{
@@ -1390,4 +1391,4 @@ class CI_DB_driver {
 
 
 /* End of file DB_driver.php */
-/* Location: ./system/database/DB_driver.php */
\ No newline at end of file
+/* Location: ./system/database/DB_driver.php */
-- 
cgit v1.2.3-24-g4f1b