From 43afc71b777b00cfc2638add6fa3c47d333c5e04 Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Mon, 20 Jul 2015 12:32:02 +0300 Subject: Fix an internal bug in QB where() escaping This is not a supported use case, but if QB escaping is force-disabled, string values passed to where() or having() aren't escaped. That's wrong because escape-disabling should only be possible for identifiers and not values. Reported via the forums: http://forum.codeigniter.com/thread-62478.html --- system/database/DB_query_builder.php | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'system') diff --git a/system/database/DB_query_builder.php b/system/database/DB_query_builder.php index a8b5b3579..8d21c5a1d 100644 --- a/system/database/DB_query_builder.php +++ b/system/database/DB_query_builder.php @@ -657,10 +657,7 @@ abstract class CI_DB_query_builder extends CI_DB_driver { if ($v !== NULL) { - if ($escape === TRUE) - { - $v = ' '.$this->escape($v); - } + $v = ' '.$this->escape($v); if ( ! $this->_has_operator($k)) { -- cgit v1.2.3-24-g4f1b