Merge pull request #486 from narfbg/ci-issue-60
Fix issues #60 (possible MIME-type injection) and #394
diff --git a/application/config/database.php b/application/config/database.php
index b4b34bf..5a84a47 100644
--- a/application/config/database.php
+++ b/application/config/database.php
@@ -17,7 +17,7 @@
| ['password'] The password used to connect to the database
| ['database'] The name of the database you want to connect to
| ['dbdriver'] The database type. ie: mysql. Currently supported:
- mysql, mysqli, postgre, odbc, mssql, sqlite, oci8
+ mysql, mysqli, pdo, postgre, odbc, mssql, sqlite, oci8
| ['dbprefix'] You can add an optional prefix, which will be added
| to the table name when using the Active Record class
| ['pconnect'] TRUE/FALSE - Whether to use a persistent connection
diff --git a/application/config/foreign_chars.php b/application/config/foreign_chars.php
index 14b0d73..0b037d5 100644
--- a/application/config/foreign_chars.php
+++ b/application/config/foreign_chars.php
@@ -18,8 +18,8 @@
'/à|á|â|ã|å|ǻ|ā|ă|ą|ǎ|ª/' => 'a',
'/Ç|Ć|Ĉ|Ċ|Č/' => 'C',
'/ç|ć|ĉ|ċ|č/' => 'c',
- '/Ð|Ď|Đ/' => 'D',
- '/ð|ď|đ/' => 'd',
+ '/Ð|Ď|Đ/' => 'Dj',
+ '/ð|ď|đ/' => 'dj',
'/È|É|Ê|Ë|Ē|Ĕ|Ė|Ę|Ě/' => 'E',
'/è|é|ê|ë|ē|ĕ|ė|ę|ě/' => 'e',
'/Ĝ|Ğ|Ġ|Ģ/' => 'G',
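Review bot: The new `'Dj'`/`'dj'` replacement is applied to the whole `Ð|Ď|Đ` group, but only Đ/đ is conventionally written "Dj"; Ð (eth) and Ď (d-caron) are normally reduced to a plain `D`. Splitting the entry, e.g. `'/Ð|Ď/' => 'D'` and `'/Đ/' => 'Dj'` (same for lower case), would keep the fix for Đ without changing the other two. The change also alters the output for any already-stored value that was derived from this table, which is worth a line in the changelog.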
diff --git a/application/errors/error_404.php b/application/errors/error_404.php
index 792726a..bddee6c 100644
--- a/application/errors/error_404.php
+++ b/application/errors/error_404.php
@@ -1,6 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head>
+<meta charset="utf-8">
<title>404 Page Not Found</title>
<style type="text/css">
diff --git a/application/errors/error_db.php b/application/errors/error_db.php
index b396cda..bc7c447 100644
--- a/application/errors/error_db.php
+++ b/application/errors/error_db.php
@@ -1,6 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head>
+<meta charset="utf-8">
<title>Database Error</title>
<style type="text/css">
diff --git a/application/errors/error_general.php b/application/errors/error_general.php
index fd63ce2..8b37462 100644
--- a/application/errors/error_general.php
+++ b/application/errors/error_general.php
@@ -1,6 +1,7 @@
<!DOCTYPE html>
<html lang="en">
<head>
+<meta charset="utf-8">
<title>Error</title>
<style type="text/css">
diff --git a/system/core/Security.php b/system/core/Security.php
index 84ecb06..65338ce 100755
--- a/system/core/Security.php
+++ b/system/core/Security.php
@@ -33,7 +33,7 @@
* @access protected
*/
protected $_xss_hash = '';
-
+
/**
* Random Hash for Cross Site Request Forgery Protection Cookie
*
@@ -41,7 +41,7 @@
* @access protected
*/
protected $_csrf_hash = '';
-
+
/**
* Expiration time for Cross Site Request Forgery Protection Cookie
* Defaults to two hours (in seconds)
@@ -50,7 +50,7 @@
* @access protected
*/
protected $_csrf_expire = 7200;
-
+
/**
* Token name for Cross Site Request Forgery Protection Cookie
*
@@ -58,7 +58,7 @@
* @access protected
*/
protected $_csrf_token_name = 'ci_csrf_token';
-
+
/**
* Cookie name for Cross Site Request Forgery Protection Cookie
*
@@ -66,14 +66,14 @@
* @access protected
*/
protected $_csrf_cookie_name = 'ci_csrf_token';
-
+
/**
* List of never allowed strings
*
* @var array
* @access protected
*/
-
+
protected $_never_allowed_str = array(
'document.cookie' => '[removed]',
'document.write' => '[removed]',
@@ -139,7 +139,7 @@
{
return $this->csrf_set_cookie();
}
-
+
// Check if URI has been whitelisted from CSRF checks
if ($exclude_uris = config_item('csrf_exclude_uris'))
{
@@ -172,9 +172,9 @@
$this->_csrf_hash = '';
$this->_csrf_set_hash();
$this->csrf_set_cookie();
-
+
log_message('debug', "CSRF token verified");
-
+
return $this;
}
@@ -188,7 +188,7 @@
public function csrf_set_cookie()
{
$expire = time() + $this->_csrf_expire;
- $secure_cookie = (config_item('cookie_secure') === TRUE) ? 1 : 0;
+ $secure_cookie = (bool) config_item('cookie_secure');
if ($secure_cookie)
{
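Review bot: `(bool) config_item('cookie_secure')` is true for any non-empty string except `'0'`, so a config value written as the string `'false'` or `'off'` now takes the secure-cookie branch, where the old `=== TRUE` test did not. That errs on the strict side, but it is a silent behaviour change; a comment at the assignment such as `// any truthy value enables the secure-cookie check; set cookie_secure to boolean TRUE/FALSE` would make the contract explicit. The rest of csrf_set_cookie() lies outside this hunk, so the effect of the branch itself cannot be checked here.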
@@ -385,16 +385,11 @@
foreach ($words as $word)
{
- $temp = '';
-
- for ($i = 0, $wordlen = strlen($word); $i < $wordlen; $i++)
- {
- $temp .= substr($word, $i, 1)."\s*";
- }
+ $word = implode("\s*", str_split($word)) . "\s*";
// We only want to do this when it is followed by a non-word character
// That way valid stuff like "dealer to" does not become "dealerto"
- $str = preg_replace_callback('#('.substr($temp, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str);
+ $str = preg_replace_callback('#('.substr($word, 0, -3).')(\W)#is', array($this, '_compact_exploded_words'), $str);
}
/*
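Review bot: The `"\s*"` appended on the new line is stripped again by `substr($word, 0, -3)` in the next statement, so the append/strip pair is leftover from the removed loop; using `implode('\s*', str_split($word))` directly in the pattern says the same thing. The assignment also overwrites the loop variable `$word`, and its characters enter the pattern without `preg_quote()`, which is safe only while `$words` (defined outside this hunk) remains a fixed list of plain identifiers. A one-line comment stating that assumption, or a `preg_quote()` per character, would keep a later addition to the list from silently changing the regex.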
@@ -473,7 +468,7 @@
if ($is_image === TRUE)
{
- return ($str == $converted_string) ? TRUE: FALSE;
+ return ($str === $converted_string) ? TRUE : FALSE;
}
log_message('debug', "XSS Filtering completed");
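Review bot: The ternary around the now-strict comparison is redundant, since `===` already yields a boolean; `return ($str === $converted_string);` is equivalent and easier to read. A short comment that the image check reports TRUE only when the filter changed nothing at all would document why strict comparison matters here. The enclosing function starts and ends outside the hunk.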
@@ -513,26 +508,17 @@
*
* This function is a replacement for html_entity_decode()
*
- * In some versions of PHP the native function does not work
- * when UTF-8 is the specified character set, so this gives us
- * a work-around. More info here:
- * http://bugs.php.net/bug.php?id=25670
- *
- * NOTE: html_entity_decode() has a bug in some PHP versions when UTF-8 is the
- * character set, and the PHP developers said they were not back porting the
- * fix to versions other than PHP 5.x.
- *
* @param string
* @param string
* @return string
*/
public function entity_decode($str, $charset = NULL)
{
- if (stristr($str, '&') === FALSE)
+ if (strpos($str, '&') === FALSE)
{
return $str;
}
-
+
if (empty($charset))
{
$charset = config_item('charset');
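Review bot: With the PHP-bug rationale removed, the docblock says only that this is "a replacement for html_entity_decode()" and no longer states what it does differently, and the two `@param string` tags carry neither names nor meaning. Suggested wording: one sentence that the method also decodes numeric entities written without a trailing semicolon, plus `@param string $str text that may contain HTML entities` and `@param string $charset character set, defaults to the configured 'charset' item`. The function body continues in the next hunk.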
@@ -543,26 +529,9 @@
// at the end of an entity most browsers will still interpret the entity
// correctly. html_entity_decode() does not convert entities without
// semicolons, so we are left with our own little solution here. Bummer.
-
- if (function_exists('html_entity_decode') &&
- (strtolower($charset) != 'utf-8'))
- {
- $str = html_entity_decode($str, ENT_COMPAT, $charset);
- $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
- return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
- }
-
- // Numeric Entities
- $str = preg_replace('~&#x(0*[0-9a-f]{2,5});{0,1}~ei', 'chr(hexdec("\\1"))', $str);
- $str = preg_replace('~&#([0-9]{2,4});{0,1}~e', 'chr(\\1)', $str);
-
- // Literal Entities - Slightly slow so we do another check
- if (stristr($str, '&') === FALSE)
- {
- $str = strtr($str, array_flip(get_html_translation_table(HTML_ENTITIES)));
- }
-
- return $str;
+ $str = html_entity_decode($str, ENT_COMPAT, $charset);
+ $str = preg_replace('~&#x(0*[0-9a-f]{2,5})~ei', 'chr(hexdec("\\1"))', $str);
+ return preg_replace('~&#([0-9]{2,4})~e', 'chr(\\1)', $str);
}
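Review bot: The two `preg_replace()` calls that remain still use the `e` modifier, which evaluates the replacement as PHP code; it is deprecated since PHP 5.5 and removed in PHP 7, and it has no place in the class that implements the XSS filter even though these capture groups are limited to hex and decimal digits. They should become `preg_replace_callback()` calls with named methods, the same way `_compact_exploded_words` is already used in this file. Separately, `chr()` wraps values above 255, so entities for larger code points decode to unrelated single bytes; that predates this commit but is now the only numeric-entity path.

```php
	$str = html_entity_decode($str, ENT_COMPAT, $charset);
	$str = preg_replace_callback('~&#x(0*[0-9a-f]{2,5})~i', array($this, '_decode_hex_entity'), $str);
	return preg_replace_callback('~&#([0-9]{2,4})~', array($this, '_decode_dec_entity'), $str);
}

// Proposed helpers (names are suggestions); each receives the match array
protected function _decode_hex_entity($match)
{
	return chr(hexdec($match[1]));
}

protected function _decode_dec_entity($match)
{
	return chr((int) $match[1]);
}
```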
// --------------------------------------------------------------------
@@ -896,4 +865,4 @@
}
/* End of file Security.php */
-/* Location: ./system/libraries/Security.php */
\ No newline at end of file
+/* Location: ./system/core/Security.php */
diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php
index 17649f7..237a4fc 100644
--- a/system/database/DB_driver.php
+++ b/system/database/DB_driver.php
@@ -218,7 +218,7 @@
// Some DBs have functions that return the version, and don't run special
// SQL queries per se. In these instances, just return the result.
- $driver_version_exceptions = array('oci8', 'sqlite', 'cubrid');
+ $driver_version_exceptions = array('oci8', 'sqlite', 'cubrid', 'pdo');
if (in_array($this->dbdriver, $driver_version_exceptions))
{
diff --git a/system/database/drivers/pdo/index.html b/system/database/drivers/pdo/index.html
new file mode 100644
index 0000000..c942a79
--- /dev/null
+++ b/system/database/drivers/pdo/index.html
@@ -0,0 +1,10 @@
+<html>
+<head>
+ <title>403 Forbidden</title>
+</head>
+<body>
+
+<p>Directory access is forbidden.</p>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/system/database/drivers/pdo/pdo_driver.php b/system/database/drivers/pdo/pdo_driver.php
new file mode 100644
index 0000000..c5a215b
--- /dev/null
+++ b/system/database/drivers/pdo/pdo_driver.php
@@ -0,0 +1,691 @@
+<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
+/**
+ * CodeIgniter
+ *
+ * An open source application development framework for PHP 5.1.6 or newer
+ *
+ * @package CodeIgniter
+ * @author ExpressionEngine Dev Team
+ * @copyright Copyright (c) 2008 - 2011, EllisLab, Inc.
+ * @license http://codeigniter.com/user_guide/license.html
+ * @link http://codeigniter.com
+ * @since Version 2.1.0
+ * @filesource
+ */
+
+// ------------------------------------------------------------------------
+
+/**
+ * PDO Database Adapter Class
+ *
+ * Note: _DB is an extender class that the app controller
+ * creates dynamically based on whether the active record
+ * class is being used or not.
+ *
+ * @package CodeIgniter
+ * @subpackage Drivers
+ * @category Database
+ * @author ExpressionEngine Dev Team
+ * @link http://codeigniter.com/user_guide/database/
+ */
+class CI_DB_pdo_driver extends CI_DB {
+
+ var $dbdriver = 'pdo';
+
+ // the character used to excape - not necessary for PDO
+ var $_escape_char = '';
+ var $_like_escape_str;
+ var $_like_escape_chr;
+
+
+ /**
+ * The syntax to count rows is slightly different across different
+ * database engines, so this string appears in each driver and is
+ * used for the count_all() and count_all_results() functions.
+ */
+ var $_count_string = "SELECT COUNT(*) AS ";
+ var $_random_keyword;
+
+
+ function __construct($params)
+ {
+ parent::CI_DB($params);
+
+ // clause and character used for LIKE escape sequences
+ if(strpos($this->hostname, 'mysql') !== FALSE)
+ {
+ $this->_like_escape_str = '';
+ $this->_like_escape_chr = '';
+ }
+ else if(strpos($this->hostname, 'odbc') !== FALSE)
+ {
+ $this->_like_escape_str = " {escape '%s'} ";
+ $this->_like_escape_chr = '!';
+ }
+ else
+ {
+ $this->_like_escape_str = " ESCAPE '%s' ";
+ $this->_like_escape_chr = '!';
+ }
+
+ $this->hostname = $this->hostname . ";dbname=".$this->database;
+ $this->trans_enabled = FALSE;
+
+ $this->_random_keyword = ' RND('.time().')'; // database specific random keyword
+ }
+
+ /**
+ * Non-persistent database connection
+ *
+ * @access private called by the base class
+ * @return resource
+ */
+ function db_connect()
+ {
+ return new PDO($this->hostname,$this->username,$this->password, array(
+ PDO::ATTR_ERRMODE => PDO::ERRMODE_SILENT
+ ));
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Persistent database connection
+ *
+ * @access private called by the base class
+ * @return resource
+ */
+ function db_pconnect()
+ {
+ return new PDO($this->hostname,$this->username,$this->password, array(
+ PDO::ATTR_ERRMODE => PDO::ERRMODE_SILENT,
+ PDO::ATTR_PERSISTENT => true
+ ));
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Reconnect
+ *
+ * Keep / reestablish the db connection if no queries have been
+ * sent for a length of time exceeding the server's idle timeout
+ *
+ * @access public
+ * @return void
+ */
+ function reconnect()
+ {
+ if ($this->db->db_debug)
+ {
+ return $this->db->display_error('db_unsuported_feature');
+ }
+ return FALSE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Select the database
+ *
+ * @access private called by the base class
+ * @return resource
+ */
+ function db_select()
+ {
+ // Not needed for PDO
+ return TRUE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Set client character set
+ *
+ * @access public
+ * @param string
+ * @param string
+ * @return resource
+ */
+ function db_set_charset($charset, $collation)
+ {
+ // @todo - add support if needed
+ return TRUE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Version number query string
+ *
+ * @access public
+ * @return string
+ */
+ function _version()
+ {
+ return $this->conn_id->getAttribute(PDO::ATTR_CLIENT_VERSION);
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Execute the query
+ *
+ * @access private called by the base class
+ * @param string an SQL query
+ * @return object
+ */
+ function _execute($sql)
+ {
+ $sql = $this->_prep_query($sql);
+ $result_id = $this->conn_id->query($sql);
+
+ $this->affect_rows = $result_id->rowCount();
+
+ return $result_id;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Prep the query
+ *
+ * If needed, each database adapter can prep the query string
+ *
+ * @access private called by execute()
+ * @param string an SQL query
+ * @return string
+ */
+ function _prep_query($sql)
+ {
+ return $sql;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Begin Transaction
+ *
+ * @access public
+ * @return bool
+ */
+ function trans_begin($test_mode = FALSE)
+ {
+ if ( ! $this->trans_enabled)
+ {
+ return TRUE;
+ }
+
+ // When transactions are nested we only begin/commit/rollback the outermost ones
+ if ($this->_trans_depth > 0)
+ {
+ return TRUE;
+ }
+
+ // Reset the transaction failure flag.
+ // If the $test_mode flag is set to TRUE transactions will be rolled back
+ // even if the queries produce a successful result.
+ $this->_trans_failure = ($test_mode === TRUE) ? TRUE : FALSE;
+
+ return $this->conn_id->beginTransaction();
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Commit Transaction
+ *
+ * @access public
+ * @return bool
+ */
+ function trans_commit()
+ {
+ if ( ! $this->trans_enabled)
+ {
+ return TRUE;
+ }
+
+ // When transactions are nested we only begin/commit/rollback the outermost ones
+ if ($this->_trans_depth > 0)
+ {
+ return TRUE;
+ }
+
+ $ret = $this->conn->commit();
+ return $ret;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Rollback Transaction
+ *
+ * @access public
+ * @return bool
+ */
+ function trans_rollback()
+ {
+ if ( ! $this->trans_enabled)
+ {
+ return TRUE;
+ }
+
+ // When transactions are nested we only begin/commit/rollback the outermost ones
+ if ($this->_trans_depth > 0)
+ {
+ return TRUE;
+ }
+
+ $ret = $this->conn_id->rollBack();
+ return $ret;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Escape String
+ *
+ * @access public
+ * @param string
+ * @param bool whether or not the string will be used in a LIKE condition
+ * @return string
+ */
+ function escape_str($str, $like = FALSE)
+ {
+ if (is_array($str))
+ {
+ foreach ($str as $key => $val)
+ {
+ $str[$key] = $this->escape_str($val, $like);
+ }
+
+ return $str;
+ }
+
+ // PDO doesn't require escaping
+ $str = remove_invisible_characters($str);
+
+ // escape LIKE condition wildcards
+ if ($like === TRUE)
+ {
+ $str = str_replace( array('%', '_', $this->_like_escape_chr),
+ array($this->_like_escape_chr.'%', $this->_like_escape_chr.'_', $this->_like_escape_chr.$this->_like_escape_chr),
+ $str);
+ }
+
+ return $str;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Affected Rows
+ *
+ * @access public
+ * @return integer
+ */
+ function affected_rows()
+ {
+ return $this->affect_rows;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Insert ID
+ *
+ * @access public
+ * @return integer
+ */
+ function insert_id($name=NULL)
+ {
+ return $this->conn_id->lastInsertId($name);
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * "Count All" query
+ *
+ * Generates a platform-specific query string that counts all records in
+ * the specified database
+ *
+ * @access public
+ * @param string
+ * @return string
+ */
+ function count_all($table = '')
+ {
+ if ($table == '')
+ {
+ return 0;
+ }
+
+ $query = $this->query($this->_count_string . $this->_protect_identifiers('numrows') . " FROM " . $this->_protect_identifiers($table, TRUE, NULL, FALSE));
+
+ if ($query->num_rows() == 0)
+ {
+ return 0;
+ }
+
+ $row = $query->row();
+ $this->_reset_select();
+ return (int) $row->numrows;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Show table query
+ *
+ * Generates a platform-specific query string so that the table names can be fetched
+ *
+ * @access private
+ * @param boolean
+ * @return string
+ */
+ function _list_tables($prefix_limit = FALSE)
+ {
+ $sql = "SHOW TABLES FROM `".$this->database."`";
+
+ if ($prefix_limit !== FALSE AND $this->dbprefix != '')
+ {
+ //$sql .= " LIKE '".$this->escape_like_str($this->dbprefix)."%' ".sprintf($this->_like_escape_str, $this->_like_escape_chr);
+ return FALSE; // not currently supported
+ }
+
+ return $sql;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Show column query
+ *
+ * Generates a platform-specific query string so that the column names can be fetched
+ *
+ * @access public
+ * @param string the table name
+ * @return string
+ */
+ function _list_columns($table = '')
+ {
+ return "SHOW COLUMNS FROM ".$table;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Field data query
+ *
+ * Generates a platform-specific query so that the column data can be retrieved
+ *
+ * @access public
+ * @param string the table name
+ * @return object
+ */
+ function _field_data($table)
+ {
+ return "SELECT TOP 1 FROM ".$table;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * The error message string
+ *
+ * @access private
+ * @return string
+ */
+ function _error_message()
+ {
+ $error_array = $this->conn_id->errorInfo();
+ return $error_array[2];
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * The error message number
+ *
+ * @access private
+ * @return integer
+ */
+ function _error_number()
+ {
+ return $this->conn_id->errorCode();
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Escape the SQL Identifiers
+ *
+ * This function escapes column and table names
+ *
+ * @access private
+ * @param string
+ * @return string
+ */
+ function _escape_identifiers($item)
+ {
+ if ($this->_escape_char == '')
+ {
+ return $item;
+ }
+
+ foreach ($this->_reserved_identifiers as $id)
+ {
+ if (strpos($item, '.'.$id) !== FALSE)
+ {
+ $str = $this->_escape_char. str_replace('.', $this->_escape_char.'.', $item);
+
+ // remove duplicates if the user already included the escape
+ return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $str);
+ }
+ }
+
+ if (strpos($item, '.') !== FALSE)
+ {
+ $str = $this->_escape_char.str_replace('.', $this->_escape_char.'.'.$this->_escape_char, $item).$this->_escape_char;
+
+ }
+ else
+ {
+ $str = $this->_escape_char.$item.$this->_escape_char;
+ }
+
+ // remove duplicates if the user already included the escape
+ return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $str);
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * From Tables
+ *
+ * This function implicitly groups FROM tables so there is no confusion
+ * about operator precedence in harmony with SQL standards
+ *
+ * @access public
+ * @param type
+ * @return type
+ */
+ function _from_tables($tables)
+ {
+ if ( ! is_array($tables))
+ {
+ $tables = array($tables);
+ }
+
+ return (count($tables) == 1) ? $tables[0] : '('.implode(', ', $tables).')';
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Insert statement
+ *
+ * Generates a platform-specific insert string from the supplied data
+ *
+ * @access public
+ * @param string the table name
+ * @param array the insert keys
+ * @param array the insert values
+ * @return string
+ */
+ function _insert($table, $keys, $values)
+ {
+ return "INSERT INTO ".$table." (".implode(', ', $keys).") VALUES (".implode(', ', $values).")";
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Update statement
+ *
+ * Generates a platform-specific update string from the supplied data
+ *
+ * @access public
+ * @param string the table name
+ * @param array the update data
+ * @param array the where clause
+ * @param array the orderby clause
+ * @param array the limit clause
+ * @return string
+ */
+ function _update($table, $values, $where, $orderby = array(), $limit = FALSE)
+ {
+ foreach ($values as $key => $val)
+ {
+ $valstr[] = $key." = ".$val;
+ }
+
+ $limit = ( ! $limit) ? '' : ' LIMIT '.$limit;
+
+ $orderby = (count($orderby) >= 1)?' ORDER BY '.implode(", ", $orderby):'';
+
+ $sql = "UPDATE ".$table." SET ".implode(', ', $valstr);
+
+ $sql .= ($where != '' AND count($where) >=1) ? " WHERE ".implode(" ", $where) : '';
+
+ $sql .= $orderby.$limit;
+
+ return $sql;
+ }
+
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Truncate statement
+ *
+ * Generates a platform-specific truncate string from the supplied data
+ * If the database does not support the truncate() command
+ * This function maps to "DELETE FROM table"
+ *
+ * @access public
+ * @param string the table name
+ * @return string
+ */
+ function _truncate($table)
+ {
+ return $this->_delete($table);
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Delete statement
+ *
+ * Generates a platform-specific delete string from the supplied data
+ *
+ * @access public
+ * @param string the table name
+ * @param array the where clause
+ * @param string the limit clause
+ * @return string
+ */
+ function _delete($table, $where = array(), $like = array(), $limit = FALSE)
+ {
+ $conditions = '';
+
+ if (count($where) > 0 OR count($like) > 0)
+ {
+ $conditions = "\nWHERE ";
+ $conditions .= implode("\n", $this->ar_where);
+
+ if (count($where) > 0 && count($like) > 0)
+ {
+ $conditions .= " AND ";
+ }
+ $conditions .= implode("\n", $like);
+ }
+
+ $limit = ( ! $limit) ? '' : ' LIMIT '.$limit;
+
+ return "DELETE FROM ".$table.$conditions.$limit;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Limit string
+ *
+ * Generates a platform-specific LIMIT clause
+ *
+ * @access public
+ * @param string the sql query string
+ * @param integer the number of rows to limit the query to
+ * @param integer the offset value
+ * @return string
+ */
+ function _limit($sql, $limit, $offset)
+ {
+ if(strpos($this->hostname, 'cubrid') !== FALSE || strpos($this->hostname, 'sqlite') !== FALSE)
+ {
+ if ($offset == 0)
+ {
+ $offset = '';
+ }
+ else
+ {
+ $offset .= ", ";
+ }
+
+ return $sql."LIMIT ".$offset.$limit;
+ }
+ else
+ {
+ $sql .= "LIMIT ".$limit;
+
+ if ($offset > 0)
+ {
+ $sql .= " OFFSET ".$offset;
+ }
+
+ return $sql;
+ }
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Close DB Connection
+ *
+ * @access public
+ * @param resource
+ * @return void
+ */
+ function _close($conn_id)
+ {
+ $this->conn_id = null;
+ }
+
+
+}
+
+
+
+/* End of file pdo_driver.php */
+/* Location: ./system/database/drivers/pdo/pdo_driver.php */
\ No newline at end of file
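Review bot: `escape_str()` quotes nothing (its comment says "PDO doesn't require escaping"), yet `_execute()` sends the finished string through `$this->conn_id->query($sql)` rather than a prepared statement, so values passed through the escape path reach the server with their quotes intact and string-built queries on this driver are exposed to SQL injection. It should delegate to `$this->conn_id->quote()` and strip the outer quotes, on the assumption (base class not shown) that the caller adds its own. `_execute()` also dereferences `$result_id->rowCount()` without checking for `FALSE`, which `query()` returns under the `PDO::ERRMODE_SILENT` mode set in `db_connect()`, and `trans_commit()` calls `$this->conn->commit()` where every other method uses `$this->conn_id`; that line should read `$ret = $this->conn_id->commit();`. `reconnect()` refers to `$this->db` inside the driver itself, and `_field_data()` returns `SELECT TOP 1 FROM` with no column list, so both look unfinished.

```php
function _execute($sql)
{
	$sql = $this->_prep_query($sql);
	$result_id = $this->conn_id->query($sql);

	// query() returns FALSE under ERRMODE_SILENT; do not dereference it
	if ($result_id === FALSE)
	{
		return FALSE;
	}
	// ... unchanged: store rowCount() and return $result_id ...

function escape_str($str, $like = FALSE)
{
	// ... unchanged: recursive handling of arrays ...

	$str = remove_invisible_characters($str);

	// Let the underlying driver escape the value
	$quoted = $this->conn_id->quote($str);

	if ($quoted === FALSE)
	{
		// driver without quoting support: fall back to doubling single quotes
		$str = str_replace("'", "''", $str);
	}
	else
	{
		// quote() wraps the value in quotes; the caller is assumed to add its own
		$str = (substr($quoted, 0, 1) === "'") ? substr($quoted, 1, -1) : $quoted;
	}

	// ... unchanged: LIKE wildcard escaping and return ...
```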
diff --git a/system/database/drivers/pdo/pdo_forge.php b/system/database/drivers/pdo/pdo_forge.php
new file mode 100644
index 0000000..5516873
--- /dev/null
+++ b/system/database/drivers/pdo/pdo_forge.php
@@ -0,0 +1,266 @@
+<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
+/**
+ * CodeIgniter
+ *
+ * An open source application development framework for PHP 5.1.6 or newer
+ *
+ * @package CodeIgniter
+ * @author ExpressionEngine Dev Team
+ * @copyright Copyright (c) 2008 - 2011, EllisLab, Inc.
+ * @license http://codeigniter.com/user_guide/license.html
+ * @link http://codeigniter.com
+ * @since Version 2.1.0
+ * @filesource
+ */
+
+// ------------------------------------------------------------------------
+
+/**
+ * PDO Forge Class
+ *
+ * @category Database
+ * @author ExpressionEngine Dev Team
+ * @link http://codeigniter.com/database/
+ */
+class CI_DB_pdo_forge extends CI_DB_forge {
+
+ /**
+ * Create database
+ *
+ * @access private
+ * @param string the database name
+ * @return bool
+ */
+ function _create_database()
+ {
+ // PDO has no "create database" command since it's
+ // designed to connect to an existing database
+ if ($this->db->db_debug)
+ {
+ return $this->db->display_error('db_unsuported_feature');
+ }
+ return FALSE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Drop database
+ *
+ * @access private
+ * @param string the database name
+ * @return bool
+ */
+ function _drop_database($name)
+ {
+ // PDO has no "drop database" command since it's
+ // designed to connect to an existing database
+ if ($this->db->db_debug)
+ {
+ return $this->db->display_error('db_unsuported_feature');
+ }
+ return FALSE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Create Table
+ *
+ * @access private
+ * @param string the table name
+ * @param array the fields
+ * @param mixed primary key(s)
+ * @param mixed key(s)
+ * @param boolean should 'IF NOT EXISTS' be added to the SQL
+ * @return bool
+ */
+ function _create_table($table, $fields, $primary_keys, $keys, $if_not_exists)
+ {
+ $sql = 'CREATE TABLE ';
+
+ if ($if_not_exists === TRUE)
+ {
+ $sql .= 'IF NOT EXISTS ';
+ }
+
+ $sql .= $this->db->_escape_identifiers($table)." (";
+ $current_field_count = 0;
+
+ foreach ($fields as $field=>$attributes)
+ {
+ // Numeric field names aren't allowed in databases, so if the key is
+ // numeric, we know it was assigned by PHP and the developer manually
+ // entered the field information, so we'll simply add it to the list
+ if (is_numeric($field))
+ {
+ $sql .= "\n\t$attributes";
+ }
+ else
+ {
+ $attributes = array_change_key_case($attributes, CASE_UPPER);
+
+ $sql .= "\n\t".$this->db->_protect_identifiers($field);
+
+ $sql .= ' '.$attributes['TYPE'];
+
+ if (array_key_exists('CONSTRAINT', $attributes))
+ {
+ $sql .= '('.$attributes['CONSTRAINT'].')';
+ }
+
+ if (array_key_exists('UNSIGNED', $attributes) && $attributes['UNSIGNED'] === TRUE)
+ {
+ $sql .= ' UNSIGNED';
+ }
+
+ if (array_key_exists('DEFAULT', $attributes))
+ {
+ $sql .= ' DEFAULT \''.$attributes['DEFAULT'].'\'';
+ }
+
+ if (array_key_exists('NULL', $attributes) && $attributes['NULL'] === TRUE)
+ {
+ $sql .= ' NULL';
+ }
+ else
+ {
+ $sql .= ' NOT NULL';
+ }
+
+ if (array_key_exists('AUTO_INCREMENT', $attributes) && $attributes['AUTO_INCREMENT'] === TRUE)
+ {
+ $sql .= ' AUTO_INCREMENT';
+ }
+ }
+
+ // don't add a comma on the end of the last field
+ if (++$current_field_count < count($fields))
+ {
+ $sql .= ',';
+ }
+ }
+
+ if (count($primary_keys) > 0)
+ {
+ $primary_keys = $this->db->_protect_identifiers($primary_keys);
+ $sql .= ",\n\tPRIMARY KEY (" . implode(', ', $primary_keys) . ")";
+ }
+
+ if (is_array($keys) && count($keys) > 0)
+ {
+ foreach ($keys as $key)
+ {
+ if (is_array($key))
+ {
+ $key = $this->db->_protect_identifiers($key);
+ }
+ else
+ {
+ $key = array($this->db->_protect_identifiers($key));
+ }
+
+ $sql .= ",\n\tFOREIGN KEY (" . implode(', ', $key) . ")";
+ }
+ }
+
+ $sql .= "\n)";
+
+ return $sql;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Drop Table
+ *
+ * @access private
+ * @return bool
+ */
+ function _drop_table($table)
+ {
+ // Not a supported PDO feature
+ if ($this->db->db_debug)
+ {
+ return $this->db->display_error('db_unsuported_feature');
+ }
+ return FALSE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Alter table query
+ *
+ * Generates a platform-specific query so that a table can be altered
+ * Called by add_column(), drop_column(), and column_alter(),
+ *
+ * @access private
+ * @param string the ALTER type (ADD, DROP, CHANGE)
+ * @param string the column name
+ * @param string the table name
+ * @param string the column definition
+ * @param string the default value
+ * @param boolean should 'NOT NULL' be added
+ * @param string the field after which we should add the new field
+ * @return object
+ */
+ function _alter_table($alter_type, $table, $column_name, $column_definition = '', $default_value = '', $null = '', $after_field = '')
+ {
+ $sql = 'ALTER TABLE '.$this->db->_protect_identifiers($table)." $alter_type ".$this->db->_protect_identifiers($column_name);
+
+ // DROP has everything it needs now.
+ if ($alter_type == 'DROP')
+ {
+ return $sql;
+ }
+
+ $sql .= " $column_definition";
+
+ if ($default_value != '')
+ {
+ $sql .= " DEFAULT \"$default_value\"";
+ }
+
+ if ($null === NULL)
+ {
+ $sql .= ' NULL';
+ }
+ else
+ {
+ $sql .= ' NOT NULL';
+ }
+
+ if ($after_field != '')
+ {
+ $sql .= ' AFTER ' . $this->db->_protect_identifiers($after_field);
+ }
+
+ return $sql;
+
+ }
+
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Rename a table
+ *
+ * Generates a platform-specific query so that a table can be renamed
+ *
+ * @access private
+ * @param string the old table name
+ * @param string the new table name
+ * @return string
+ */
+ function _rename_table($table_name, $new_table_name)
+ {
+ $sql = 'ALTER TABLE '.$this->db->_protect_identifiers($table_name)." RENAME TO ".$this->db->_protect_identifiers($new_table_name);
+ return $sql;
+ }
+
+
+}
+
+/* End of file pdo_forge.php */
+/* Location: ./system/database/drivers/pdo/pdo_forge.php */
\ No newline at end of file
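Review bot: In `_create_table()` the column default is spliced into the DDL as `' DEFAULT \''.$attributes['DEFAULT'].'\''`, and `_alter_table()` does the same with `" DEFAULT \"$default_value\""`, so a default that contains a quote breaks or alters the statement. Both should go through the connection's quoting, e.g. `$sql .= ' DEFAULT '.$this->db->escape($attributes['DEFAULT']);`, provided the driver's escape path really quotes. The `$keys` loop emits `FOREIGN KEY (...)` with no `REFERENCES` clause, which is not valid SQL for a plain index. `_alter_table()` adds `NULL` only when `$null === NULL` although the parameter defaults to `''` and its docblock calls it a boolean, and `_create_database()` declares no parameter while its docblock documents a database name.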
diff --git a/system/database/drivers/pdo/pdo_result.php b/system/database/drivers/pdo/pdo_result.php
new file mode 100644
index 0000000..e3ae0da
--- /dev/null
+++ b/system/database/drivers/pdo/pdo_result.php
@@ -0,0 +1,171 @@
+<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
+/**
+ * CodeIgniter
+ *
+ * An open source application development framework for PHP 5.1.6 or newer
+ *
+ * @package CodeIgniter
+ * @author ExpressionEngine Dev Team
+ * @copyright Copyright (c) 2008 - 2011, EllisLab, Inc.
+ * @license http://codeigniter.com/user_guide/license.html
+ * @link http://codeigniter.com
+ * @since Version 2.1.0
+ * @filesource
+ */
+
+// ------------------------------------------------------------------------
+
+/**
+ * PDO Result Class
+ *
+ * This class extends the parent result class: CI_DB_result
+ *
+ * @category Database
+ * @author ExpressionEngine Dev Team
+ * @link http://codeigniter.com/user_guide/database/
+ */
+class CI_DB_pdo_result extends CI_DB_result {
+
+ /**
+ * Number of rows in the result set
+ *
+ * @access public
+ * @return integer
+ */
+ function num_rows()
+ {
+ return $this->result_id->rowCount();
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Number of fields in the result set
+ *
+ * @access public
+ * @return integer
+ */
+ function num_fields()
+ {
+ return $this->result_id->columnCount();
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Fetch Field Names
+ *
+ * Generates an array of column names
+ *
+ * @access public
+ * @return array
+ */
+ function list_fields()
+ {
+ if ($this->db->db_debug)
+ {
+ return $this->db->display_error('db_unsuported_feature');
+ }
+ return FALSE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Field data
+ *
+ * Generates an array of objects containing field meta-data
+ *
+ * @access public
+ * @return array
+ */
+ function field_data()
+ {
+ $data = array();
+
+ try
+ {
+ for($i = 0; $i < $this->num_fields(); $i++)
+ {
+ $data[] = $this->result_id->getColumnMeta($i);
+ }
+
+ return $data;
+ }
+ catch (Exception $e)
+ {
+ if ($this->db->db_debug)
+ {
+ return $this->db->display_error('db_unsuported_feature');
+ }
+ return FALSE;
+ }
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Free the result
+ *
+ * @return null
+ */
+ function free_result()
+ {
+ if (is_object($this->result_id))
+ {
+ $this->result_id = FALSE;
+ }
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Data Seek
+ *
+ * Moves the internal pointer to the desired offset. We call
+ * this internally before fetching results to make sure the
+ * result set starts at zero
+ *
+ * @access private
+ * @return array
+ */
+ function _data_seek($n = 0)
+ {
+ return FALSE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Result - associative array
+ *
+ * Returns the result set as an array
+ *
+ * @access private
+ * @return array
+ */
+ function _fetch_assoc()
+ {
+ return $this->result_id->fetch(PDO::FETCH_ASSOC);
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Result - object
+ *
+ * Returns the result set as an object
+ *
+ * @access private
+ * @return object
+ */
+ function _fetch_object()
+ {
+ return $this->result_id->fetchObject();
+ }
+
+}
+
+
+/* End of file pdo_result.php */
+/* Location: ./system/database/drivers/pdo/pdo_result.php */
\ No newline at end of file
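Review bot: `num_rows()` returns `$this->result_id->rowCount()`, which PDO only guarantees for INSERT/UPDATE/DELETE; for a SELECT several drivers report 0, and `count_all()` in pdo_driver.php treats `num_rows() == 0` as an empty table. A portable version would cache the count and fall back to counting the fetched rows when `rowCount()` yields 0. In `field_data()` the `try`/`catch` presumably never fires, because the connection is opened with `PDO::ERRMODE_SILENT`; an unsupported `getColumnMeta()` would then put `FALSE` entries in `$data` rather than raise `db_unsuported_feature`, so the return value should be checked instead. `list_fields()` is declared unsupported although the same `getColumnMeta()` call exposes each column's `name`.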
diff --git a/system/database/drivers/pdo/pdo_utility.php b/system/database/drivers/pdo/pdo_utility.php
new file mode 100644
index 0000000..50b9746
--- /dev/null
+++ b/system/database/drivers/pdo/pdo_utility.php
@@ -0,0 +1,103 @@
+<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
+/**
+ * CodeIgniter
+ *
+ * An open source application development framework for PHP 5.1.6 or newer
+ *
+ * @package CodeIgniter
+ * @author ExpressionEngine Dev Team
+ * @copyright Copyright (c) 2008 - 2011, EllisLab, Inc.
+ * @license http://codeigniter.com/user_guide/license.html
+ * @link http://codeigniter.com
+ * @since Version 2.1.0
+ * @filesource
+ */
+
+// ------------------------------------------------------------------------
+
+/**
+ * PDO Utility Class
+ *
+ * @category Database
+ * @author ExpressionEngine Dev Team
+ * @link http://codeigniter.com/database/
+ */
+class CI_DB_pdo_utility extends CI_DB_utility {
+
+ /**
+ * List databases
+ *
+ * @access private
+ * @return bool
+ */
+ function _list_databases()
+ {
+ // Not sure if PDO lets you list all databases...
+ if ($this->db->db_debug)
+ {
+ return $this->db->display_error('db_unsuported_feature');
+ }
+ return FALSE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Optimize table query
+ *
+ * Generates a platform-specific query so that a table can be optimized
+ *
+ * @access private
+ * @param string the table name
+ * @return object
+ */
+ function _optimize_table($table)
+ {
+ // Not a supported PDO feature
+ if ($this->db->db_debug)
+ {
+ return $this->db->display_error('db_unsuported_feature');
+ }
+ return FALSE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * Repair table query
+ *
+ * Generates a platform-specific query so that a table can be repaired
+ *
+ * @access private
+ * @param string the table name
+ * @return object
+ */
+ function _repair_table($table)
+ {
+ // Not a supported PDO feature
+ if ($this->db->db_debug)
+ {
+ return $this->db->display_error('db_unsuported_feature');
+ }
+ return FALSE;
+ }
+
+ // --------------------------------------------------------------------
+
+ /**
+ * PDO Export
+ *
+ * @access private
+ * @param array Preferences
+ * @return mixed
+ */
+ function _backup($params = array())
+ {
+ // Currently unsupported
+ return $this->db->display_error('db_unsuported_feature');
+ }
+
+}
+
+/* End of file pdo_utility.php */
+/* Location: ./system/database/drivers/pdo/pdo_utility.php */
\ No newline at end of file
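Review bot: `_backup()` calls `$this->db->display_error('db_unsuported_feature')` unconditionally, whereas `_list_databases()`, `_optimize_table()` and `_repair_table()` in this same file do so only when `$this->db->db_debug` is set and otherwise return FALSE. With debugging switched off, as it normally is in production, a backup call on the PDO driver would presumably still raise the database error output instead of failing quietly; `display_error()` is not visible here, so that is inferred from the other three methods. Guard it the same way: `if ($this->db->db_debug) { return $this->db->display_error('db_unsuported_feature'); }` followed by `return FALSE;`. The docblocks on `_optimize_table()` and `_repair_table()` also still say "Generates a platform-specific query" with `@return object`; a summary such as `Not supported by the PDO driver` with `@return bool` would match what the code does.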
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index db728f5..5bb7f60 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -88,6 +88,7 @@
<li>Database
<ul>
<li>Added a <a href="http://www.cubrid.org/" target="_blank">CUBRID</a> driver to the <a href="database/index.html">Database Driver</a>. Thanks to the CUBRID team for supplying this patch.</li>
+ <li>Added a PDO driver to the <a href="database/index.html">Database Driver</a>.</li>
<li>Typecast limit and offset in the <a href="database/queries.html">Database Driver</a> to integers to avoid possible injection.</li>
<li>
Added additional option 'none' for the optional third argument for <kbd>$this->db->like()</kbd> in the <a href="database/active_record.html">Database Driver</a>.
diff --git a/user_guide/database/connecting.html b/user_guide/database/connecting.html
index 309f2bc..b180881 100644
--- a/user_guide/database/connecting.html
+++ b/user_guide/database/connecting.html
@@ -121,6 +121,8 @@
<p>For information on each of these values please see the <a href="configuration.html">configuration page</a>.</p>
+<p class="important"><strong>Note:</strong> For the PDO driver, $config['hostname'] should look like this: 'mysql:host=localhost'</p>
+
<p>Or you can submit your database values as a Data Source Name. DSNs must have this prototype:</p>
<code>$dsn = 'dbdriver://username:password@hostname/database';<br />
diff --git a/user_guide/database/helpers.html b/user_guide/database/helpers.html
index 6a8aba5..be6c339 100644
--- a/user_guide/database/helpers.html
+++ b/user_guide/database/helpers.html
@@ -64,11 +64,11 @@
<h2>$this->db->insert_id()</h2>
<p>The insert ID number when performing database inserts.</p>
+<p class="important"><strong>Note:</strong> If using the PDO driver with PostgreSQL, this function requires a $name parameter, which specifies the appropriate sequence to check for the insert id.</p>
<h2>$this->db->affected_rows()</h2>
<p>Displays the number of affected rows, when doing "write" type queries (insert, update, etc.).</p>
-<p>Note: In MySQL "DELETE FROM TABLE" returns 0 affected rows. The database class has a small hack that allows it to return the
-correct number of affected rows. By default this hack is enabled but it can be turned off in the database driver file.</p>
+<p>Note: In MySQL "DELETE FROM TABLE" returns 0 affected rows. The database class has a small hack that allows it to return the correct number of affected rows. By default this hack is enabled but it can be turned off in the database driver file.</p>
<h2>$this->db->count_all();</h2>