Escape behaviour in where() clauses has changed; values in where() clauses called with the "FALSE" argument are no longer escaped (i.e. quoted).
diff --git a/system/database/DB_active_rec.php b/system/database/DB_active_rec.php
index 9a7ef5d..b531585 100644
--- a/system/database/DB_active_rec.php
+++ b/system/database/DB_active_rec.php
@@ -69,14 +69,14 @@
* @access public
* @param string the table
* @return string
- */
+ */
function dbprefix($table = '')
{
if ($table == '')
{
$this->display_error('db_table_name_required');
}
-
+
return $this->dbprefix.$table;
}
@@ -104,7 +104,7 @@
$select = array($select);
}
}
-
+
foreach ($select as $val)
{
$val = trim($val);
@@ -120,7 +120,7 @@
$val = $this->_protect_identifiers($val);
}
}
-
+
if ($val != '')
{
$this->ar_select[] = $val;
@@ -183,7 +183,7 @@
{
$this->display_error('db_invalid_query');
}
-
+
$alias = ($alias != '') ? $alias : $select;
$sql = 'MIN('.$this->_protect_identifiers(trim($select)).') AS '.$this->_protect_identifiers(trim($alias));
@@ -217,7 +217,7 @@
}
$alias = ($alias != '') ? $alias : $select;
-
+
$sql = 'AVG('.$this->_protect_identifiers(trim($select)).') AS '.$this->_protect_identifiers(trim($alias));
$this->ar_select[] = $sql;
@@ -230,7 +230,7 @@
}
// --------------------------------------------------------------------
-
+
/**
* Select Sum
*
@@ -302,7 +302,7 @@
return $this;
}
-
+
// --------------------------------------------------------------------
/**
@@ -339,10 +339,10 @@
// First we remove any existing prefixes in the condition to avoid duplicates
$cond = preg_replace('|('.$this->dbprefix.')([\w\.]+)([\W\s]+)|', "$2$3", $cond);
-
+
// Next we add the prefixes to the condition
$cond = preg_replace('|([\w\.]+)([\W\s]+)(.+)|', $this->dbprefix . "$1$2" . $this->dbprefix . "$3", $cond);
- }
+ }
$join = $type.'JOIN '.$this->_protect_identifiers($this->dbprefix.$table, TRUE).' ON '.$cond;
@@ -354,7 +354,7 @@
return $this;
}
-
+
// --------------------------------------------------------------------
/**
@@ -453,15 +453,18 @@
{
$k .= ' =';
}
-
+
if ($v !== '' AND $v !== NULL)
{
- $v = ' '.$this->escape($v);
+ if ($escape === TRUE)
+ {
+ $v = ' '.$this->escape($v);
+ }
}
}
else
{
-
+
if ($escape === TRUE)
{
$k = $this->_protect_identifiers($k, TRUE);
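Review bot: With `$escape` FALSE the new `if ($escape === TRUE)` guard skips not only `$this->escape($v)` but also the leading space the old line prepended, so a key ending in an operator such as `name LIKE` would presumably be joined directly to the value; the concatenation is outside this hunk, so that is inferred. Keeping the separator unconditional avoids that: `$v = ' '.(($escape === TRUE) ? $this->escape($v) : $v);`. The same flag now switches off both identifier protection and value escaping, so any existing caller that passed FALSE only to keep an identifier unquoted will start sending its value into the SQL verbatim. The method docblock (outside the hunk) should say so, e.g. `@param bool FALSE inserts the value unescaped and unquoted; never pass request data this way`. The enclosing function starts and ends outside this hunk.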
@@ -511,7 +514,7 @@
* @return object
*/
function or_where_in($key = NULL, $values = NULL)
- {
+ {
return $this->_where_in($key, $values, FALSE, 'OR ');
}
@@ -529,7 +532,7 @@
* @return object
*/
function where_not_in($key = NULL, $values = NULL)
- {
+ {
return $this->_where_in($key, $values, TRUE);
}
@@ -547,7 +550,7 @@
* @return object
*/
function or_where_not_in($key = NULL, $values = NULL)
- {
+ {
return $this->_where_in($key, $values, TRUE, 'OR ');
}
@@ -566,7 +569,7 @@
* @return object
*/
function _where_in($key = NULL, $values = NULL, $not = FALSE, $type = 'AND ')
- {
+ {
if ($key === NULL || !is_array($values))
{
return;
@@ -580,7 +583,7 @@
}
$prefix = (count($this->ar_where) == 0) ? '' : $type;
-
+
$where_in = $prefix . $this->_protect_identifiers($key) . $not . " IN (" . implode(", ", $this->ar_wherein) . ") ";
$this->ar_where[] = $where_in;
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 7d06f79..83ce9a6 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -72,7 +72,8 @@
<li>Database
<ul>
<li>Added <a href="./database/transactions.html">Strict Mode</a> to database transactions.</li>
- </ul>
+ <li>Escape behaviour in where() clauses has changed; values in those with the "FALSE" argument are no longer escaped (ie: quoted).</li>
+ </ul>
</li>
<li>Config
<ul>