Merge pull request #3277 from clawoo/develop

Escape arrays sent as binding values for database queries.
diff --git a/system/database/DB_driver.php b/system/database/DB_driver.php
index 62cea75..fc1d956 100644
--- a/system/database/DB_driver.php
+++ b/system/database/DB_driver.php
@@ -922,7 +922,12 @@
 		do
 		{
 			$c--;
-			$sql = substr_replace($sql, $this->escape($binds[$c]), $matches[0][$c][1], $ml);
+			$escaped_value = $this->escape($binds[$c]);
+			if (is_array($escaped_value))
+			{
+				$escaped_value = '('.implode(',', $escaped_value).')';
+			}
+			$sql = substr_replace($sql, $escaped_value, $matches[0][$c][1], $ml);
 		}
 		while ($c !== 0);
 
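Review bot: The array branch passes two inputs straight into the query text without handling them: an empty array becomes `()`, which most SQL dialects reject as a syntax error, and a nested array makes `implode()` emit the bare, unquoted word `Array`. The second case arises because `escape()` maps recursively and hands the inner arrays back as arrays. Bound values often come directly from request parameters, which a client can shape as arrays, so both cases are reachable and should be rejected before the `implode()`. A guard such as `if ($escaped_value === array() OR count($escaped_value, COUNT_RECURSIVE) !== count($escaped_value))` could route them to whatever error path this method already uses. The enclosing function starts and ends outside the hunk, so that error convention is not visible here.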
@@ -992,7 +997,12 @@
 	 */
 	public function escape($str)
 	{
-		if (is_string($str) OR (is_object($str) && method_exists($str, '__toString')))
+		if (is_array($str))
+		{
+			$str = array_map(array(&$this, 'escape'), $str);
+			return $str;
+		}
+		elseif (is_string($str) OR (is_object($str) && method_exists($str, '__toString')))
 		{
 			return "'".$this->escape_str($str)."'";
 		}
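Review bot: `escape()` now returns an array for array input, but the docblock ending just above the hunk is not updated to say so. Any caller that concatenates the result into SQL, assuming a string, would presumably get the literal `Array` when handed an array. The docblock should gain a line such as `@return mixed  escaped string, or an array of escaped values when $str is an array`. The two-line body can be reduced to `return array_map(array($this, 'escape'), $str);`, since the `&$this` reference is a PHP 4 idiom that is not needed for a callback. The rest of the method lies outside the hunk, so how the remaining types are handled is not visible here.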
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 0e49302..99cdf4d 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -173,6 +173,7 @@
    -  Added Interbase/Firebird database support via the *ibase* driver.
    -  Added ODBC support for ``create_database()``, ``drop_database()`` and ``drop_table()`` in :doc:`Database Forge <database/forge>`.
    -  Added **save_queries** configuration setting to *application/config/database.php* (defaults to ``TRUE``).
+   -  Added support to binding arrays as ``IN()`` sets in ``query()``.
 
    -  :doc:`Query Builder <database/query_builder>` changes include:
 
diff --git a/user_guide_src/source/database/queries.rst b/user_guide_src/source/database/queries.rst
index 90f49af..76ff108 100644
--- a/user_guide_src/source/database/queries.rst
+++ b/user_guide_src/source/database/queries.rst
@@ -132,6 +132,15 @@
 The question marks in the query are automatically replaced with the
 values in the array in the second parameter of the query function.
 
+Binding also work with arrays, which will be transformed to IN sets::
+
+	$sql = "SELECT * FROM some_table WHERE id IN ? AND status = ? AND author = ?";
+	$this->db->query($sql, array(array(3, 6), 'live', 'Rick'));
+
+The resulting query will be::
+
+	SELECT * FROM some_table WHERE id IN (3,6) AND status = 'live' AND author = 'Rick'
+
 The secondary benefit of using binds is that the values are
 automatically escaped, producing safer queries. You don't have to
 remember to manually escape data; the engine does it automatically for