Fix PDO field and table escaping
diff --git a/system/database/drivers/pdo/pdo_driver.php b/system/database/drivers/pdo/pdo_driver.php
index aec39c8..bd9edde 100644
--- a/system/database/drivers/pdo/pdo_driver.php
+++ b/system/database/drivers/pdo/pdo_driver.php
@@ -46,8 +46,8 @@
protected $_escape_char = '';
// clause and character used for LIKE escape sequences
- protected $_like_escape_str;
- protected $_like_escape_chr;
+ protected $_like_escape_str = " ESCAPE '%s' ";
+ protected $_like_escape_chr = '!';
/**
* The syntax to count rows is slightly different across different
@@ -81,18 +81,17 @@
// this one depends on the driver being used
if ($this->pdodriver == 'mysql')
{
+ $this->_escape_char = '`';
$this->_like_escape_str = '';
$this->_like_escape_chr = '';
}
elseif ($this->pdodriver == 'odbc')
{
$this->_like_escape_str = " {escape '%s'} ";
- $this->_like_escape_chr = '!';
}
- else
+ elseif ( ! in_array($this->pdodriver, array('sqlsrv', 'mssql', 'dblib', 'sybase')))
{
- $this->_like_escape_str = " ESCAPE '%s' ";
- $this->_like_escape_chr = '!';
+ $this->_escape_char = '"';
}
$this->trans_enabled = FALSE;
@@ -268,8 +267,6 @@
*/
protected function _execute($sql)
{
- $sql = $this->_prep_query($sql);
-
$result_id = $this->conn_id->query($sql);
if (is_object($result_id))
@@ -287,32 +284,6 @@
// --------------------------------------------------------------------
/**
- * Prep the query
- *
- * If needed, each database adapter can prep the query string
- *
- * @param string an SQL query
- * @return string
- */
- protected function _prep_query($sql)
- {
- if ($this->pdodriver === 'pgsql')
- {
- // Change the backtick(s) for Postgre
- $sql = str_replace('`', '"', $sql);
- }
- elseif ($this->pdodriver === 'sqlite')
- {
- // Change the backtick(s) for SQLite
- $sql = str_replace('`', '', $sql);
- }
-
- return $sql;
- }
-
- // --------------------------------------------------------------------
-
- /**
* Begin Transaction
*
* @return bool
@@ -516,7 +487,7 @@
}
else
{
- $sql = "SHOW TABLES FROM `".$this->database."`";
+ $sql = 'SHOW TABLES FROM '.$this->_escape_identifiers($this->database);
}
if ($prefix_limit !== FALSE AND $this->dbprefix != '')
@@ -539,7 +510,7 @@
*/
protected function _list_columns($table = '')
{
- return 'SHOW COLUMNS FROM '.$this->_from_tables($table);
+ return 'SHOW COLUMNS FROM '.$this->_escape_identifiers($table);
}
// --------------------------------------------------------------------
@@ -557,20 +528,20 @@
if ($this->pdodriver == 'mysql' or $this->pdodriver == 'pgsql')
{
// Analog function for mysql and postgre
- return 'SELECT * FROM '.$this->_from_tables($table).' LIMIT 1';
+ return 'SELECT * FROM '.$this->_escape_identifiers($table).' LIMIT 1';
}
elseif ($this->pdodriver == 'oci')
{
// Analog function for oci
- return 'SELECT * FROM '.$this->_from_tables($table).' WHERE ROWNUM <= 1';
+ return 'SELECT * FROM '.$this->_escape_identifiers($table).' WHERE ROWNUM <= 1';
}
elseif ($this->pdodriver == 'sqlite')
{
// Analog function for sqlite
- return 'PRAGMA table_info('.$this->_from_tables($table).')';
+ return 'PRAGMA table_info('.$this->_escape_identifiers($table).')';
}
- return 'SELECT TOP 1 FROM '.$this->_from_tables($table);
+ return 'SELECT TOP 1 FROM '.$this->_escape_identifiers($table);
}
// --------------------------------------------------------------------
@@ -623,25 +594,20 @@
{
if (strpos($item, '.'.$id) !== FALSE)
{
- $str = $this->_escape_char. str_replace('.', $this->_escape_char.'.', $item);
+ $item = str_replace('.', $this->_escape_char.'.', $item);
// remove duplicates if the user already included the escape
- return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $str);
+ return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $this->_escape_char.$item);
}
}
if (strpos($item, '.') !== FALSE)
{
- $str = $this->_escape_char.str_replace('.', $this->_escape_char.'.'.$this->_escape_char, $item);
- $str .= $this->_escape_char;
- }
- else
- {
- $str = $this->_escape_char.$item.$this->_escape_char;
+ $item = str_replace('.', $this->_escape_char.'.'.$this->_escape_char, $item);
}
// remove duplicates if the user already included the escape
- return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $str);
+ return preg_replace('/['.$this->_escape_char.']+/', $this->_escape_char, $this->_escape_char.$item.$this->_escape_char);
}
// --------------------------------------------------------------------
@@ -662,7 +628,7 @@
$tables = array($tables);
}
- return (count($tables) == 1) ? '`'.$tables[0].'`' : '('.implode(', ', $tables).')';
+ return (count($tables) === 1) ? $tables[0] : '('.implode(', ', $tables).')';
}
// --------------------------------------------------------------------
@@ -695,7 +661,7 @@
}
}
- $sql = 'UPDATE '.$this->_from_tables($table).' SET ';
+ $sql = 'UPDATE '.$table.' SET ';
$cases = '';
foreach ($final as $k => $v)
@@ -765,7 +731,7 @@
$limit = ( ! $limit) ? '' : ' LIMIT '.$limit;
- return 'DELETE FROM '.$this->_from_tables($table).$conditions.$limit;
+ return 'DELETE FROM '.$table.$conditions.$limit;
}
// --------------------------------------------------------------------