Update_string and Insert_string do not escape the key correctly

| | | | |
|---|---|---|---|
| Date: | 05/10/2008 | Severity: | Major |
| Status: | New | Reporter: | Cheater |
| Version: | 1.6.2 SVN | ||
| Keywords: | Libraries, Database Class | ||
Description
At least for MySQL, if you use the update_string or insert_string with certain keys (e.g. ‘desc’ for description) then MySQL will barf, and it usually takes a couple of days to figure out why if you haven't encountered it before.
The problem is that MySQL thinks it's DESC from an ORDER BY.
Fields in queries should *always* have backticks around them, which tell MySQL that it's a field.
The fix is simple. For the update code, change it to this:
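```php
foreach ($values as $key => $val)
{
    // Backticks go around the column name only; around the value they
    // would make MySQL read it as a column name instead of a literal.
    $valstr[] = "`$key` = $val";
}
```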
Insert Code:
```php
return "INSERT INTO ".$this->_escape_table($table)." (`".implode('`, `', $keys)."`) VALUES (".implode(', ', $values).")";
```
This bug is probably elsewhere in the code but I’ve only stumbled across it here.
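
The following is an added example, not CodeIgniter's code and not part of the original report. It shows identifier quoting for the insert and update strings that also doubles any backtick embedded in a key, so a key cannot close the quoting early. The function names, the `items` table and the stand-in value escaper are assumptions made for the demo.

```php
<?php
// Added example: hypothetical helpers, not CodeIgniter's own functions.

// Quote a MySQL identifier: wrap it in backticks and double any embedded
// backtick so the name cannot terminate the quoted identifier.
function quote_identifier(string $name): string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Build an INSERT; $escape is the caller's value escaper (the driver's in real code).
function build_insert(string $table, array $data, callable $escape): string
{
    $cols = array_map('quote_identifier', array_keys($data));
    $vals = array_map($escape, array_values($data));
    return 'INSERT INTO ' . quote_identifier($table)
        . ' (' . implode(', ', $cols) . ') VALUES (' . implode(', ', $vals) . ')';
}

// Build an UPDATE; both the SET keys and the WHERE keys are quoted as identifiers.
function build_update(string $table, array $data, array $where, callable $escape): string
{
    $pair = function ($key, $val) use ($escape) {
        return quote_identifier((string) $key) . ' = ' . $escape($val);
    };
    $sets  = array_map($pair, array_keys($data), array_values($data));
    $conds = array_map($pair, array_keys($where), array_values($where));
    return 'UPDATE ' . quote_identifier($table)
        . ' SET ' . implode(', ', $sets)
        . ' WHERE ' . implode(' AND ', $conds);
}

// Stand-in escaper for this offline demo only (assumption); use the
// database driver's escaping or bound parameters in real code.
$escape = function ($v) {
    return "'" . addslashes((string) $v) . "'";
};

// Constructed sample row using two MySQL reserved words as column names.
$row = ['desc' => 'A reserved-word column', 'order' => 3];

echo build_insert('items', $row, $escape), "\n";
echo build_update('items', $row, ['id' => 1], $escape), "\n";
```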
