ActiveRecord implementation produces erroneous queries when custom operator is used
| | | | |
|---|---|---|---|
| Date: | 07/08/2008 | Severity: | Major |
| Status: | New | Reporter: | Maxaon |
| Version: | 1.6.3 | | |
| Keywords: | Libraries, Database Class | | |
Description
In my code (PHP5) (where CI is a CodeIgniter instance)
$this->CI->db->where("left >", (int)$record[$this->left_column]);
produces: ...WHERE left > 11…
$this->CI->db->where("left", (int)$record[$this->left_column]);
produces: ...WHERE `left` = 11…
In the former case, where I am using a custom operator, the backticks are not produced and I have to insert them myself. So unless I do something like $this->CI->db->where("`left` >", (int)$record[$this->left_column]), an erroneous query will be produced, because the table name is escaped with backticks and the field name is not, and MySQL gets confused.
Suggested fix:
change line 444 in DB_active_rec.php from
$k = preg_replace("/([A-Za-z_0-9]+)/", $this->_protect_identifiers('$1'), $k);
to
$k = preg_replace("/([A-Za-z_0-9]+)/e", '$this->_protect_identifiers("\\1")', $k);
Code Sample
$this->CI->db->where("left >", (int)$record[$this->left_column]);
Expected Result
WHERE `left` > 11…
Actual Result
WHERE left > 11…
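The suggested fix reaches the per-match call through the `/e` modifier, which hands the replacement string to eval() (and was removed in PHP 7). The same per-match escaping can be done with preg_replace_callback, which never evaluates a string as code. The following is an added, stand-alone example, not CodeIgniter's code: `protect_identifier()` is a simplified stand-in for CI's `_protect_identifiers()`, and the character class is widened beyond the ticket's `[A-Za-z_0-9]+` to cover dotted names and keys that are already backticked.

```php
<?php
// Added example (not CodeIgniter's own code). Demonstrates escaping the
// identifier part of a where() key such as "left >" without the /e
// modifier: preg_replace_callback calls a closure per match instead of
// eval()ing a replacement string.

// Stand-in for CI's _protect_identifiers() (assumption for this demo):
// wrap each dotted segment in backticks unless it already is.
function protect_identifier(string $item): string
{
    $parts = explode('.', $item);
    foreach ($parts as &$p) {
        if ($p !== '' && $p[0] !== '`') {
            $p = '`' . $p . '`';
        }
    }
    unset($p);
    return implode('.', $parts);
}

// Escape the identifier in a where() key and leave any trailing
// comparison operator (">", "<=", "!=", ...) untouched.
function protect_where_key(string $k): string
{
    // Identifier must start with a letter, underscore or backtick, so
    // operator characters and a bare numeric literal are never matched.
    return preg_replace_callback(
        '/([A-Za-z_`][A-Za-z_0-9.`]*)/',
        function (array $m): string {
            return protect_identifier($m[1]);
        },
        $k
    );
}

// Constructed cases: the two from the ticket plus a dotted and an
// already-escaped key.
$cases = [
    'left >'      => '`left` >',
    'left'        => '`left`',
    'users.id <=' => '`users`.`id` <=',
    '`left` >'    => '`left` >',
];
foreach ($cases as $in => $want) {
    $got = protect_where_key($in);
    printf("%-14s -> %-18s %s\n", $in, $got, $got === $want ? 'ok' : 'MISMATCH');
}
```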
