FIX - Ignores SQL functions on the SELECT statement. #1612

Closed
wants to merge 1 commit into from

4 participants

@borgir

SQL functions can result in unexpected results when there are , (commas) inside.
That's because the select method (DB_query_builder.php) processes its arguments (the selects - $select) with an explode by , (commas) regardless of the content.

My solution simply ignores the functions and their parameters. So it won't check the validity of the parameters nor add the database prefix when needed.

Based on this thread:
http://codeigniter.com/forums/viewthread/220573/

@ckdarby

I agree with the functionality this provides but I disagree with the code implementation of throwing [function] into this.
:-1:

@cryode

I also don't think this is the best solution. The do while is just weird syntax.

Related: #634 -- Your solution essentially does the same as mine (temporarily replacing text to preserve the correct explode() results) but in a more convoluted way. Maybe implement something more like that.
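As an added example (not code from this pull request, from #634, or from CodeIgniter itself), here is a parenthesis- and quote-aware splitter that does what both the regex placeholder in this patch and the temporary text replacement in #634 are trying to achieve: split a select list on commas without breaking inside a function call. The function name `split_select_list` and the sample select list are constructed for illustration.

```php
<?php
// Added example, not CodeIgniter code: split a SELECT list on commas that are
// not nested inside parentheses or quoted strings, instead of a blind explode(',').

/**
 * Split a comma-separated SELECT list into its top-level expressions.
 * Commas inside (...) and inside single- or double-quoted strings are kept
 * with the expression they belong to.
 */
function split_select_list(string $select): array
{
    $parts = [];
    $buf   = '';
    $depth = 0;     // current parenthesis nesting level
    $quote = null;  // active quote character, or null when outside a string
    $len   = strlen($select);

    for ($i = 0; $i < $len; $i++) {
        $ch = $select[$i];

        if ($quote !== null) {
            // Inside a string literal: copy verbatim, honour backslash escapes,
            // and leave the string when its opening quote character recurs.
            $buf .= $ch;
            if ($ch === '\\' && $i + 1 < $len) {
                $buf .= $select[++$i];
            } elseif ($ch === $quote) {
                $quote = null;
            }
            continue;
        }

        if ($ch === "'" || $ch === '"') {
            $quote = $ch;
        } elseif ($ch === '(') {
            $depth++;
        } elseif ($ch === ')') {
            $depth = max(0, $depth - 1);   // tolerate a stray closing paren
        } elseif ($ch === ',' && $depth === 0) {
            // Top-level comma: this expression is complete.
            $parts[] = trim($buf);
            $buf = '';
            continue;
        }
        $buf .= $ch;
    }

    if (trim($buf) !== '') {
        $parts[] = trim($buf);
    }
    return $parts;
}

// Constructed sample input: a nested call and a quoted format string that
// itself contains a comma.
$select = "id, DATE_FORMAT(created_at, '%d/%m/%Y, %H:%i') AS created, "
        . "COUNT(DISTINCT(user_id)) total";

print_r(explode(',', $select));       // the naive split used by select()
print_r(split_select_list($select));  // the depth-aware split
```

With this split, each resulting expression can still be handed to `protect_identifiers()` individually, and an expression containing `(` can be recognised and left unescaped in one place, without a placeholder string or a second queue that has to stay in step with the select array.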

@borgir

Thanks a lot for your opinion guys.
Cheers!

@narfbg
Owner

I have to agree, the proposed patch is not suitable.

@narfbg narfbg closed this
Commits on Jul 12, 2012
  1. @borgir
Showing with 26 additions and 1 deletion.
  1. +26 −1 system/database/DB_query_builder.php
27 system/database/DB_query_builder.php
@@ -75,7 +75,9 @@
protected $qb_cache_set = array();
protected $qb_no_escape = array();
- protected $qb_cache_no_escape = array();
+ protected $qb_cache_no_escape = array();
+
+ protected $qb_function = array();
/**
* Select
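Review bot: `$qb_function` is declared without the docblock the neighbouring properties carry and without the `qb_cache_*` counterpart that `$qb_no_escape` has, and nothing in this patch ever clears it. Since entries only leave the array via `array_shift()` in `_compile_select()`, a `[function]` placeholder that never reaches compilation (a select() whose query is discarded, or one merged from cache) leaves a stale expression that will be shifted into the next query's select list. Suggest resetting it wherever the other `qb_*` arrays are reset and documenting what it holds.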
@@ -88,6 +90,22 @@
*/
public function select($select = '*', $escape = NULL)
{
+ // is there a function? For ex. date_format('<date>', '<format>')
+ $pattern = '/[\w_]+\s*(\(.*?\))[\s\w]*/';
+
+ do
+ {
+ preg_match($pattern, $select, $matches);
+
+ if (count($matches) > 0)
+ {
+ $this->qb_function[] = $matches[0];
+
+ $select = str_replace($matches[0], '[function]', $select);
+ }
+
+ } while(count($matches) > 0);
+
if (is_string($select))
{
$select = explode(',', $select);
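Review bot: The placeholder loop runs before the `is_string($select)` check just below it, so an array `$select` (which that branch implies is supported) reaches `preg_match()` as a non-string; move the rewriting inside the string branch. Within the loop, `str_replace($matches[0], '[function]', $select)` replaces every occurrence, so a list with the same call twice (`COUNT(id), COUNT(id)`) yields two placeholders but one queue entry, and the lazy `\(.*?\)` stops at the first `)`, so a nested call such as `COUNT(DISTINCT(id))` is captured as `COUNT(DISTINCT(id)` and the text exploded afterwards is left as `[function])`, which no longer matches the placeholder in `_compile_select()`. A single pass that splits only on commas outside parentheses and quotes avoids all three; also `[\w_]` is redundant, as `\w` already includes `_`.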
@@ -2048,6 +2066,13 @@ protected function _compile_select($select_override = FALSE)
foreach ($this->qb_select as $key => $val)
{
$no_escape = isset($this->qb_no_escape[$key]) ? $this->qb_no_escape[$key] : NULL;
+
+ if ($this->qb_select[$key] == '[function]')
+ {
+ $this->qb_select[$key] = array_shift($this->qb_function);
+ continue;
+ }
+
$this->qb_select[$key] = $this->protect_identifiers($val, FALSE, $no_escape);
}
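Review bot: `array_shift($this->qb_function)` has no guard for an empty queue, so whenever placeholders outnumber stored expressions (duplicate calls, or an entry left over from an earlier select()) the column silently becomes `NULL` instead of failing; check that the queue is non-empty and otherwise fall back to `$val` or raise an error. Matching on the literal string also means any caller-supplied select item equal to `[function]` is swapped for the queue head, and `continue` skips `protect_identifiers()` entirely, so the stored expression, including any alias swallowed by the regex's trailing `[\s\w]*`, is emitted verbatim with no prefixing or identifier escaping. The description says this is intended, but it changes select()'s behaviour for every argument containing `(` and should be stated in the method's docblock.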