Hello, I'm using the latest version of CI and I noticed that the query builder doesn't escape the arguments of order_by().
Short example:
Quick hack:
Short example:
PHP Code:
// Example from the report: the column name and the sort direction are taken
// straight from the request and handed to order_by() without any validation,
// which is the code path the builder is expected (but claimed not) to escape.
$query = $this->db->select()->from('table');
$query->order_by($_POST['o_col'], $_POST['dir']);
Quick hack:
PHP Code:
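/**
 * Compile the ORDER BY clause from the queued order_by() entries.
 *
 * Each queued entry is an array with 'field', 'direction' and 'escape' keys.
 * When 'escape' is TRUE, single and double quote characters are removed from
 * the caller-supplied field and direction; when 'escape' is not FALSE and the
 * field is not a literal, the field is then passed through protect_identifiers().
 * Field and direction are concatenated as-is (the direction is assumed to carry
 * its own leading space — confirm against order_by()).
 *
 * Once compiled, $this->qb_orderby is replaced by the finished clause string
 * (prefixed with "\nORDER BY"), so a subsequent call returns that string as-is.
 *
 * @return string The compiled clause, or '' when nothing was queued.
 */
protected function _compile_order_by()
{
	if (is_array($this->qb_orderby) && count($this->qb_orderby) > 0)
	{
		// Quote characters stripped from escaped entries. Both needles are single
		// characters: the earlier two-character needle '""' never matched a lone
		// double quote, so a single '"' survived the replacement.
		$quotes = array("'", '"');

		for ($i = 0, $c = count($this->qb_orderby); $i < $c; $i++)
		{
			$field = $this->qb_orderby[$i]['field'];
			$direction = $this->qb_orderby[$i]['direction'];

			if ($this->qb_orderby[$i]['escape'] === TRUE)
			{
				// Strip BEFORE protect_identifiers() runs: it is assumed to wrap the
				// field in the driver's identifier delimiter, which on several drivers
				// is the double quote itself — stripping afterwards would remove that
				// delimiter and break the statement. A quoted literal flagged for
				// escaping is therefore protected as an identifier after stripping
				// rather than emitted raw.
				// NOTE(review): quote stripping is a band-aid, not a whitelist; the
				// robust control is validating the column name and direction against
				// an allow-list before they reach order_by().
				$field = str_replace($quotes, '', $field);
				$direction = str_replace($quotes, '', $direction);
			}

			if ($this->qb_orderby[$i]['escape'] !== FALSE && ! $this->_is_literal($field))
			{
				$field = $this->protect_identifiers($field);
			}

			$this->qb_orderby[$i] = $field.$direction;
		}

		return $this->qb_orderby = "\nORDER BY ".implode(', ', $this->qb_orderby);
	}
	elseif (is_string($this->qb_orderby))
	{
		// Already compiled (or set directly as a string): return it unchanged.
		return $this->qb_orderby;
	}

	return '';
}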