Suggestion for the protect_identifiers method
#1

OverZealous
The updated protect_identifiers excellently detects and stops processing anything inside parentheses - which is great for NOT protecting functions, etc.

I recommend that this method get placed directly below the array check, to prevent any modification happening to items that don't need to be (or shouldn't be) protected.
Code:
...

    return $escaped_array;
}
// around line 1215

// This is basically a bug fix for queries that use MAX, MIN, etc.
// If a parenthesis is found we know that we do not need to
// escape the data or add a prefix.  There's probably a more graceful
// way to deal with this, but I'm not thinking of it -- Rick
if (strpos($item, '(') !== FALSE)
{
    return $item;
}

// Convert tabs or multiple spaces into single spaces
$item = preg_replace('/[\t ]+/', ' ', $item);

...

This would pretty much resolve any remaining issues (for me) with protect_identifiers, because I could disable it by encapsulating items I do not want to be escaped in parentheses:
Code:
// note: just examples, not necessarily real-world usage...
// This won't be "protected"
$this->db->select('(DATABASE_CONSTANT)');
// nor will this
$this->db->select('now()');
// this might still be changed by the current placement of the check
$this->db->select("('two spaces [  ]') as two_spaces");
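
The placement issue from the post above, as an added example that is not part of the original post and is not CodeIgniter's own code. It is a simplified model of the method: the function name, the `$check_first` switch and the backtick quoting are assumptions, and the inputs are the post's three strings plus two constructed ones.

```php
<?php
// Simplified stand-alone model (NOT CodeIgniter's real method) of the two
// placements of the parenthesis check discussed in the post above.
function protect_identifiers_model(string $item, bool $check_first): string
{
    // Suggested placement: bail out before anything touches the string.
    if ($check_first && strpos($item, '(') !== false) {
        return $item;
    }

    // Convert tabs or multiple spaces into single spaces (from the post).
    $item = preg_replace('/[\t ]+/', ' ', $item);

    // Assumed current placement: the same check, but after normalisation.
    if (strpos($item, '(') !== false) {
        return $item;
    }

    // Assumption: plain identifiers get backtick-quoted per dotted segment.
    $parts = array_map(
        fn($p) => $p === '*' ? $p : '`' . str_replace('`', '``', $p) . '`',
        explode('.', $item)
    );
    return implode('.', $parts);
}

// Constructed inputs: the post's three examples, a MAX() call, a plain column.
$samples = [
    '(DATABASE_CONSTANT)',
    'now()',
    "('two spaces [  ]') as two_spaces",
    'MAX(price) as max_price',
    'users.name',
];

foreach ($samples as $s) {
    $late  = protect_identifiers_model($s, false); // check after whitespace pass
    $early = protect_identifiers_model($s, true);  // check moved to the top
    printf("input: %s\n  late : %s\n  early: %s\n", $s, $late, $early);
    if ($late !== $early) {
        echo "  -> late placement altered text inside the parentheses\n";
    }
    // Returned unchanged means it reached the query with no escaping at all.
    if ($early === $s && strpos($s, '(') !== false) {
        echo "  -> passed through unescaped\n";
    }
}
```

Every input flagged as passed through reaches the SQL text verbatim, so strings that rely on the parenthesis shortcut should be developer-written constants, not request data.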



