Not all active record where( ) queries are escaped. User Guide needs correction
#1

[eluser]kylehase[/eluser]
The following page needs correcting:
http://ellislab.com/codeigniter/user-gui...ecord.html

Under the section: $this->db->where(); it states:
Note: All values passed to this function are escaped automatically, producing safer queries.

This is not the case when using the custom string method described in #4. If you pass a variable, for example
Code:
$where = "name=$name AND status='boss' OR status='active'";
$this->db->where($where);

The first parameter in the where method is never escaped so $name will be passed to your DB as is.
#2

[eluser]xwero[/eluser]
It only applies for the key/value and array form.
DB_active_rec.php _where
Code:
if ( ! is_array($key))
{
    $key = array($key => $value);
}
Possible change
Code:
if ( ! is_array($key))
{
    // no value given means the custom-string form was used, so escape the string itself
    $key = (is_null($value)) ? array($this->escape($key) => $value) : array($key => $value);
}
But then I don't think your custom string will function.
#3

[eluser]kylehase[/eluser]
Yes, I realized that for a situation such as mine you'd need to escape the variable before passing it to the where() method. Attempting to escape the string passed in the first parameter would break the query as those other quotes are necessary.

Might I just suggest updating the user guide to mention that queries are not escaped when using the custom string method #4.
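The point made above, as an added example that is not from this thread or from CodeIgniter itself: the same lookup written three ways in a CodeIgniter 1.x-style model, assuming a hypothetical "users" table with "name" and "status" columns. Only the first version passes user input into the SQL verbatim.

```php
<?php
// Added example (not from the thread or the CodeIgniter code base). Assumes a
// CodeIgniter 1.x model with $this->db loaded and a hypothetical "users" table.
class User_model extends Model
{
    // UNSAFE: the custom-string form of where() is not escaped, so whatever
    // the caller put in $name lands in the SQL exactly as typed.
    function find_unsafe($name)
    {
        $where = "name=$name AND status='boss' OR status='active'";
        $this->db->where($where);
        return $this->db->get('users')->result();
    }

    // Fix 1: keep the custom string, but escape the variable before it goes in.
    // $this->db->escape() wraps the value in quotes and escapes it for the
    // active driver, so a name like O'Brien becomes a proper string literal.
    function find_escaped($name)
    {
        $name  = $this->db->escape($name);
        $where = "name=$name AND status='boss' OR status='active'";
        $this->db->where($where);
        return $this->db->get('users')->result();
    }

    // Fix 2: use the key/value form for the user-controlled part; that form is
    // escaped automatically, and only the fixed status condition stays literal.
    // The status clause is grouped explicitly here: without the parentheses the
    // original string is parsed as (name=... AND status='boss') OR status='active',
    // which returns every active row regardless of name, presumably not intended.
    function find_keyvalue($name)
    {
        $this->db->where('name', $name);
        $this->db->where("(status='boss' OR status='active')");
        return $this->db->get('users')->result();
    }
}
```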
#4

[eluser]Derek Allard[/eluser]
Thanks linuxamp. Could I ask that you submit a bug report for this? Thanks.