[eluser]barbazul[/eluser]
Nothing is "guaranteed". I just put myself in the shoes of whoever first wrote those methods to see the logic they've used.
In the case of SET operations, I can't think of something like:
Code:
SET CONCAT(field1,field2) = 'some value'
so you'll always be passing real field names in the first parameter (or array key) and they get correctly escaped
but you might be passing something weird on the value like
Code:
SET field1 = (field2+field3)/2
in which case you might or might not want the value to be escaped.
In the case of WHERE it gets trickier, as the SQL syntax is more flexible, so the number of possible combinations is enormous.
The solution the guys at EllisLab came up with is pretty flexible, and they say in the docs:
Quote:Note: All values passed to this function are escaped automatically, producing safer queries.
So basically that's the way they decided it should work.
It might not be the most elegant solution but it works fine in the vast majority of cases and if you want to do something that hasn't been covered up, you can write your own clause:
Code:
$this->db->where("date > NOW()");
and you can always write your entire query if you don't like how they get generated by CI:
Quote:$this->db->query("UPDATE mytable SET name='barbazul', `order`=3 WHERE date > NOW() AND `status`='active'");
Now, on a different discussion topic I'd really like to see some important keywords to be implemented as part of CI. NOW() is definitely one of them.
I've previously worked on the implementation of random ordering, and though it can still be improved, it got released.
So as you see, whatever it is that you don't like or feel there is room for improvement, you can always propose a different solution and, if the community likes it, it will eventually show up in the core.
Regarding the date() example... it was just to illustrate how I always try to keep the specifics of MySQL out of the way.
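
The difference the post above describes between an escaped SET value and a raw expression, as an added example that is not part of the original post and is not CodeIgniter's code. The helpers `quote_ident()`, `build_update()` and `show()` are hypothetical, and the script assumes PHP 7.1+ with the pdo_sqlite extension, using an in-memory SQLite table in place of MySQL.

```php
<?php
// Added example, not CodeIgniter's code. All helper names are hypothetical.

function quote_ident(string $name): string
{
    // The first parameter is always a real field name, so anything that is
    // not a plain identifier is rejected rather than passed through.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("not a field name: $name");
    }
    return '`' . $name . '`';
}

function build_update(PDO $db, string $table, array $set): string
{
    $parts = [];
    foreach ($set as $field => $spec) {
        // A plain value is escaped; [expression, false] is inserted as written.
        [$value, $escape] = is_array($spec) ? $spec : [$spec, true];
        $rhs = $escape ? $db->quote((string) $value) : $value;
        $parts[] = quote_ident($field) . ' = ' . $rhs;
    }
    return 'UPDATE ' . quote_ident($table) . ' SET ' . implode(', ', $parts);
}

function show(PDO $db, array $set): void
{
    $sql = build_update($db, 't', $set);
    $db->exec($sql);
    $row = $db->query('SELECT field1, field2 FROM t')->fetch(PDO::FETCH_ASSOC);
    echo $sql, "\n  row: ", json_encode($row), "\n";
}

// Constructed sample table in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t (field1, field2 INTEGER, field3 INTEGER)');
$db->exec('INSERT INTO t VALUES (0, 4, 8)');

// Escaped (default): the expression is stored as a literal string.
show($db, ['field1' => '(field2+field3)/2']);
// Not escaped: the database evaluates the developer-written expression.
show($db, ['field1' => ['(field2+field3)/2', false]]);
// Escaped value containing a quote (constructed): it stays data, field2 is untouched.
show($db, ['field1' => "x', field2 = '0"]);
```

Only expressions written by the developer belong in the unescaped form; anything that arrives from a request goes through the escaped path.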