From 1081ac1b8a3ba06311d1cdcea094214395e3f00e Mon Sep 17 00:00:00 2001 From: Franz Liedke Date: Fri, 5 Oct 2012 14:38:13 +0300 Subject: [PATCH 1/2] Implement DB::escape(). --- laravel/database.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/laravel/database.php b/laravel/database.php index c5e28ac2..60fd09d1 100644 --- a/laravel/database.php +++ b/laravel/database.php @@ -124,6 +124,19 @@ class Database { { return new Expression($value); } + + /** + * Escape a string for usage in a query. + * + * This uses the correct quoting mechanism for the default database connection. + * + * @param string $value + * @return string + */ + public static function escape($value) + { + return static::connection()->pdo->quote($value); + } /** * Get the profiling data for all queries. From d7dfd4f91565f6acbc2199e5d3a52410f039e55e Mon Sep 17 00:00:00 2001 From: Franz Liedke Date: Thu, 11 Oct 2012 18:24:43 +0300 Subject: [PATCH 2/2] Use DB::escape() shortcut in profiler. --- laravel/profiling/profiler.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/laravel/profiling/profiler.php b/laravel/profiling/profiler.php index a26396ee..fe4397e5 100644 --- a/laravel/profiling/profiler.php +++ b/laravel/profiling/profiler.php @@ -145,7 +145,7 @@ class Profiler { { foreach ($bindings as $binding) { - $binding = Database::connection()->pdo->quote($binding); + $binding = Database::escape($binding); $sql = preg_replace('/\?/', $binding, $sql, 1); $sql = htmlspecialchars($sql);