fix: resolve subquery bare alias escape bypass regression and restore test expectations

gr8man · gr8man · commit 1a9882aba69c · 2026-06-08T23:43:16.000+02:00
diff --git a/system/Database/BaseConnection.php b/system/Database/BaseConnection.php
@@ -1306,6 +1306,10 @@ public function protectIdentifiers($item, bool $prefixSingle = false, ?bool $pro
             $alias = '';
         }
 
+        if ($alias !== '' && strcspn($item, "()'") !== strlen($item) && $this->isIdentifierEscapeExempt($item)) {
+            return $item . $alias;
+        }
+
         // Break the string apart if it contains periods, then insert the table prefix
         // in the correct location, assuming the period doesn't indicate that we're dealing
         // with an alias. While we're at it, we will escape the components
diff --git a/tests/system/Database/BaseConnectionTest.php b/tests/system/Database/BaseConnectionTest.php
@@ -430,7 +430,7 @@ public static function provideProtectIdentifiers(): iterable
                 true,
                 true,
                 '(SELECT SUM(payments.amount) FROM payments WHERE payments.invoice_id=4) AS amount_paid)',
-                '(SELECT SUM(payments.test_amount) FROM payments WHERE payments.invoice_id=4) AS "amount_paid)"',
+                '(SELECT SUM(payments.amount) FROM payments WHERE payments.invoice_id=4) AS "amount_paid)"',
             ],
             'sub query with missing `)` at the end' => [
                 false,
