Closed (fixed)
Project:
Drupal core
Component:
database system
Priority:
Critical
Category:
Bug report
Assigned:
Reporter:
Created:
25 Mar 2005 at 13:23 UTC
Updated:
22 Apr 2005 at 13:15 UTC
Jump to comment: Most recent file
Parts of update_124 will fail if an anonymous commentor's name contains a single quote. To fix this, I updated update_sql to accept additional parameters that it sends on to db_query. I also moved update_sql to the top of the file. The only problem I could find with this approach is that the query displayed by update.php contains the substitute parameter (%s or %d), not the actual parameter.
I'd appreciate if someone else could take a look and see if there's a better way to do this. I think that update_sql should have this functionality anyway, though.
| Comment | File | Size | Author |
|---|---|---|---|
| #6 | updates-4-5_0.patch | 2.59 KB | junyor |
| #5 | updates-cvs_0.patch | 2.37 KB | junyor |
| #3 | updates-cvs.patch | 2.3 KB | junyor |
| #2 | updates-4-5.patch | 2.14 KB | junyor |
| #1 | updates_2.patch | 2.06 KB | junyor |
Comments
Comment #1
junyor commentedHere's the same patch for 4.5.2.
BTW, there was an $edit variable in update_sql that appeared to be unused, so I removed it in both of these patches.
Comment #2
junyor commentedMade the patch a bit better. Here's a new version for CVS.
Comment #3
junyor commentedThat one was actually for 4.5.x. Here's the one for CVS.
Comment #4
Steven commentedThis patch means that db arguments to update_sql() may not be passed as an array, but must be passed literally. Otherwise, an array with an array in it would be passed to db_query.
This is confusing and inconsistent with the other db_ functions, so I would say we need to change the patch so it also accepts either syntax, like the rest of the db functions.
Comment #5
junyor commentedI think this should do it. Patch for HEAD.
Comment #6
junyor commentedPatch for 4.5.2.
Comment #7
dries commentedCommitted a modified patch to HEAD and DRUPAL-4-6. Thanks.
Comment #8
(not verified) commented