Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Update 6103 fails to escape the string $renamed_permission before executing it's update query. If you have a permission with ' in it, this causes the sql query to fail. For example:
Failed: UPDATE {permission} SET perm = 'access 'I created' tab, edit any images, delete any images' WHERE rid = X
Fix is to call db_escape_string on $renamed_permission:
@@ -354,7 +354,7 @@
'edit own images' => 'edit own images, delete own images',
));
if ($renamed_permission != $role->perm) {
- $ret[] = update_sql("UPDATE {permission} SET perm = '$renamed_permission' WHERE rid = $role->rid");
+ $ret[] = update_sql("UPDATE {permission} SET perm = '".db_escape_string($renamed_permission)."' WHERE rid = $role->rid");
}
}
return $ret;
Comments
Comment #1
joachim commentedThanks for reporting this problem.
We've in fact fixed it about five minutes ago at the image sprint at DrupalCon!
Please report any further problems you find.