Using with nmoderation module creates an error at sql query

Hi, thanks for drawing this to my attention. On the face of it the fix is trivial. However, having the quote in the name does not appear to "break" the Drupal API specification for hook_node_info() which states :-

The 'name' value is a human-readable name for the node...

If a value is "human-readable" then if it's to be used in SQL it should be escaped by the "SQL builder" since, as in this case, it contains characters that can break a dynamically built SQL statement.

I've looked at the nmoderation code and can see where it implode()'s the values into a string ready to be placed into an IN() SQL clause. Realistically imho, nmoderation should escape each node name before implosion because it is "human-readable".

I have sent an email to the development list regarding this clarify whether my use of the quote in the name was incorrect or whether nmoderation is at fault.

I'm happy to remove the quote and make things work smoothly. However, I'd like to seek expert advice/clarification from the developers list before changing anything.

If nmoderation turns out to be at fault I can easily supply a patch to "fix" it or just as easily remove the quote from my node name.

Just waiting for some response from experts before deciding which to do.

best regards
--AjK

Hi there,

Have sought advice from the developers list.

I've found that the bug is in nmoderation and the way it handles the returned array from node_get_types() drupal function.

I have filed an issue with them that describes the problem and a patch to fix it also.

http://drupal.org/node/65989

So, the quote in "Jan's guide" is legal and for the time being at least, will be left there.

Regards
--AjK