Posted by turkanis on June 16, 2010 at 3:08am
| Project: | Update API |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs work |
Issue Summary
Some modules, such as module_grants, define permissions containing single quote characters, e.g., "access 'I can edit' tab". The permissions cause syntax errors in the queries constructed in update_api_permissions_grant() and update_api_permissions_revoke().
The attached patch fixes this by escaping single quote characters. You might want to consider additional precautions; I'm not sure exactly what strings are legal permissions.
| Attachment | Size |
|---|---|
| escape-permissions.patch | 1.69 KB |
Comments
#1
Hi! Good catch, and thanks for the patch! I would prefer we use db_escape_string().
#2
Yeah, that's obviously correct. I rarely use that function and forget that it exists.
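The failure described in the issue summary, and two ways of avoiding it, as an added example that is not code from the attached patch or from Update API. It uses Python's sqlite3 module as a stand-in for Drupal's database layer; the `role_permission` table and the `grant_*` function names are assumptions made for the illustration.

```python
import sqlite3

# Permission name quoted in the issue summary.
PERMISSION = "access 'I can edit' tab"
INSERT = "INSERT INTO role_permission (rid, permission) VALUES "

def make_db():
    # Constructed stand-in table (assumption, not Drupal's schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE role_permission (rid INTEGER, permission TEXT)")
    return db

def grant_concatenated(db, rid, permission):
    # Failure mode from the report: the value is pasted inside '...' as-is.
    db.execute(INSERT + "(%d, '%s')" % (rid, permission))

def grant_escaped(db, rid, permission):
    # Escape first by doubling single quotes (standard SQL form; the page
    # does not show which escaping the attached patch uses).
    db.execute(INSERT + "(%d, '%s')" % (rid, permission.replace("'", "''")))

def grant_bound(db, rid, permission):
    # Bound parameters: the driver keeps data out of the SQL text entirely.
    db.execute(INSERT + "(?, ?)", (rid, permission))

def demo():
    # Run each variant against a fresh table and record what was stored.
    results = {}
    for grant in (grant_concatenated, grant_escaped, grant_bound):
        db = make_db()
        try:
            grant(db, 3, PERMISSION)
            rows = db.execute("SELECT permission FROM role_permission")
            results[grant.__name__] = [r[0] for r in rows]
        except sqlite3.OperationalError as exc:
            results[grant.__name__] = "error: %s" % exc
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Hand-written escaping is dialect-specific, which is why a database layer's own escaping function or placeholder mechanism is the safer choice than a manual string replace.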