- Patch 13180 by chx: renamed check_query() to db_escape_string() and implemtented it properly per database backend.

  Read the manual for pg_escape_string:  "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."

1 files changed, 3 insertions, 3 deletions

diff --git a/modules/node/node.module b/modules/node/node.module
index 76270f76e..f56379f04 100644
--- a/modules/node/node.module
+++ b/modules/node/node.module
@@ -386,7 +386,7 @@ function node_load($conditions, $revision = NULL, $reset = NULL) {
 
   // Turn the conditions into a query.
   foreach ($conditions as $key => $value) {
-    $cond[] = 'n.'. check_query($key) ." = '". check_query($value) ."'";
+    $cond[] = 'n.'. db_escape_string($key) ." = '". db_escape_string($value) ."'";
   }
 
   // Retrieve the node.
@@ -452,7 +452,7 @@ function node_save($node) {
     // Prepare the query:
     foreach ($node as $key => $value) {
       if (in_array($key, $fields)) {
-        $k[] = check_query($key);
+        $k[] = db_escape_string($key);
         $v[] = $value;
         $s[] = "'%s'";
       }
@@ -478,7 +478,7 @@ function node_save($node) {
     // Prepare the query:
     foreach ($node as $key => $value) {
       if (in_array($key, $fields)) {
-        $q[] = check_query($key) ." = '%s'";
+        $q[] = db_escape_string($key) ." = '%s'";
         $v[] = $value;
       }
     }