- Patch 13180 by chx: renamed check_query() to db_escape_string() and implemtented it properly per database backend.

Read the manual for pg_escape_string: "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
author: Dries Buytaert <dries@buytaert.net> 2004-11-21 08:25:17 +0000
committer: Dries Buytaert <dries@buytaert.net> 2004-11-21 08:25:17 +0000
commit: fa97839088dd0de1df73a990255edce7eddf90d9 (patch)
tree: ddea053e39d55040400026ce1886464403b6f491 /modules/profile/profile.module
parent: dc32e54f31e2b1308d5a6813dd644477076ec48d (diff)
download: brdo-fa97839088dd0de1df73a990255edce7eddf90d9.tar.gz
brdo-fa97839088dd0de1df73a990255edce7eddf90d9.tar.bz2
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/profile/profile.module b/modules/profile/profile.module
index 3bf611a03..44d283167 100644
--- a/modules/profile/profile.module
+++ b/modules/profile/profile.module
@@ -86,10 +86,10 @@ function profile_browse() {
         $query = 'v.value = 1';
         break;
       case 'selection':
-        $query = "v.value = '". check_query($value) ."'";
+        $query = "v.value = '". db_escape_string($value) ."'";
         break;
       case 'list':
-        $query = "v.value LIKE '%%". check_query($value) ."%%'";
+        $query = "v.value LIKE '%%". db_escape_string($value) ."%%'";
         break;
       default:
         drupal_not_found();
author	Dries Buytaert <dries@buytaert.net>	2004-11-21 08:25:17 +0000
committer	Dries Buytaert <dries@buytaert.net>	2004-11-21 08:25:17 +0000
commit	fa97839088dd0de1df73a990255edce7eddf90d9 (patch)
tree	ddea053e39d55040400026ce1886464403b6f491 /modules/profile/profile.module
parent	dc32e54f31e2b1308d5a6813dd644477076ec48d (diff)
download	brdo-fa97839088dd0de1df73a990255edce7eddf90d9.tar.gz brdo-fa97839088dd0de1df73a990255edce7eddf90d9.tar.bz2