authorDries Buytaert <dries@buytaert.net>2004-11-21 08:25:17 +0000
committerDries Buytaert <dries@buytaert.net>2004-11-21 08:25:17 +0000
commitfa97839088dd0de1df73a990255edce7eddf90d9 (patch)
treeddea053e39d55040400026ce1886464403b6f491 /modules/user/user.module
parentdc32e54f31e2b1308d5a6813dd644477076ec48d (diff)
- Patch 13180 by chx: renamed check_query() to db_escape_string() and implemented it properly per database backend.
Read the manual for pg_escape_string: "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
Diffstat (limited to 'modules/user/user.module')
-rw-r--r--modules/user/user.module4
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/user/user.module b/modules/user/user.module
index 390eb075e..f9337d1d3 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -152,13 +152,13 @@ function user_save($account, $array = array(), $category = 'account') {
// because we don't have a fully initialized user object yet.
foreach ($array as $key => $value) {
if ($key == 'pass') {
- $fields[] = check_query($key);
+ $fields[] = db_escape_string($key);
$values[] = md5($value);
$s[] = "'%s'";
}
else if (substr($key, 0, 4) !== 'auth') {
if (in_array($key, $user_fields)) {
- $fields[] = check_query($key);
+ $fields[] = db_escape_string($key);
$values[] = $value;
$s[] = "'%s'";
}
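Review bot: `db_escape_string($key)` on both changed lines escapes a value that is appended to `$fields`, which looks like the column-name list rather than a quoted string literal, and string escaping is not identifier quoting. What actually constrains `$key` here is the `$key == 'pass'` test and the `in_array($key, $user_fields)` allow-list, so I would say so in a comment above the loop, e.g. `// Column names come only from 'pass' or $user_fields; db_escape_string() is not relied on to make identifiers safe.` Both checks use loose comparison, so a numeric key in `$array` can match a string under PHP's `==` rules; `$key === 'pass'` and `in_array($key, $user_fields, TRUE)` would close that. user_save() begins and ends outside this hunk, so how `$fields` is joined into the query is inferred, not visible.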