author | Steven Wittens <steven@10.no-reply.drupal.org> | 2004-09-24 20:04:54 +0000 |
---|---|---|
committer | Steven Wittens <steven@10.no-reply.drupal.org> | 2004-09-24 20:04:54 +0000 |
commit | eecbda5635a1621e323d8b7328a253ff945cb96c (patch) | |
tree | 2d9955bde9e20c96f6af333406faf8e53830202d /modules | |
parent | 309b41180374df7ef88342ae6efaa19fdb518dd7 (diff) | |
download | brdo-eecbda5635a1621e323d8b7328a253ff945cb96c.tar.gz brdo-eecbda5635a1621e323d8b7328a253ff945cb96c.tar.bz2 |
- Fixing user_load() to use sprintf db_query syntax. Uglier, but safer.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/user.module | 15 | ||||
-rw-r--r-- | modules/user/user.module | 15 |
2 files changed, 22 insertions, 8 deletions
diff --git a/modules/user.module b/modules/user.module
index d780cd6df..d616f21b3 100644
--- a/modules/user.module
+++ b/modules/user.module
@@ -44,18 +44,25 @@ function user_load($array = array()) {
 // Dynamically compose a SQL query:
 $query = '';
+ $params = array();
 foreach ($array as $key => $value) {
 if ($key == 'pass') {
- $query .= "u.$key = '". md5($value) ."' AND ";
+ $query .= "u.$key = '%s' AND ";
+ $params[] = md5($value);
 }
 else if ($key == 'uid') {
- $query .= "u.uid = ". check_query($value) ." AND ";
+ $query .= "u.uid = %d AND ";
+ $params[] = $value;
 }
 else {
- $query .= "LOWER(u.$key) = '". strtolower(check_query($value)) ."' AND ";
+ $query .= "LOWER(u.$key) = '%s' AND ";
+ $params[] = strtolower($value);
 }
 }
- $result = db_query_range("SELECT u.* FROM {users} u WHERE $query u.status < 3", 0, 1);
+ array_unshift($params, "SELECT u.* FROM {users} u WHERE $query u.status < 3");
+ $params[] = 0;
+ $params[] = 1;
+ $result = call_user_func_array('db_query_range', $params);
 if (db_num_rows($result)) {
 $user = db_fetch_object($result);
diff --git a/modules/user/user.module b/modules/user/user.module
index d780cd6df..d616f21b3 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module 
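Review bot: The identifier `$key` is still interpolated unescaped into `"u.$key = '%s' AND "` and `"LOWER(u.$key) = '%s' AND "`, so the new placeholders cover the values but not the column name; the same applies to the identical hunk in modules/user/user.module. Whether any caller can influence the keys of `$array` is not visible from this hunk, so the contract should at least be stated in a docblock on user_load, e.g. `// Keys of $array must be trusted {users} column names: they are spliced into the SQL verbatim; only the values pass through db_query placeholders.` A stricter variant would compare `$key` against the known column names before appending to `$query`, which would also keep a key containing `%` from corrupting the format string that array_unshift() hands to db_query_range(). user_load's body continues past the last line of the hunk.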
@@ -44,18 +44,25 @@ function user_load($array = array()) {
 // Dynamically compose a SQL query:
 $query = '';
+ $params = array();
 foreach ($array as $key => $value) {
 if ($key == 'pass') {
- $query .= "u.$key = '". md5($value) ."' AND ";
+ $query .= "u.$key = '%s' AND ";
+ $params[] = md5($value);
 }
 else if ($key == 'uid') {
- $query .= "u.uid = ". check_query($value) ." AND ";
+ $query .= "u.uid = %d AND ";
+ $params[] = $value;
 }
 else {
- $query .= "LOWER(u.$key) = '". strtolower(check_query($value)) ."' AND ";
+ $query .= "LOWER(u.$key) = '%s' AND ";
+ $params[] = strtolower($value);
 }
 }
- $result = db_query_range("SELECT u.* FROM {users} u WHERE $query u.status < 3", 0, 1);
+ array_unshift($params, "SELECT u.* FROM {users} u WHERE $query u.status < 3");
+ $params[] = 0;
+ $params[] = 1;
+ $result = call_user_func_array('db_query_range', $params);
 if (db_num_rows($result)) {
 $user = db_fetch_object($result); |