From fa97839088dd0de1df73a990255edce7eddf90d9 Mon Sep 17 00:00:00 2001
From: Dries Buytaert <dries@buytaert.net>
Date: Sun, 21 Nov 2004 08:25:17 +0000
Subject: - Patch 13180 by chx: renamed check_query() to db_escape_string() and
 implemtented it properly per database backend.

  Read the manual for pg_escape_string:  "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
---
 includes/database.pear.inc | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

(limited to 'includes/database.pear.inc')

diff --git a/includes/database.pear.inc b/includes/database.pear.inc
index fc8da8f91..f06db36a4 100644
--- a/includes/database.pear.inc
+++ b/includes/database.pear.inc
@@ -45,11 +45,11 @@ function db_query($query) {
   $query = db_prefix_tables($query);
   if (count($args) > 1) {
     if(is_array($args[1])){
-      $args1 = array_map('check_query', $args[1]);
+      $args1 = array_map('db_escape_string', $args[1]);
       $nargs = array_merge(array($query), $args1);
     }
     else {
-      $nargs = array_map('check_query', $args);
+      $nargs = array_map('db_escape_string', $args);
       $nargs[0] = $query;
     }
     return _db_query(call_user_func_array('sprintf', $nargs));
@@ -69,11 +69,11 @@ function db_queryd($query) {
   $query = db_prefix_tables($query);
   if (count($args) > 1) {
     if(is_array($args[1])){
-      $args1 = array_map('check_query', $args[1]);
+      $args1 = array_map('db_escape_string', $args[1]);
       $nargs = array_merge(array($query), $args1);
     }
     else {
-      $nargs = array_map('check_query', $args);
+      $nargs = array_map('db_escape_string', $args);
       $nargs[0] = $query;
     }
     return _db_query(call_user_func_array('sprintf', $nargs), 1);
@@ -252,7 +252,7 @@ function db_query_range($query) {
   $count = array_pop($args);
   $from = array_pop($args);
   if (count(func_get_args()) > 3) {
-    $args = array_map('check_query', $args);
+    $args = array_map('db_escape_string', $args);
     $query = db_prefix_tables($query);
     $args[0] = $query;
     $result = $active_db->limitQuery(call_user_func_array('sprintf', $args), $from, $count);
@@ -278,4 +278,11 @@ function db_query_range($query) {
   }
 }
 
+/**
+ * Prepare user input for use in a database query, preventing SQL injection attacks.
+ */
+function db_escape_string($text) {
+  return addslashes($text);
+}
+
 ?>
-- 
cgit v1.2.3