From e77f87506c0355bb357bf32651148768e4a302b8 Mon Sep 17 00:00:00 2001
From: webchick <webchick@24967.no-reply.drupal.org>
Date: Tue, 17 May 2011 23:57:40 -0500
Subject: Issue #1105848 by cafuego: Fixed Unsafe query comments possible via
 UI.

---
 includes/database/pgsql/query.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'includes/database/pgsql/query.inc')

diff --git a/includes/database/pgsql/query.inc b/includes/database/pgsql/query.inc
index fe7909e17..f3783a9ca 100644
--- a/includes/database/pgsql/query.inc
+++ b/includes/database/pgsql/query.inc
@@ -103,8 +103,8 @@ class InsertQuery_pgsql extends InsertQuery {
   }
 
   public function __toString() {
-    // Create a comments string to prepend to the query.
-    $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Create a sanitized comment string to prepend to the query.
+    $comments = $this->connection->makeComment($this->comments);
 
     // Default fields are always placed first for consistency.
     $insert_fields = array_merge($this->defaultFields, $this->insertFields);
-- 
cgit v1.2.3