From fa97839088dd0de1df73a990255edce7eddf90d9 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Sun, 21 Nov 2004 08:25:17 +0000
Subject: - Patch 13180 by chx: renamed check_query() to db_escape_string() and implemtented it properly per database backend. Read the manual for pg_escape_string: "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
---
 modules/forum.module | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'modules/forum.module')
diff --git a/modules/forum.module b/modules/forum.module
index d19961328..1143e21ca 100644
--- a/modules/forum.module
+++ b/modules/forum.module
@@ -380,7 +380,7 @@ function forum_get_forums($tid = 0) {
 // This query does not use full ANSI syntax since MySQL 3.x does not support
 // table1 INNER JOIN table2 INNER JOIN table3 ON table2_criteria ON table3_criteria
- // used to join node_comment_statistics to users
+ // used to join node_comment_statistics to users.
 $topic = db_fetch_object(db_query_range('SELECT DISTINCT(n.nid), l.last_comment_timestamp, IF(l.last_comment_uid, cu.name, l.last_comment_name) as last_comment_name, l.last_comment_uid FROM {node} n ' . node_access_join_sql() . ", {node_comment_statistics} l /*! USE INDEX (node_comment_timestamp) */, {users} cu, {term_node} r WHERE n.nid = r.nid AND r.tid = %d AND n.status = 1 AND n.type = 'forum' AND l.last_comment_uid = cu.uid AND n.nid = l.nid AND " . node_access_where_sql() . ' ORDER BY l.last_comment_timestamp DESC', $forum->tid, 0, 1));
 $last_post->timestamp = $topic->last_comment_timestamp;
 $last_post->name = $topic->last_comment_name;
@@ -422,7 +422,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
 }
 $term = taxonomy_get_term($tid);
- $check_tid = $tid ? "'". check_query($tid) ."'" : 'NULL';
+ $check_tid = $tid ? "'". db_escape_string($tid) ."'" : 'NULL';
 $sql = "SELECT DISTINCT(n.nid), f.tid, n.title, n.sticky, u.name, u.uid, n.created AS timestamp, n.comment AS comment_mode, l.last_comment_timestamp, IF(l.last_comment_uid, cu.name, l.last_comment_name) as last_comment_name, l.last_comment_uid, l.comment_count AS num_comments FROM {node} n ". node_access_join_sql() .", {node_comment_statistics} l, {users} cu, {term_node} r, {users} u, {forum} f WHERE n.status = 1 AND l.last_comment_uid = cu.uid AND n.nid = l.nid AND n.nid = r.nid AND r.tid = $check_tid AND n.uid = u.uid AND n.nid = f.nid AND ". node_access_where_sql();
 $sql .= tablesort_sql($forum_topic_list_header, 'n.sticky DESC,');
-- cgit v1.2.3
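Review bot: In forum_get_topics, `$check_tid` is still built by quoting and escaping `$tid` and then interpolated into `$sql` as `r.tid = $check_tid`, so the query's safety depends on the escape function matching the active backend and on the surrounding quotes staying in place. `tid` looks like an integer term id (the forum_get_forums hunk binds it with `r.tid = %d`), so a cast is sturdier than escaping: `$check_tid = $tid ? (int) $tid : 'NULL';`, or use a `%d` placeholder where the query is executed, which is outside this hunk. Separately, `r.tid = NULL` never matches a row in standard SQL, so if the empty-`$tid` case is meant to select anything it needs `IS NULL`; if it is meant to return nothing, a short comment saying so would help. The function body starts and ends outside the hunk.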