From fa97839088dd0de1df73a990255edce7eddf90d9 Mon Sep 17 00:00:00 2001
From: Dries Buytaert
Date: Sun, 21 Nov 2004 08:25:17 +0000
Subject: - Patch 13180 by chx: renamed check_query() to db_escape_string() and implemtented it properly per database backend. Read the manual for pg_escape_string: "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
---
 modules/user.module | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'modules/user.module')
diff --git a/modules/user.module b/modules/user.module
index 390eb075e..f9337d1d3 100644
--- a/modules/user.module
+++ b/modules/user.module
@@ -152,13 +152,13 @@ function user_save($account, $array = array(), $category = 'account') {
 // because we don't have a fully initialized user object yet.
 foreach ($array as $key => $value) {
 if ($key == 'pass') {
- $fields[] = check_query($key);
+ $fields[] = db_escape_string($key);
 $values[] = md5($value);
 $s[] = "'%s'";
 }
 else if (substr($key, 0, 4) !== 'auth') {
 if (in_array($key, $user_fields)) {
- $fields[] = check_query($key);
+ $fields[] = db_escape_string($key);
 $values[] = $value;
 $s[] = "'%s'";
 }
--
cgit v1.2.3
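Review bot: On both changed lines `db_escape_string($key)` is applied to a value pushed onto `$fields`, which appears to hold column names rather than quoted string values (the query is assembled outside the hunk, so this is inferred). String-literal escaping does not make an identifier safe; what actually constrains `$key` is the `'pass'` comparison and the `in_array($key, $user_fields)` allow-list, so a comment such as `// $key is limited to 'pass' or an entry of $user_fields; the escape is defence in depth only` would keep readers from relying on the escape. Both of those checks are loose comparisons, and `$key === 'pass'` and `in_array($key, $user_fields, TRUE)` would be the tighter form. Separately, the unchanged context line `$values[] = md5($value);` stores the password as an unsalted MD5 digest, which is worth tracking as its own change. user_save() starts and ends outside the hunk.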