diff options
| author | Dries Buytaert <dries@buytaert.net> | 2007-05-30 09:11:21 +0000 |
|---|---|---|
| committer | Dries Buytaert <dries@buytaert.net> | 2007-05-30 09:11:21 +0000 |
| commit | 86e09fa4013073d9293b1468101d794022a1dfca (patch) | |
| tree | 38655364202e5362de02f989dbdd29a94364ba4f | |
| parent | 682c4cc2e714d08f1080e6bd7f1ba9e58c6975ec (diff) | |
| download | brdo-86e09fa4013073d9293b1468101d794022a1dfca.tar.gz brdo-86e09fa4013073d9293b1468101d794022a1dfca.tar.bz2 | |
- Patch #147692 by hswong3i: gives SQL backends more control over db_query().
| -rw-r--r-- | includes/database.inc | 36 | ||||
| -rw-r--r-- | includes/database.mysql-common.inc | 36 | ||||
| -rw-r--r-- | includes/database.pgsql.inc | 36 |
3 files changed, 72 insertions, 36 deletions
diff --git a/includes/database.inc b/includes/database.inc index 6e4bdeace..12a529a1c 100644 --- a/includes/database.inc +++ b/includes/database.inc @@ -186,42 +186,6 @@ function _db_query_callback($match, $init = FALSE) { define('DB_QUERY_REGEXP', '/(%d|%s|%%|%f|%b)/'); /** - * Runs a basic query in the active database. - * - * User-supplied arguments to the query should be passed in as separate - * parameters so that they can be properly escaped to avoid SQL injection - * attacks. - * - * @param $query - * A string containing an SQL query. - * @param ... - * A variable number of arguments which are substituted into the query - * using printf() syntax. Instead of a variable number of query arguments, - * you may also pass a single array containing the query arguments. - * - * Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose - * in '') and %%. - * - * NOTE: using this syntax will cast NULL and FALSE values to decimal 0, - * and TRUE values to decimal 1. - * - * @return - * A database query result resource, or FALSE if the query was not - * executed correctly. - */ -function db_query($query) { - $args = func_get_args(); - array_shift($args); - $query = db_prefix_tables($query); - if (isset($args[0]) and is_array($args[0])) { // 'All arguments in one array' syntax - $args = $args[0]; - } - _db_query_callback($args, TRUE); - $query = preg_replace_callback(DB_QUERY_REGEXP, '_db_query_callback', $query); - return _db_query($query); -} - -/** * Helper function for db_rewrite_sql. * * Collects JOIN and WHERE statements via hook_db_rewrite_sql() diff --git a/includes/database.mysql-common.inc b/includes/database.mysql-common.inc index d3fc793bd..80f78ff36 100644 --- a/includes/database.mysql-common.inc +++ b/includes/database.mysql-common.inc @@ -13,6 +13,42 @@ */ /** + * Runs a basic query in the active database. + * + * User-supplied arguments to the query should be passed in as separate + * parameters so that they can be properly escaped to avoid SQL injection + * attacks. + * + * @param $query + * A string containing an SQL query. + * @param ... + * A variable number of arguments which are substituted into the query + * using printf() syntax. Instead of a variable number of query arguments, + * you may also pass a single array containing the query arguments. + * + * Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose + * in '') and %%. + * + * NOTE: using this syntax will cast NULL and FALSE values to decimal 0, + * and TRUE values to decimal 1. + * + * @return + * A database query result resource, or FALSE if the query was not + * executed correctly. + */ +function db_query($query) { + $args = func_get_args(); + array_shift($args); + $query = db_prefix_tables($query); + if (isset($args[0]) and is_array($args[0])) { // 'All arguments in one array' syntax + $args = $args[0]; + } + _db_query_callback($args, TRUE); + $query = preg_replace_callback(DB_QUERY_REGEXP, '_db_query_callback', $query); + return _db_query($query); +} + +/** * Generate SQL to create a new table from a Drupal schema definition. * * @param $table diff --git a/includes/database.pgsql.inc b/includes/database.pgsql.inc index 0602b3500..deb6bfe58 100644 --- a/includes/database.pgsql.inc +++ b/includes/database.pgsql.inc @@ -112,6 +112,42 @@ function db_connect($url) { } /** + * Runs a basic query in the active database. + * + * User-supplied arguments to the query should be passed in as separate + * parameters so that they can be properly escaped to avoid SQL injection + * attacks. + * + * @param $query + * A string containing an SQL query. + * @param ... + * A variable number of arguments which are substituted into the query + * using printf() syntax. Instead of a variable number of query arguments, + * you may also pass a single array containing the query arguments. + * + * Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose + * in '') and %%. + * + * NOTE: using this syntax will cast NULL and FALSE values to decimal 0, + * and TRUE values to decimal 1. + * + * @return + * A database query result resource, or FALSE if the query was not + * executed correctly. + */ +function db_query($query) { + $args = func_get_args(); + array_shift($args); + $query = db_prefix_tables($query); + if (isset($args[0]) and is_array($args[0])) { // 'All arguments in one array' syntax + $args = $args[0]; + } + _db_query_callback($args, TRUE); + $query = preg_replace_callback(DB_QUERY_REGEXP, '_db_query_callback', $query); + return _db_query($query); +} + +/** * Helper function for db_query(). */ function _db_query($query, $debug = 0) { |