authorGábor Hojtsy <gabor@hojtsy.hu>2008-01-04 09:31:49 +0000
committerGábor Hojtsy <gabor@hojtsy.hu>2008-01-04 09:31:49 +0000
commit89be29505b1ed6146aef314d5524f46cc289cee3 (patch)
tree6be929fa5d9b84c48f0a5682bc6f95cb09b3bde3 /includes/database.mysql.inc
parent52f95c981bbf7588aedd1b5cb3ef74641572e39e (diff)
#198856 by hswong3i: Fix some incorrect use of %s for table name escaping, implement better security checks
Diffstat (limited to 'includes/database.mysql.inc')
-rw-r--r--includes/database.mysql.inc4
1 files changed, 2 insertions, 2 deletions
diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index a20486996..01eb22bef 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -346,14 +346,14 @@ function db_unlock_tables() {
* Check if a table exists.
*/
function db_table_exists($table) {
- return db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'")) ? TRUE : FALSE;
+ return (bool) db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'"));
}
/**
* Check if a column exists in the given table.
*/
function db_column_exists($table, $column) {
- return db_fetch_object(db_query("SHOW COLUMNS FROM {%s} LIKE '%s'", $table, $column)) ? TRUE : FALSE;
+ return (bool) db_fetch_object(db_query("SHOW COLUMNS FROM {". db_escape_table($table) ."} LIKE '". db_escape_table($column) ."'"));
}
/**
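Review bot: Both existence checks still place the sanitized name inside a `LIKE` pattern, where `_` is a single-character wildcard, so `db_table_exists()` and `db_column_exists()` can return TRUE for a different, similarly named table or column. `db_escape_table()` is defined outside this hunk; assuming it keeps underscores and drops other characters, it stops a name from breaking out of the quoted literal but does not neutralize the wildcard, and it silently turns a name such as `a-b` into `ab` instead of rejecting it. For the column check I would escape the wildcard before quoting, e.g. `$pattern = str_replace('_', '\\_', db_escape_table($column));`, and apply the same to the table pattern. Callers that use these checks to decide whether to create or alter schema would otherwise skip work on a false match.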