authorDries Buytaert <dries@buytaert.net>2004-11-21 08:25:17 +0000
committerDries Buytaert <dries@buytaert.net>2004-11-21 08:25:17 +0000
commitfa97839088dd0de1df73a990255edce7eddf90d9 (patch)
treeddea053e39d55040400026ce1886464403b6f491 /includes/database.mysql.inc
parentdc32e54f31e2b1308d5a6813dd644477076ec48d (diff)
- Patch 13180 by chx: renamed check_query() to db_escape_string() and implemented it properly per database backend.
Read the manual for pg_escape_string: "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
Diffstat (limited to 'includes/database.mysql.inc')
-rw-r--r--includes/database.mysql.inc17
1 files changed, 12 insertions, 5 deletions
diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index e3c46557d..dbae5254d 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -55,11 +55,11 @@ function db_query($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
- $args1 = array_map('check_query', $args[1]);
+ $args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
- $nargs = array_map('check_query', $args);
+ $nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs));
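Review bot: The escaping on the two new `array_map('db_escape_string', …)` lines covers only the values substituted through sprintf(), and db_escape_string() adds backslashes without adding quotes, so a `%s` placeholder that is not wrapped in quotes inside the query template is still spliced in as raw SQL; the same pattern recurs in the db_queryd() hunk and the db_query_range() hunk below. Nothing in the hunk documents this contract for callers. A short comment above the escaping would make it explicit: `// Arguments are escaped but not quoted: every %s in $query must be written as '%s'.` The body of db_query() begins before this hunk, where $args is presumably populated from func_get_args().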
@@ -79,11 +79,11 @@ function db_queryd($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
- $args1 = array_map('check_query', $args[1]);
+ $args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
- $nargs = array_map('check_query', $args);
+ $nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs), 1);
@@ -248,7 +248,7 @@ function db_query_range($query) {
$count = array_pop($args);
$from = array_pop($args);
if (count(func_get_args()) > 3) {
- $args = array_map('check_query', $args);
+ $args = array_map('db_escape_string', $args);
$query = db_prefix_tables($query);
$args[0] = $query;
$query = call_user_func_array('sprintf', $args);
@@ -286,6 +286,13 @@ function db_decode_blob($data) {
}
/**
+ * Prepare user input for use in a database query, preventing SQL injection attacks.
+ */
+function db_escape_string($text) {
+ return addslashes($text);
+}
+
+/**
* @} End of "ingroup database".
*/
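Review bot: The new db_escape_string() for the MySQL backend returns `addslashes($text)`, which is not the MySQL-specific escaping the commit message promises "per database backend"; addslashes() is not aware of the connection character set, whereas the driver's own `mysql_real_escape_string()` is. Unless the minimum PHP version rules it out, the body should be `return mysql_real_escape_string($text);` (it needs an open connection, so a call before db_connect() would need to be handled or documented). The docblock `Prepare user input for use in a database query, preventing SQL injection attacks.` also overstates what the function does on its own, since it only escapes a value for use inside a quoted string literal; I would rephrase it to `Escape a string value for safe inclusion inside a quoted SQL string literal.` and note that the caller must still quote the placeholder.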