author | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-10-12 14:51:23 +0000 |
committer | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-10-12 14:51:23 +0000 |
commit | 7d8c8d72f1b2f2942af8ea2bfa7c818d090aa3c7 (patch) | |
tree | f0460c82e416f9027f527ad8bf22cf68e2e55e76 /includes/database.mysqli.inc | |
parent | 47095ffb3cc73f45763b707b7f082707fe9180dd (diff) | |
#175117 follow up patch by moshe weitzman: sanitize user name, remove t() because it might not be available and comment what is happening
Diffstat (limited to 'includes/database.mysqli.inc')
-rw-r--r-- | includes/database.mysqli.inc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/includes/database.mysqli.inc b/includes/database.mysqli.inc
index 0f225496b..adbbb66ed 100644
--- a/includes/database.mysqli.inc
+++ b/includes/database.mysqli.inc
@@ -130,8 +130,14 @@ function _db_query($query, $debug = 0) {
 if (variable_get('dev_query', 0)) {
 list($usec, $sec) = explode(' ', microtime());
 $timer = (float)$usec + (float)$sec;
+ // If devel.module query logging is enabled, prepend a comment with the username and calling function
+ // to the SQL string. This is useful when running mysql's SHOW PROCESSLIST to learn what exact
+ // code is issueing the slow query.
 $bt = debug_backtrace();
- $name = ($user->uid) ? $user->name : variable_get('anonymous', t('Anonymous'));
+ // t() may not be available yet so we don't wrap 'Anonymous'
+ $name = $user->uid ? $user->name : variable_get('anonymous', 'Anonymous');
+ // str_replace() to prevent SQL injection via username or anonymous name.
+ $name = str_replace(array('*', '/'), '', $name);
 $query = '/* '. $name .' : '. $bt[2]['function'] .' */ '. $query;
 }
|
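Review bot: The new `str_replace(array('*', '/'), '', $name)` is a deny-list that only holds because of the exact shape of the literal on the next line (`'/* '. $name .' : '. ... .' */ '`), so the comment on the added line should state that invariant rather than just "to prevent SQL injection", e.g. `// Strip '*' and '/' so the name cannot contain the comment terminator; the name is only safe because it is embedded inside the '/* ... */' block built below, so keep that literal and this strip in sync.` An allow-list would be more robust against future changes to the comment format, for example `$name = preg_replace('/[^a-zA-Z0-9_@.\- ]/', '', $name);`, but note it would drop non-ASCII characters from display names, so the current strip is acceptable if the comment documents the dependency. The `$user` read on the replaced line is presumably declared with `global $user` earlier in `_db_query`, whose signature and opening lines lie outside this hunk, and the hunk's final context line is not visible here.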