summaryrefslogtreecommitdiff
path: root/includes/database.pgsql.inc
diff options
context:
space:
mode:
authorGábor Hojtsy <gabor@hojtsy.hu>2008-01-04 09:31:49 +0000
committerGábor Hojtsy <gabor@hojtsy.hu>2008-01-04 09:31:49 +0000
commit89be29505b1ed6146aef314d5524f46cc289cee3 (patch)
tree6be929fa5d9b84c48f0a5682bc6f95cb09b3bde3 /includes/database.pgsql.inc
parent52f95c981bbf7588aedd1b5cb3ef74641572e39e (diff)
downloadbrdo-89be29505b1ed6146aef314d5524f46cc289cee3.tar.gz
brdo-89be29505b1ed6146aef314d5524f46cc289cee3.tar.bz2
#198856 by hswong3i: Fix some incorrect use of %s for table name escaping, implement better security checks
Diffstat (limited to 'includes/database.pgsql.inc')
-rw-r--r--includes/database.pgsql.inc6
1 files changed, 3 insertions, 3 deletions
diff --git a/includes/database.pgsql.inc b/includes/database.pgsql.inc
index 65e049263..f5196fb91 100644
--- a/includes/database.pgsql.inc
+++ b/includes/database.pgsql.inc
@@ -228,7 +228,7 @@ function db_error() {
* The name of the autoincrement field.
*/
function db_last_insert_id($table, $field) {
- return db_result(db_query("SELECT currval('%s_seq')", db_prefix_tables('{'. $table .'}') .'_'. $field));
+ return db_result(db_query("SELECT CURRVAL('{". db_escape_table($table) ."}_". db_escape_table($field) ."_seq')"));
}
/**
@@ -384,14 +384,14 @@ function db_unlock_tables() {
* Check if a table exists.
*/
function db_table_exists($table) {
- return db_result(db_query("SELECT COUNT(*) FROM pg_class WHERE relname = '{". db_escape_table($table) ."}'"));
+ return (bool) db_result(db_query("SELECT COUNT(*) FROM pg_class WHERE relname = '{". db_escape_table($table) ."}'"));
}
/**
* Check if a column exists in the given table.
*/
function db_column_exists($table, $column) {
- return db_result(db_query("SELECT COUNT(pg_attribute.attname) FROM pg_class, pg_attribute WHERE pg_attribute.attrelid = pg_class.oid AND pg_class.relname = '{". db_escape_table($table) ."}' AND attname='%s'", $column));
+ return (bool) db_result(db_query("SELECT COUNT(pg_attribute.attname) FROM pg_class, pg_attribute WHERE pg_attribute.attrelid = pg_class.oid AND pg_class.relname = '{". db_escape_table($table) ."}' AND attname = '". db_escape_table($column) ."'"));
}
/**