diff options
author | Dries Buytaert <dries@buytaert.net> | 2004-11-21 08:25:17 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2004-11-21 08:25:17 +0000 |
commit | fa97839088dd0de1df73a990255edce7eddf90d9 (patch) | |
tree | ddea053e39d55040400026ce1886464403b6f491 /includes/database.pgsql.inc | |
parent | dc32e54f31e2b1308d5a6813dd644477076ec48d (diff) | |
download | brdo-fa97839088dd0de1df73a990255edce7eddf90d9.tar.gz brdo-fa97839088dd0de1df73a990255edce7eddf90d9.tar.bz2 |
- Patch 13180 by chx: renamed check_query() to db_escape_string() and implemtented it properly per database backend.
Read the manual for pg_escape_string: "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
Diffstat (limited to 'includes/database.pgsql.inc')
-rw-r--r-- | includes/database.pgsql.inc | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/includes/database.pgsql.inc b/includes/database.pgsql.inc index 3829b0920..2d5399018 100644 --- a/includes/database.pgsql.inc +++ b/includes/database.pgsql.inc @@ -51,11 +51,11 @@ function db_query($query) { $query = db_prefix_tables($query); if (count($args) > 1) { if(is_array($args[1])){ - $args1 = array_map('check_query', $args[1]); + $args1 = array_map('db_escape_string', $args[1]); $nargs = array_merge(array($query), $args1); } else { - $nargs = array_map('check_query', $args); + $nargs = array_map('db_escape_string', $args); $nargs[0] = $query; } return _db_query(call_user_func_array('sprintf', $nargs)); @@ -75,11 +75,11 @@ function db_queryd($query) { $query = db_prefix_tables($query); if (count($args) > 1) { if(is_array($args[1])){ - $args1 = array_map('check_query', $args[1]); + $args1 = array_map('db_escape_string', $args[1]); $nargs = array_merge(array($query), $args1); } else { - $nargs = array_map('check_query', $args); + $nargs = array_map('db_escape_string', $args); $nargs[0] = $query; } return _db_query(call_user_func_array('sprintf', $nargs), 1); @@ -242,7 +242,7 @@ function db_query_range($query) { $count = array_pop($args); $from = array_pop($args); if (count(func_get_args()) > 3) { - $args = array_map('check_query', $args); + $args = array_map('db_escape_string', $args); $query = db_prefix_tables($query); $args[0] = $query; $query = call_user_func_array('sprintf', $args); @@ -280,6 +280,14 @@ function db_decode_blob($data) { } /** + * Prepare user input for use in a database query, preventing SQL injection attacks. + * Note: This function requires PostgreSQL 7.2 or later. + */ +function db_escape_string($text) { + return pg_escape_string($text); +} + +/** * @} End of "ingroup database". */ |