diff options
author | webchick <webchick@24967.no-reply.drupal.org> | 2011-05-17 23:57:40 -0500 |
---|---|---|
committer | webchick <webchick@24967.no-reply.drupal.org> | 2011-05-17 23:57:40 -0500 |
commit | e77f87506c0355bb357bf32651148768e4a302b8 (patch) | |
tree | 57ee327a006e415b41612807ebe8468f4b03c68f /includes/database/mysql | |
parent | e27392c158c328ab3440c634c99212e302ef2f74 (diff) | |
download | brdo-e77f87506c0355bb357bf32651148768e4a302b8.tar.gz brdo-e77f87506c0355bb357bf32651148768e4a302b8.tar.bz2 |
Issue #1105848 by cafuego: Fixed Unsafe query comments possible via UI.
Diffstat (limited to 'includes/database/mysql')
-rw-r--r-- | includes/database/mysql/query.inc | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/includes/database/mysql/query.inc b/includes/database/mysql/query.inc index f7fb52f04..888b6a5a4 100644 --- a/includes/database/mysql/query.inc +++ b/includes/database/mysql/query.inc @@ -42,8 +42,8 @@ class InsertQuery_mysql extends InsertQuery { } public function __toString() { - // Create a comments string to prepend to the query. - $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : ''; + // Create a sanitized comment string to prepend to the query. + $comments = $this->connection->makeComment($this->comments); // Default fields are always placed first for consistency. $insert_fields = array_merge($this->defaultFields, $this->insertFields); @@ -92,8 +92,8 @@ class TruncateQuery_mysql extends TruncateQuery { // not transactional, and result in an implicit COMMIT. When we are in a // transaction, fallback to the slower, but transactional, DELETE. if ($this->connection->inTransaction()) { - // Create a comments string to prepend to the query. - $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : ''; + // Create a comment string to prepend to the query. + $comments = $this->connection->makeComment($this->comments); return $comments . 'DELETE FROM {' . $this->connection->escapeTable($this->table) . '}'; } else { |