author | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-09-27 16:52:00 +0000 |
committer | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-09-27 16:52:00 +0000 |
commit | 74def328c8d6ebaa6c46011b8dc9692be4900e7f (patch) | |
tree | 61d2ec1587743eb9c9eb3b860ee93935022f3e65 /includes | |
parent | b5b6b32e364b87c87e944968764e212e85d2e10e (diff) | |
#167284 by Heine and pwolanin: proper field type placeholders in IN() queries, setting a best practice to avoid vulnerabilities
Diffstat (limited to 'includes')
-rw-r--r-- | includes/database.inc | 31 |
1 files changed, 24 insertions, 7 deletions
diff --git a/includes/database.inc b/includes/database.inc
index e5cefded6..d82f94d00 100644
--- a/includes/database.inc
+++ b/includes/database.inc
@@ -188,6 +188,22 @@ function _db_query_callback($match, $init = FALSE) {
 }
 
 /**
+ * Generate placeholders for an array of query arguments of a single type.
+ *
+ * Given a Schema API field type, return correct %-placeholders to
+ * embed in a query
+ *
+ * @param $arguments
+ *   An array with at least one element.
+ * @param $type
+ *   The Schema API type of a field (e.g. 'int', 'text', or 'varchar').
+ */
+function db_placeholders($arguments, $type = 'int') {
+  $placeholder = _db_type_placeholder($type);
+  return implode(',', array_fill(0, count($arguments), $placeholder));
+}
+
+/**
  * Indicates the place holders that should be replaced in _db_query_callback().
  */
 define('DB_QUERY_REGEXP', '/(%d|%s|%%|%f|%b)/');
@@ -437,10 +453,10 @@ function db_create_table(&$ret, $name, $table) {
 }
 
 /**
- * Return an array of field names from an array of key/index column
- * specifiers. This is usually an identity function but if a
- * key/index uses a column prefix specification, this function
- * extracts just the name.
+ * Return an array of field names from an array of key/index column specifiers.
+ *
+ * This is usually an identity function but if a key/index uses a column prefix
+ * specification, this function extracts just the name.
  *
  * @param $fields
  *   An array of key/index column specifiers.
@@ -461,9 +477,10 @@ function db_field_names($fields) {
 }
 
 /**
- * Given a Schema API field type, return the correct %-placeholder to
- * embed in a query to be passed to db_query along with a value from a
- * column of the specified type.
+ * Given a Schema API field type, return the correct %-placeholder.
+ *
+ * Embed the placeholder in a query to be passed to db_query and and pass as an
+ * argument to db_query a value of the specified type.
  *
  * @param $type
  *   The Schema API type of a field.
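Review bot: The docblock of the new db_placeholders() promises "An array with at least one element" but the body never checks it; with an empty $arguments the `array_fill(0, count($arguments), ...)` call gets a zero count, which on the PHP versions this file targets presumably fails with a warning rather than yielding an empty list, and the caller's `IN (...)` clause is then built from a broken fragment. Either enforce the precondition or make the consequence explicit with a comment such as `// $arguments must be non-empty: a zero count gives no placeholders and an invalid IN () clause.`. The docblock also lacks an @return; I would add `@return A comma-separated list of placeholders, one per element of $arguments, to be wrapped in IN () while $arguments is passed through to db_query() unchanged.`, which spells out the property the commit is after — the placeholder type comes from the schema via $type, never from the data, and every value still goes through db_query()'s typed substitution. What _db_type_placeholder() returns for an unknown $type is not visible in this hunk and is worth a sentence in the docblock as well.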
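Review bot: The rewritten docblock for _db_type_placeholder() in the last hunk contains a doubled word: ` * Embed the placeholder in a query to be passed to db_query and and pass as an` should read ` * Embed the placeholder in a query to be passed to db_query and pass as an`. The function body itself starts after the hunk ends, so only the comment is reviewable here.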