- Patch #9478 by JonBob: allow printf-style arguments in pager_query.

  Currently pager_query() is the black sheep of the database query family, because it does not allow for printf-style arguments to be inserted in the query. This is a problem because it introduces developer confusion when moving from an unpaged query to a paged one, and it encourages substitution of variables directly into the query, which can bypass our check_query() security feature.

  This patch adds this ability to pager_query(). The change is backwards-compatible, but a couple calls to the function in core have been changed to use the new capability.

1 files changed, 1 insertions, 1 deletions

diff --git a/modules/blog/blog.module b/modules/blog/blog.module
index 90ed4252e..ba9a38600 100644
--- a/modules/blog/blog.module
+++ b/modules/blog/blog.module
@@ -143,7 +143,7 @@ function blog_page_user($uid) {
   $title = t("%name's blog", array('%name' => $account->name));
   $output = '';
 
-  $result = pager_query("SELECT nid FROM {node} WHERE type = 'blog' AND uid = '$account->uid' AND status = 1 ORDER BY sticky DESC, created DESC", variable_get('default_nodes_main', 10));
+  $result = pager_query("SELECT nid FROM {node} WHERE type = 'blog' AND uid = %d AND status = 1 ORDER BY sticky DESC, created DESC", variable_get('default_nodes_main', 10), 0, NULL, $account->uid);
   while ($node = db_fetch_object($result)) {
     $output .= node_view(node_load(array('nid' => $node->nid)), 1);
   }