author | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-09-27 16:52:00 +0000 |
---|---|---|
committer | Gábor Hojtsy <gabor@hojtsy.hu> | 2007-09-27 16:52:00 +0000 |
commit | 74def328c8d6ebaa6c46011b8dc9692be4900e7f (patch) | |
tree | 61d2ec1587743eb9c9eb3b860ee93935022f3e65 /modules/node | |
parent | b5b6b32e364b87c87e944968764e212e85d2e10e (diff) | |
#167284 by Heine and pwolanin: proper field type placeholders in IN() queries, setting a best practice to avoid vulnerabilities
Diffstat (limited to 'modules/node')
-rw-r--r-- | modules/node/node.admin.inc | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/modules/node/node.admin.inc b/modules/node/node.admin.inc
index eeac16e56..115bb486e 100644
--- a/modules/node/node.admin.inc
+++ b/modules/node/node.admin.inc
@@ -116,42 +116,42 @@ function node_node_operations() { * Callback function for admin mass publishing nodes. */ function node_operations_publish($nodes) { - db_query('UPDATE {node} SET status = 1 WHERE nid IN(%s)', implode(',', $nodes)); + db_query('UPDATE {node} SET status = 1 WHERE nid IN('. db_placeholders($nodes) .')', $nodes); } /** * Callback function for admin mass unpublishing nodes. */ function node_operations_unpublish($nodes) { - db_query('UPDATE {node} SET status = 0 WHERE nid IN(%s)', implode(',', $nodes)); + db_query('UPDATE {node} SET status = 0 WHERE nid IN('. db_placeholders($nodes) .')', $nodes); } /** * Callback function for admin mass promoting nodes. */ function node_operations_promote($nodes) { - db_query('UPDATE {node} SET status = 1, promote = 1 WHERE nid IN(%s)', implode(',', $nodes)); + db_query('UPDATE {node} SET status = 1, promote = 1 WHERE nid IN('. db_placeholders($nodes) .')', $nodes); } /** * Callback function for admin mass demoting nodes. */ function node_operations_demote($nodes) { - db_query('UPDATE {node} SET promote = 0 WHERE nid IN(%s)', implode(',', $nodes)); + db_query('UPDATE {node} SET promote = 0 WHERE nid IN('. db_placeholders($nodes) .')', $nodes); } /** * Callback function for admin mass editing nodes to be sticky. */ function node_operations_sticky($nodes) { - db_query('UPDATE {node} SET status = 1, sticky = 1 WHERE nid IN(%s)', implode(',', $nodes)); + db_query('UPDATE {node} SET status = 1, sticky = 1 WHERE nid IN('. db_placeholders($nodes) .')', $nodes); } /** * Callback function for admin mass editing nodes to remove stickiness. */ function node_operations_unsticky($nodes) { - db_query('UPDATE {node} SET sticky = 0 WHERE nid IN(%s)', implode(',', $nodes)); + db_query('UPDATE {node} SET sticky = 0 WHERE nid IN('. db_placeholders($nodes) .')', $nodes); } /** |
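Review bot: Every `db_query()` call in this hunk relies on the default placeholder type of `db_placeholders()`, so the integer typing that is the point of the change is implicit at each call site; passing it explicitly, `db_placeholders($nodes, 'int')`, documents that `nid` is an integer column and stops the line from being copied unchanged for a string column later. This applies to all six callbacks in the hunk (publish, unpublish, promote, demote, sticky, unsticky). Separately, neither the old nor the new code handles an empty `$nodes`, which yields `nid IN()` and a SQL error; presumably the submit handler that invokes these never passes an empty selection, but an `if (empty($nodes)) { return; }` guard at the top of each callback would make them safe on their own. The docblocks should also state what `$nodes` is, e.g. `@param $nodes An array of node IDs to update.`.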