#167284 by Heine and pwolanin: proper field type placeholders in IN() queries, setting a best practice to avoid vulnerabilities

author: Gábor Hojtsy <gabor@hojtsy.hu> 2007-09-27 16:52:00 +0000
committer: Gábor Hojtsy <gabor@hojtsy.hu> 2007-09-27 16:52:00 +0000
commit: 74def328c8d6ebaa6c46011b8dc9692be4900e7f (patch)
tree: 61d2ec1587743eb9c9eb3b860ee93935022f3e65 /modules/user/user.module
parent: b5b6b32e364b87c87e944968764e212e85d2e10e (diff)
download: brdo-74def328c8d6ebaa6c46011b8dc9692be4900e7f.tar.gz
brdo-74def328c8d6ebaa6c46011b8dc9692be4900e7f.tar.bz2
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/user/user.module b/modules/user/user.module
index f82cdde5e..b215c7efd 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -453,7 +453,7 @@ function user_access($string, $account = NULL) {
   // To reduce the number of SQL queries, we cache the user's permissions
   // in a static variable.
   if (!isset($perm[$account->uid])) {
-    $result = db_query("SELECT DISTINCT(p.perm) FROM {role} r INNER JOIN {permission} p ON p.rid = r.rid WHERE r.rid IN (%s)", implode(',', array_keys($account->roles)));
+    $result = db_query("SELECT DISTINCT(p.perm) FROM {role} r INNER JOIN {permission} p ON p.rid = r.rid WHERE r.rid IN (". db_placeholders($account->roles) .")", array_keys($account->roles));
 
     $perm[$account->uid] = '';
     while ($row = db_fetch_object($result)) {
author	Gábor Hojtsy <gabor@hojtsy.hu>	2007-09-27 16:52:00 +0000
committer	Gábor Hojtsy <gabor@hojtsy.hu>	2007-09-27 16:52:00 +0000
commit	74def328c8d6ebaa6c46011b8dc9692be4900e7f (patch)
tree	61d2ec1587743eb9c9eb3b860ee93935022f3e65 /modules/user/user.module
parent	b5b6b32e364b87c87e944968764e212e85d2e10e (diff)
download	brdo-74def328c8d6ebaa6c46011b8dc9692be4900e7f.tar.gz brdo-74def328c8d6ebaa6c46011b8dc9692be4900e7f.tar.bz2