authorGábor Hojtsy <gabor@hojtsy.hu>2008-01-04 09:31:49 +0000
committerGábor Hojtsy <gabor@hojtsy.hu>2008-01-04 09:31:49 +0000
commit89be29505b1ed6146aef314d5524f46cc289cee3 (patch)
tree6be929fa5d9b84c48f0a5682bc6f95cb09b3bde3 /modules
parent52f95c981bbf7588aedd1b5cb3ef74641572e39e (diff)
#198856 by hswong3i: Fix some incorrect use of %s for table name escaping, implement better security checks
Diffstat (limited to 'modules')
-rw-r--r--modules/statistics/statistics.module5
-rw-r--r--modules/system/system.module2
2 files changed, 5 insertions, 2 deletions
diff --git a/modules/statistics/statistics.module b/modules/statistics/statistics.module
index 831a0d5c7..1242e973b 100644
--- a/modules/statistics/statistics.module
+++ b/modules/statistics/statistics.module
@@ -206,7 +206,10 @@ function statistics_cron() {
* or FALSE if the query could not be executed correctly.
*/
function statistics_title_list($dbfield, $dbrows) {
- return db_query_range(db_rewrite_sql("SELECT n.nid, n.title, u.uid, u.name FROM {node} n INNER JOIN {node_counter} s ON n.nid = s.nid INNER JOIN {users} u ON n.uid = u.uid WHERE %s <> '0' AND n.status = 1 ORDER BY %s DESC"), 's.'. $dbfield, 's.'. $dbfield, 0, $dbrows);
+ if (in_array($dbfield, array('totalcount', 'daycount', 'timestamp'))) {
+ return db_query_range(db_rewrite_sql("SELECT n.nid, n.title, u.uid, u.name FROM {node} n INNER JOIN {node_counter} s ON n.nid = s.nid INNER JOIN {users} u ON n.uid = u.uid WHERE s.". $dbfield ." != 0 AND n.status = 1 ORDER BY s.". $dbfield ." DESC"), 0, $dbrows);
+ }
+ return FALSE;
}
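Review bot: The whitelist on the added `if` line uses loose `in_array`, so under PHP's loose comparison a boolean `TRUE` (and, before PHP 8, an integer `0`) also satisfies the check even though it is not one of the three column names; pass the strict flag: `if (in_array($dbfield, array('totalcount', 'daycount', 'timestamp'), TRUE)) {`. The function now also returns FALSE for a rejected `$dbfield`, which the docblock above it (its start lies outside the hunk) does not mention; I would extend the return description with `or FALSE if $dbfield is not one of totalcount, daycount or timestamp`. The condition also changed from `<> '0'` to `!= 0`, which is only equivalent if those node_counter columns are numeric — presumably they are, but worth confirming.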
diff --git a/modules/system/system.module b/modules/system/system.module
index edf3a3bff..2431ef613 100644
--- a/modules/system/system.module
+++ b/modules/system/system.module
@@ -1213,7 +1213,7 @@ function system_cron() {
db_query('DELETE FROM {batch} WHERE timestamp < %d', time() - 864000);
// Remove temporary files that are older than DRUPAL_MAXIMUM_TEMP_FILE_AGE.
- $result = db_query('SELECT * FROM {files} WHERE status = %s and timestamp < %d', FILE_STATUS_TEMPORARY, time() - DRUPAL_MAXIMUM_TEMP_FILE_AGE);
+ $result = db_query('SELECT * FROM {files} WHERE status = %d and timestamp < %d', FILE_STATUS_TEMPORARY, time() - DRUPAL_MAXIMUM_TEMP_FILE_AGE);
while ($file = db_fetch_object($result)) {
if (file_exists($file->filepath)) {
// If files that exist cannot be deleted, continue so the database remains
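Review bot: The query on the `+` line keeps a lowercase `and` between its two conditions while the other statements in this commit (the statistics query, and the `DELETE FROM {batch}` line just above) write SQL keywords in uppercase; for consistency I would write `'SELECT * FROM {files} WHERE status = %d AND timestamp < %d'`. The switch to `%d` is the right placeholder for an integer constant, so the fix itself looks correct. The `while` loop that consumes the result continues past the end of the hunk, so whether columns beyond `filepath` are actually needed from the `SELECT *` cannot be judged from here.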