-rw-r--r--includes/database.mysql.inc8
-rw-r--r--includes/database.mysqli.inc8
2 files changed, 14 insertions, 2 deletions
diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index 32f53f4bd..74a5288c9 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -133,8 +133,14 @@ function _db_query($query, $debug = 0) {
if (variable_get('dev_query', 0)) {
list($usec, $sec) = explode(' ', microtime());
$timer = (float)$usec + (float)$sec;
+ // If devel.module query logging is enabled, prepend a comment with the username and calling function
+ // to the SQL string. This is useful when running mysql's SHOW PROCESSLIST to learn what exact
+ // code is issueing the slow query.
$bt = debug_backtrace();
- $name = ($user->uid) ? $user->name : variable_get('anonymous', t('Anonymous'));;
+ // t() may not be available yet so we don't wrap 'Anonymous'.
+ $name = $user->uid ? $user->name : variable_get('anonymous', 'Anonymous');
+ // str_replace() to prevent SQL injection via username or anonymous name.
+ $name = str_replace(array('*', '/'), '', $name);
$query = '/* '. $name .' : '. $bt[2]['function'] .' */ '. $query;
}
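Review bot: `$bt[2]['function']` on the last added line is read without checking it exists, so if `_db_query()` is ever called fewer than two frames deep (a direct call from a top-level script rather than via `db_query()`), the comment prefix raises an undefined-index notice and the query is sent with an empty caller name; `$caller = isset($bt[2]['function']) ? $bt[2]['function'] : 'unknown';` followed by `$query = '/* '. $name .' : '. $caller .' */ '. $query;` keeps the devel annotation robust. The sanitisation itself is sound for its purpose: the only sequence that can terminate a `/* ... */` comment early is `*/`, and removing every `*` makes that impossible regardless of what the username holds. `_db_query()` begins before this hunk, so the `global` declaration that brings `$user` into scope is not visible here; it must be present for `$user->uid` to be meaningful.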
diff --git a/includes/database.mysqli.inc b/includes/database.mysqli.inc
index 0f225496b..adbbb66ed 100644
--- a/includes/database.mysqli.inc
+++ b/includes/database.mysqli.inc
@@ -130,8 +130,14 @@ function _db_query($query, $debug = 0) {
if (variable_get('dev_query', 0)) {
list($usec, $sec) = explode(' ', microtime());
$timer = (float)$usec + (float)$sec;
+ // If devel.module query logging is enabled, prepend a comment with the username and calling function
+ // to the SQL string. This is useful when running mysql's SHOW PROCESSLIST to learn what exact
+ // code is issueing the slow query.
$bt = debug_backtrace();
- $name = ($user->uid) ? $user->name : variable_get('anonymous', t('Anonymous'));
+ // t() may not be available yet so we don't wrap 'Anonymous'
+ $name = $user->uid ? $user->name : variable_get('anonymous', 'Anonymous');
+ // str_replace() to prevent SQL injection via username or anonymous name.
+ $name = str_replace(array('*', '/'), '', $name);
$query = '/* '. $name .' : '. $bt[2]['function'] .' */ '. $query;
}
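Review bot: The new comment on the `str_replace()` line says it prevents SQL injection but does not say why those two characters are the ones stripped, which is the one fact a future maintainer needs before "simplifying" the list; I would state it: `// A name can only break out of the comment via "*/", so dropping every "*" makes that impossible; "/" is removed too, belt and braces.` Since this prefix is purely a SHOW PROCESSLIST aid, a smaller attack surface would be to annotate with `$user->uid` instead of the free-text `$user->name`, which avoids putting any user-controlled string into the SQL at all, though that trades away readability and is a judgement call. The added comment block also has a typo, `issueing` for `issuing`. `_db_query()` starts outside this hunk, so the `global $user` declaration it relies on is not visible.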