1 files changed, 11 insertions, 12 deletions

diff --git a/includes/database/query.inc b/includes/database/query.inc
index de421b30c..23b652f9b 100644
--- a/includes/database/query.inc
+++ b/includes/database/query.inc
@@ -1,5 +1,4 @@
 <?php
-// $Id$
 
 /**
  * @ingroup database
@@ -362,6 +361,9 @@ abstract class Query implements QueryPlaceholderInterface {
    * for easier debugging and allows you to more easily find where a query
    * with a performance problem is being generated.
    *
+   * The comment string will be sanitized to remove * / and other characters
+   * that may terminate the string early so as to avoid SQL injection attacks.
+   *
    * @param $comment
    *   The comment string to be inserted into the query.
    *
@@ -624,9 +626,8 @@ class InsertQuery extends Query {
    *   The prepared statement.
    */
   public function __toString() {
-
-    // Create a comments string to prepend to the query.
-    $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Create a sanitized comment string to prepend to the query.
+    $comments = $this->connection->makeComment($this->comments);
 
     // Default fields are always placed first for consistency.
     $insert_fields = array_merge($this->defaultFields, $this->insertFields);
@@ -816,9 +817,8 @@ class DeleteQuery extends Query implements QueryConditionInterface {
    *   The prepared statement.
    */
   public function __toString() {
-
-    // Create a comments string to prepend to the query.
-    $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Create a sanitized comment string to prepend to the query.
+    $comments = $this->connection->makeComment($this->comments);
 
     $query = $comments . 'DELETE FROM {' . $this->connection->escapeTable($this->table) . '} ';
 
@@ -885,8 +885,8 @@ class TruncateQuery extends Query {
    *   The prepared statement.
    */
   public function __toString() {
-    // Create a comments string to prepend to the query.
-    $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Create a sanitized comment string to prepend to the query.
+    $comments = $this->connection->makeComment($this->comments);
 
     return $comments . 'TRUNCATE {' . $this->connection->escapeTable($this->table) . '} ';
   }
@@ -1112,9 +1112,8 @@ class UpdateQuery extends Query implements QueryConditionInterface {
    *   The prepared statement.
    */
   public function __toString() {
-
-    // Create a comments string to prepend to the query.
-    $comments = (!empty($this->comments)) ? '/* ' . implode('; ', $this->comments) . ' */ ' : '';
+    // Create a sanitized comment string to prepend to the query.
+    $comments = $this->connection->makeComment($this->comments);
 
     // Expressions take priority over literal fields, so we process those first
     // and remove any literal fields that conflict.