From 89be29505b1ed6146aef314d5524f46cc289cee3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Hojtsy?= <gabor@hojtsy.hu>
Date: Fri, 4 Jan 2008 09:31:49 +0000
Subject: #198856 by hswong3i: Fix some incorrect use of %s for table name
 escaping, implement better security checks

---
 includes/database.mysql.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'includes/database.mysql.inc')

diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc
index a20486996..01eb22bef 100644
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@@ -346,14 +346,14 @@ function db_unlock_tables() {
  * Check if a table exists.
  */
 function db_table_exists($table) {
-  return db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'")) ? TRUE : FALSE;
+  return (bool) db_fetch_object(db_query("SHOW TABLES LIKE '{". db_escape_table($table) ."}'"));
 }
 
 /**
  * Check if a column exists in the given table.
  */
 function db_column_exists($table, $column) {
-  return db_fetch_object(db_query("SHOW COLUMNS FROM {%s} LIKE '%s'", $table, $column)) ? TRUE : FALSE;
+  return (bool) db_fetch_object(db_query("SHOW COLUMNS FROM {". db_escape_table($table) ."} LIKE '". db_escape_table($column) ."'"));
 }
 
 /**
-- 
cgit v1.2.3