From 89be29505b1ed6146aef314d5524f46cc289cee3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Hojtsy?=
Date: Fri, 4 Jan 2008 09:31:49 +0000
Subject: #198856 by hswong3i: Fix some incorrect use of %s for table name escaping, implement better security checks

---
 includes/database.pgsql.inc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'includes/database.pgsql.inc')

diff --git a/includes/database.pgsql.inc b/includes/database.pgsql.inc
index 65e049263..f5196fb91 100644
--- a/includes/database.pgsql.inc
+++ b/includes/database.pgsql.inc
@@ -228,7 +228,7 @@ function db_error() {
  * The name of the autoincrement field.
  */
 function db_last_insert_id($table, $field) {
-  return db_result(db_query("SELECT currval('%s_seq')", db_prefix_tables('{'. $table .'}') .'_'. $field));
+  return db_result(db_query("SELECT CURRVAL('{". db_escape_table($table) ."}_". db_escape_table($field) ."_seq')"));
 }
 
 /**
@@ -384,14 +384,14 @@ function db_unlock_tables() {
  * Check if a table exists.
  */
 function db_table_exists($table) {
-  return db_result(db_query("SELECT COUNT(*) FROM pg_class WHERE relname = '{". db_escape_table($table) ."}'"));
+  return (bool) db_result(db_query("SELECT COUNT(*) FROM pg_class WHERE relname = '{". db_escape_table($table) ."}'"));
 }
 
 /**
  * Check if a column exists in the given table.
  */
 function db_column_exists($table, $column) {
-  return db_result(db_query("SELECT COUNT(pg_attribute.attname) FROM pg_class, pg_attribute WHERE pg_attribute.attrelid = pg_class.oid AND pg_class.relname = '{". db_escape_table($table) ."}' AND attname='%s'", $column));
+  return (bool) db_result(db_query("SELECT COUNT(pg_attribute.attname) FROM pg_class, pg_attribute WHERE pg_attribute.attrelid = pg_class.oid AND pg_class.relname = '{". db_escape_table($table) ."}' AND attname = '". db_escape_table($column) ."'"));
 }
 
 /**
-- 
cgit v1.2.3
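Review bot: The added line in db_last_insert_id derives the sequence name by hand as `{table}_{field}_seq`, which only matches PostgreSQL's default naming for a serial column and stops matching once the prefixed table name plus field name pushes the generated identifier past PostgreSQL's 63-byte limit, where the server truncates it. If the supported PostgreSQL versions provide `pg_get_serial_sequence()` (8.0 and later), letting the server resolve the name removes that assumption: `return db_result(db_query("SELECT CURRVAL(pg_get_serial_sequence('{". db_escape_table($table) ."}', '". db_escape_table($field) ."'))"));`. db_escape_table is not shown on this page; if it strips disallowed characters rather than rejecting the input, a malformed `$field` silently turns into a lookup of a different sequence, which is worth a docblock line stating that both arguments must already be valid identifiers. The docblock this hunk belongs to starts above the hunk.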
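Review bot: The new db_column_exists query still matches PostgreSQL's system columns: every relation has pg_attribute rows for `ctid`, `xmin`, `xmax`, `cmin`, `cmax` and `tableoid` with a negative `attnum`, so the COUNT is non-zero for those names and the (bool) result is TRUE for a column no Drupal schema declared; adding `AND pg_attribute.attnum > 0` to the WHERE clause fixes that. Likewise db_table_exists counts any pg_class entry with that relname, sequences, indexes and views included, so `AND relkind = 'r'` would make it an actual table check; neither query constrains relnamespace, which is probably fine for a single-schema install but deserves a comment. With the (bool) casts the docblocks can now state the contract, e.g. ` * @return TRUE if the table exists, FALSE otherwise.` on db_table_exists and the matching line on db_column_exists. Both functions lie fully inside the hunk.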