From 74def328c8d6ebaa6c46011b8dc9692be4900e7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?G=C3=A1bor=20Hojtsy?=
Date: Thu, 27 Sep 2007 16:52:00 +0000
Subject: #167284 by Heine and pwolanin: proper field type placeholders in IN() queries, setting a best practice to avoid vulnerabilities

---
 modules/node/node.admin.inc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'modules/node')

diff --git a/modules/node/node.admin.inc b/modules/node/node.admin.inc
index eeac16e56..115bb486e 100644
--- a/modules/node/node.admin.inc
+++ b/modules/node/node.admin.inc
@@ -116,42 +116,42 @@ function node_node_operations() {
  * Callback function for admin mass publishing nodes.
  */
 function node_operations_publish($nodes) {
-  db_query('UPDATE {node} SET status = 1 WHERE nid IN(%s)', implode(',', $nodes));
+  db_query('UPDATE {node} SET status = 1 WHERE nid IN('. db_placeholders($nodes) .')', $nodes);
 }
 
 /**
  * Callback function for admin mass unpublishing nodes.
  */
 function node_operations_unpublish($nodes) {
-  db_query('UPDATE {node} SET status = 0 WHERE nid IN(%s)', implode(',', $nodes));
+  db_query('UPDATE {node} SET status = 0 WHERE nid IN('. db_placeholders($nodes) .')', $nodes);
 }
 
 /**
  * Callback function for admin mass promoting nodes.
  */
 function node_operations_promote($nodes) {
-  db_query('UPDATE {node} SET status = 1, promote = 1 WHERE nid IN(%s)', implode(',', $nodes));
+  db_query('UPDATE {node} SET status = 1, promote = 1 WHERE nid IN('. db_placeholders($nodes) .')', $nodes);
 }
 
 /**
  * Callback function for admin mass demoting nodes.
  */
 function node_operations_demote($nodes) {
-  db_query('UPDATE {node} SET promote = 0 WHERE nid IN(%s)', implode(',', $nodes));
+  db_query('UPDATE {node} SET promote = 0 WHERE nid IN('. db_placeholders($nodes) .')', $nodes);
 }
 
 /**
  * Callback function for admin mass editing nodes to be sticky.
  */
 function node_operations_sticky($nodes) {
-  db_query('UPDATE {node} SET status = 1, sticky = 1 WHERE nid IN(%s)', implode(',', $nodes));
+  db_query('UPDATE {node} SET status = 1, sticky = 1 WHERE nid IN('. db_placeholders($nodes) .')', $nodes);
 }
 
 /**
  * Callback function for admin mass editing nodes to remove stickiness.
  */
 function node_operations_unsticky($nodes) {
-  db_query('UPDATE {node} SET sticky = 0 WHERE nid IN(%s)', implode(',', $nodes));
+  db_query('UPDATE {node} SET sticky = 0 WHERE nid IN('. db_placeholders($nodes) .')', $nodes);
 }
 
 /**
-- 
cgit v1.2.3
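Review bot: Each of the six rewritten db_query() calls still produces `WHERE nid IN()` when `$nodes` is empty, since db_placeholders() on an empty array should yield nothing between the parentheses, and an empty IN list is a SQL syntax error on MySQL and PostgreSQL. The admin form presumably validates that at least one node was selected before these run, but they are public operation callbacks that other modules may invoke directly, so each body should start with a guard: `if (empty($nodes)) { return; }`. It would also make the security intent of this commit visible at the call site to pass the placeholder type explicitly, `db_placeholders($nodes, 'int')`, so a reader sees that integer placeholders are what keep a non-numeric value out of the query rather than having to know the default. The six bodies differ only in their SET clause and could share one private helper taking the SET fragment, which would keep the guard and the placeholder handling in a single place.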