From c39562ae036f303f77767f438b89be88a23fe277 Mon Sep 17 00:00:00 2001 From: Dries Buytaert Date: Mon, 21 Jul 2003 15:36:05 +0000 Subject: - Fixed node_save() and user_save() bug introduced by table prefix changes. Modified patches from Gerhard. - Changed the order of the checks in node_teaser(). Patch from Kobus. --- modules/node.module | 30 ++++++++++++++++++------------ modules/node/node.module | 30 ++++++++++++++++++------------ modules/user.module | 11 +++++++---- modules/user/user.module | 11 +++++++---- 4 files changed, 50 insertions(+), 32 deletions(-) (limited to 'modules') diff --git a/modules/node.module b/modules/node.module index e1b93cdd3..329f6c3f6 100644 --- a/modules/node.module +++ b/modules/node.module @@ -126,14 +126,6 @@ function node_teaser($body) { return $body; } - /* - ** If we have a short body, return the entire body: - */ - - if (strlen($body) < $size) { - return $body; - } - /* ** If a valid delimiter has been specified, use it to ** chop of the teaser. The delimiter can be outside @@ -145,6 +137,14 @@ function node_teaser($body) { return substr($body, 0, $delimiter); } + /* + ** If we have a short body, return the entire body: + */ + + if (strlen($body) < $size) { + return $body; + } + /* ** In some cases no delimiter has been specified (eg. ** when posting using the Blogger API) in which case @@ -302,12 +302,17 @@ function node_save($node) { foreach ($node as $key => $value) { if (in_array($key, $fields)) { $k[] = check_query($key); - $v[] = "'". check_query($value) ."'"; + $v[] = $value; + $s[] = "'%s'"; } } + $keysfmt = implode(", ", $s); + // need to quote the placeholders for the values + $valsfmt = "'". implode("', '", $s) ."'"; + // Insert the node into the database: - db_query("INSERT INTO {node} (". implode(", ", $k) .") VALUES (". implode(", ", $v) .")"); + db_query("INSERT INTO {node} (". implode(", ", $k) .") VALUES(". implode(", ", $s) .")", $v); // Call the node specific callback (if any): node_invoke($node, "insert"); 
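Review bot: In the node_save() insert hunk (`@@ -302,12 +302,17 @@`), `$keysfmt` and `$valsfmt` are assigned but never read; the db_query() call builds its VALUES list from `implode(", ", $s)` directly. Each `$s` entry is already `'%s'`, so `$valsfmt` would wrap the placeholders in a second pair of quotes. The comment "need to quote the placeholders for the values" is therefore misleading, and the three lines are better removed. The values in `$v` also no longer pass through check_query() here, so escaping now depends on how db_query() treats an array argument, which this diff does not show and should be confirmed. The same hunk is repeated for modules/node/node.module; node_save() starts and ends outside the hunk.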
@@ -325,12 +330,13 @@ function node_save($node) { // Prepare the query: foreach ($node as $key => $value) { if (in_array($key, $fields)) { - $q[] = check_query($key) ." = '". check_query($value) ."'"; + $q[] = check_query($key) ." = '%s'"; + $v[] = $value; } } // Update the node in the database: - db_query("UPDATE {node} SET ". implode(", ", $q) ." WHERE nid = '$node->nid'"); + db_query("UPDATE {node} SET ". implode(", ", $q) ." WHERE nid = '$node->nid'", $v); // Call the node specific callback (if any): node_invoke($node, "update"); diff --git a/modules/node/node.module b/modules/node/node.module index e1b93cdd3..329f6c3f6 100644 --- a/modules/node/node.module +++ b/modules/node/node.module @@ -126,14 +126,6 @@ function node_teaser($body) { return $body; } - /* - ** If we have a short body, return the entire body: - */ - - if (strlen($body) < $size) { - return $body; - } - /* ** If a valid delimiter has been specified, use it to ** chop of the teaser. The delimiter can be outside @@ -145,6 +137,14 @@ function node_teaser($body) { return substr($body, 0, $delimiter); } + /* + ** If we have a short body, return the entire body: + */ + + if (strlen($body) < $size) { + return $body; + } + /* ** In some cases no delimiter has been specified (eg. ** when posting using the Blogger API) in which case @@ -302,12 +302,17 @@ function node_save($node) { foreach ($node as $key => $value) { if (in_array($key, $fields)) { $k[] = check_query($key); - $v[] = "'". check_query($value) ."'"; + $v[] = $value; + $s[] = "'%s'"; } } + $keysfmt = implode(", ", $s); + // need to quote the placeholders for the values + $valsfmt = "'". implode("', '", $s) ."'"; + // Insert the node into the database: - db_query("INSERT INTO {node} (". implode(", ", $k) .") VALUES (". implode(", ", $v) .")"); + db_query("INSERT INTO {node} (". implode(", ", $k) .") VALUES(". implode(", ", $s) .")", $v); // Call the node specific callback (if any): node_invoke($node, "insert"); 
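Review bot: The UPDATE in node_save() (`@@ -325,12 +330,13 @@`) still interpolates `$node->nid` into the query string, while every other value moved to a `'%s'` placeholder. If db_query() now treats the string as a printf-style format, as the placeholders suggest, the nid is the one value left unescaped, and any `%` in it would be read as a format specifier. I would add `$v[] = $node->nid;` after the loop and end the query with `WHERE nid = '%s'`. The identical hunk for modules/node/node.module has the same issue; the function body continues outside the hunk.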
@@ -325,12 +330,13 @@ function node_save($node) { // Prepare the query: foreach ($node as $key => $value) { if (in_array($key, $fields)) { - $q[] = check_query($key) ." = '". check_query($value) ."'"; + $q[] = check_query($key) ." = '%s'"; + $v[] = $value; } } // Update the node in the database: - db_query("UPDATE {node} SET ". implode(", ", $q) ." WHERE nid = '$node->nid'"); + db_query("UPDATE {node} SET ". implode(", ", $q) ." WHERE nid = '$node->nid'", $v); // Call the node specific callback (if any): node_invoke($node, "update"); diff --git a/modules/user.module b/modules/user.module index 07f4866f8..ed74776d6 100644 --- a/modules/user.module +++ b/modules/user.module @@ -122,12 +122,14 @@ function user_save($account, $array = array()) { foreach ($array as $key => $value) { if ($key == "pass") { $fields[] = check_query($key); - $values[] = "'". md5($value) ."'"; + $values[] = md5($value); + $s[] = "'%s'"; } else if (substr($key, 0, 4) !== "auth") { if (in_array($key, $user_fields)) { $fields[] = check_query($key); - $values[] = "'". check_query($value) ."'"; + $values[] = $value; + $s[] = "'%s'"; } else { $data[$key] = $value; @@ -136,9 +138,10 @@ function user_save($account, $array = array()) { } $fields[] = "data"; - $values[] = "'". check_query(serialize($data)) ."'"; + $values[] = serialize($data); + $s[] = "'%s'"; - db_query("INSERT INTO {users} (". implode(", ", $fields) .") VALUES (". implode(", ", $values) .")"); + db_query("INSERT INTO {users} (". implde(", ", $fields) .") VALUES (". implde(", ", $s) .")", $values); $user = user_load(array("name" => $array["name"])); } diff --git a/modules/user/user.module b/modules/user/user.module index 07f4866f8..ed74776d6 100644 --- a/modules/user/user.module +++ b/modules/user/user.module 
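Review bot: In user_save() (`@@ -122,12 +122,14 @@`, modules/user.module) the `pass` branch still stores `md5($value)`, an unsalted fast digest that gives stored passwords little protection if the users table is disclosed. Where the PHP version allows, a salted, deliberately slow hash such as `password_hash($value, PASSWORD_DEFAULT)` is the replacement. The login comparison, which is not part of this diff, would have to change to match. The same line appears in the modules/user/user.module copy; user_save() starts and ends outside the hunk.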
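Review bot: `implde` is misspelled twice in the new db_query() line of user_save() (`@@ -136,9 +138,10 @@`, modules/user.module), so the insert path will stop on a call to an undefined function and new accounts cannot be saved. Both calls should be `implode`: `db_query("INSERT INTO {users} (". implode(", ", $fields) .") VALUES (". implode(", ", $s) .")", $values);`. The same typo is in the modules/user/user.module copy of this hunk. The enclosing function starts and ends outside the hunk.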
@@ -122,12 +122,14 @@ function user_save($account, $array = array()) { foreach ($array as $key => $value) { if ($key == "pass") { $fields[] = check_query($key); - $values[] = "'". md5($value) ."'"; + $values[] = md5($value); + $s[] = "'%s'"; } else if (substr($key, 0, 4) !== "auth") { if (in_array($key, $user_fields)) { $fields[] = check_query($key); - $values[] = "'". check_query($value) ."'"; + $values[] = $value; + $s[] = "'%s'"; } else { $data[$key] = $value; @@ -136,9 +138,10 @@ function user_save($account, $array = array()) { } $fields[] = "data"; - $values[] = "'". check_query(serialize($data)) ."'"; + $values[] = serialize($data); + $s[] = "'%s'"; - db_query("INSERT INTO {users} (". implode(", ", $fields) .") VALUES (". implode(", ", $values) .")"); + db_query("INSERT INTO {users} (". implde(", ", $fields) .") VALUES (". implde(", ", $s) .")", $values); $user = user_load(array("name" => $array["name"])); } -- cgit v1.2.3