Index: includes/database.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/database.inc,v
retrieving revision 1.92.2.1
diff -u -p -r1.92.2.1 database.inc
--- includes/database.inc 8 Feb 2008 22:44:59 -0000 1.92.2.1
+++ includes/database.inc 5 Mar 2008 09:50:12 -0000
@@ -51,19 +51,51 @@ define('DB_ERROR', 'a515ac9c2796ca0e23ad
  */
 
 /**
- * Perform an SQL query and return success or failure.
+ * Run a database update query in the active database and return success or failure.
+ *
+ * User-supplied arguments to the query should be passed in as separate
+ * parameters so that they can be properly escaped to avoid SQL injection
+ * attacks.
+ *
+ * @param $query
+ *   A string containing an SQL query.
+ * @param ...
+ *   A variable number of arguments which are substituted into the query
+ *   using printf() syntax. Instead of a variable number of query arguments,
+ *   you may also pass a single array containing the query arguments.
+ *
+ *   Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose in
+ *   '') and %%.
+ *
+ *   NOTE: using this syntax will cast NULL and FALSE values to decimal 0,
+ *   and TRUE values to decimal 1.
  *
- * @param $sql
- *   A string containing a complete SQL query. %-substitution
- *   parameters are not supported.
  * @return
  *   An array containing the keys:
  *      success: a boolean indicating whether the query succeeded
  *      query: the SQL query executed, passed through check_plain()
+ *
+ * @see db_query()
  */
-function update_sql($sql) {
-  $result = db_query($sql, true);
-  return array('success' => $result !== FALSE, 'query' => check_plain($sql));
+function update_sql($query) {
+  $args = func_get_args();
+  $result = call_user_func_array('db_query', $args);
+
+  // Parse the query for display on the update page.
+  array_shift($args);
+
+  $query = db_prefix_tables($query);
+
+  if (isset($args[0]) and is_array($args[0])) { // 'All arguments in one array' syntax
+    $args = $args[0];
+  }
+  foreach ($args as $i => $value) { // Truncate all values to a length of 32 before displaying them.
+    $args[$i] = substr($value, 0, 32) . (strlen($value) > 32 ? '...' : '');
+  }
+
+  _db_query_callback($args, TRUE);
+  $query = preg_replace_callback(DB_QUERY_REGEXP, '_db_query_callback', $query);
+  return array('success' => $result !== FALSE, 'query' => check_plain($query));
 }
 
 /**
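Review bot: The display-only truncation in the foreach loop, `substr($value, 0, 32)`, cuts by byte, so an argument holding multibyte text longer than 32 bytes can be split in the middle of a UTF-8 sequence; the shortened query is then handed to check_plain(), which as far as I recall treats invalid UTF-8 as unsafe and returns an empty string, so the 'query' entry on the update report could come out blank rather than merely abbreviated. Since the mb-aware helpers live in unicode.inc, the line is better written as `$args[$i] = drupal_substr($value, 0, 32) . (drupal_strlen($value) > 32 ? '...' : '');`, assuming unicode.inc is loaded by the time update_sql() runs on the update.php bootstrap path, which I would confirm. Separately, the lines from db_prefix_tables() through preg_replace_callback() duplicate db_query()'s own placeholder-substitution sequence for the report text; a shared helper would keep the displayed query from drifting from what was actually executed if that sequence changes. The executed statement itself is unaffected, because the truncation is applied only to the copy of the arguments used for display after call_user_func_array('db_query', $args) has already run.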