Index: includes/database.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/Attic/database.inc,v
retrieving revision 1.92.2.3
diff -u -p -r1.92.2.3 database.inc
--- includes/database.inc	20 Oct 2008 09:13:04 -0000	1.92.2.3
+++ includes/database.inc	26 Jan 2009 13:32:51 -0000
@@ -51,19 +51,55 @@ define('DB_ERROR', 'a515ac9c2796ca0e23ad
  */
 
 /**
- * Perform an SQL query and return success or failure.
+ * Run a database update query in the active database and return success or failure.
+ *
+ * User-supplied arguments to the query should be passed in as separate
+ * parameters so that they can be properly escaped to avoid SQL injection
+ * attacks.
+ *
+ * @param $query
+ *   A string containing an SQL query.
+ * @param ...
+ *   A variable number of arguments which are substituted into the query
+ *   using printf() syntax. Instead of a variable number of query arguments,
+ *   you may also pass a single array containing the query arguments.
+ *
+ *   Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose in
+ *   '') and %%.
+ *
+ *   NOTE: using this syntax will cast NULL and FALSE values to decimal 0,
+ *   and TRUE values to decimal 1.
  *
- * @param $sql
- *   A string containing a complete SQL query.  %-substitution
- *   parameters are not supported.
  * @return
  *   An array containing the keys:
  *      success: a boolean indicating whether the query succeeded
  *      query: the SQL query executed, passed through check_plain()
+ *
+ * @see db_query()
  */
-function update_sql($sql) {
-  $result = db_query($sql, true);
-  return array('success' => $result !== FALSE, 'query' => check_plain($sql));
+function update_sql($query) {
+  $args = func_get_args();
+
+  // Execute the query
+  $result = call_user_func_array('db_query', $args);
+
+  array_shift($args);
+  // 'All arguments in one array' syntax
+  if (isset($args[0]) && is_array($args[0])) {
+    $args = $args[0];
+  }
+
+  // Truncate values exceeding a length of 32 characters
+  foreach ($args as $key => $value) {
+    if (drupal_strlen($value)>32) {
+      $args[$key] = drupal_substr($value, 0, 32) . '...';
+    }
+  }
+  // Insert values into query
+  _db_query_callback($args, TRUE);
+  $query = preg_replace_callback(DB_QUERY_REGEXP, '_db_query_callback', $query);
+
+  return array('success' => $result !== FALSE, 'query' => check_plain($query));
 }
 
 /**
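Review bot: The `@return` docblock entry `query: the SQL query executed, passed through check_plain()` is no longer accurate for the new body, which rebuilds the string for display after truncating every argument longer than 32 characters to `drupal_substr($value, 0, 32) . '...'`, so the returned text can differ from what `db_query()` actually ran. A reader of the result (e.g. the update report) should not treat it as the executed statement, and the docblock should say so: `*      query: a display version of the SQL query, with argument values longer than 32 characters truncated and the result passed through check_plain()`. The truncation loop also applies to values bound to `%b` placeholders, so binary arguments are cut by character count before escaping; this looks intentional for readability but is worth a short comment on the `foreach`, such as `// Display only: shortened values never reach the database, which ran the untruncated arguments above.` The spacing in `drupal_strlen($value)>32` should follow the surrounding style as `drupal_strlen($value) > 32`.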
