? drupal-667714-advanced.patch
? drupal-667714-simple.patch
? drupal-667714.patch
Index: includes/database.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/Attic/database.inc,v
retrieving revision 1.92.2.8
diff -u -p -r1.92.2.8 database.inc
--- includes/database.inc	14 Sep 2009 10:49:34 -0000	1.92.2.8
+++ includes/database.inc	7 Jan 2010 20:34:29 -0000
@@ -54,15 +54,28 @@ define('DB_ERROR', 'a515ac9c2796ca0e23ad
  * Perform an SQL query and return success or failure.
  *
  * @param $sql
- *   A string containing a complete SQL query.  %-substitution
- *   parameters are not supported.
+ *   A string containing an SQL query.
+ * @param ...
+ *   A variable number of arguments which are substituted into the query
+ *   using printf() syntax. Instead of a variable number of query arguments,
+ *   you may also pass a single array containing the query arguments.
+ *
+ *   Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose
+ *   in '') and %%.
+ *
+ *   NOTE: using this syntax will cast NULL and FALSE values to decimal 0,
+ *   and TRUE values to decimal 1.
+ *
  * @return
  *   An array containing the keys:
  *      success: a boolean indicating whether the query succeeded
  *      query: the SQL query executed, passed through check_plain()
  */
 function update_sql($sql) {
-  $result = db_query($sql, true);
+  $args = func_get_args();
+  array_shift($args);
+  $result = db_query($sql, $args);
+  $sql = db_query_get_string($sql, $args);
   return array('success' => $result !== FALSE, 'query' => check_plain($sql));
 }
 
Index: includes/database.pgsql.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/Attic/database.pgsql.inc,v
retrieving revision 1.68.2.7
diff -u -p -r1.68.2.7 database.pgsql.inc
--- includes/database.pgsql.inc	14 Sep 2009 10:49:34 -0000	1.68.2.7
+++ includes/database.pgsql.inc	7 Jan 2010 20:34:29 -0000
@@ -126,6 +126,41 @@ function db_query($query) {
 }
 
 /**
+ * Builds a query, returns string.
+ *
+ * User-supplied arguments to the query should be passed in as separate
+ * parameters so that they can be properly escaped to avoid SQL injection
+ * attacks.
+ *
+ * @param $query
+ *   A string containing an SQL query.
+ * @param ...
+ *   A variable number of arguments which are substituted into the query
+ *   using printf() syntax. Instead of a variable number of query arguments,
+ *   you may also pass a single array containing the query arguments.
+ *
+ *   Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose
+ *   in '') and %%.
+ *
+ *   NOTE: using this syntax will cast NULL and FALSE values to decimal 0,
+ *   and TRUE values to decimal 1.
+ *
+ * @return
+ *   String of query fully escaped and ready to run.
+ */
+function db_query_get_string($query) {
+  $args = func_get_args();
+  array_shift($args);
+  $query = db_prefix_tables($query);
+  if (isset($args[0]) and is_array($args[0])) { // 'All arguments in one array' syntax
+    $args = $args[0];
+  }
+  _db_query_callback($args, TRUE);
+  $query = preg_replace_callback(DB_QUERY_REGEXP, '_db_query_callback', $query);
+  return $query;
+}
+
+/**
  * Helper function for db_query().
  */
 function _db_query($query, $debug = 0) {