### Eclipse Workspace Patch 1.0
#P Drupal HEAD (Core)
Index: update.php
===================================================================
RCS file: /cvs/drupal/drupal/update.php,v
retrieving revision 1.206
diff -u -r1.206 update.php
--- update.php	28 Nov 2006 20:52:51 -0000	1.206
+++ update.php	4 Dec 2006 18:57:36 -0000
@@ -17,10 +17,45 @@
 // Enforce access checking?
 $access_check = TRUE;
 
-
-function update_sql($sql) {
-  $result = db_query($sql);
-  return array('success' => $result !== FALSE, 'query' => check_plain($sql));
+/**
+ * Runs a basic database update query in the active database.
+ *
+ * User-supplied arguments to the query should be passed in as separate
+ * parameters so that they can be properly escaped to avoid SQL injection
+ * attacks.
+ *
+ * @param $query
+ *   A string containing an SQL query.
+ * @param ...
+ *   A variable number of arguments which are substituted into the query
+ *   using printf() syntax. Instead of a variable number of query arguments,
+ *   you may also pass a single array containing the query arguments.
+ *
+ *   Valid %-modifiers are: %s, %d, %f, %b (binary data, do not enclose in
+ *   '') and %%.
+ *
+ *   NOTE: using this syntax will cast NULL and FALSE values to decimal 0,
+ *   and TRUE values to decimal 1.
+ *
+ * @return
+ *   An array with keys 'success' and 'query' to be used in determining
+ *   whether the given update query was executed successfully.
+ */
+function update_sql($query) {
+  $args = func_get_args();
+  array_shift($args);
+
+  // Check for 'all arguments in one array' syntax.
+  if (isset($args[0]) and is_array($args[0])) {
+    $args = $args[0];
+  }
+  $result = db_query($query, $args);
+
+  // Parse the query for display on the update page.
+  $query = db_prefix_tables($query);
+  _db_query_callback($args, TRUE);
+  $query = preg_replace_callback(DB_QUERY_REGEXP, '_db_query_callback', $query);
+  return array('success' => $result !== FALSE, 'query' => check_plain($query));
 }
 
 /**
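Review bot: The docblock on the new update_sql states that separate arguments are escaped to avoid SQL injection, but the hunk changes no call site, so any caller that still concatenates values into `$query` (all callers are outside this hunk) keeps its exposure and, because the string now goes through `preg_replace_callback(DB_QUERY_REGEXP, ...)`, any literal `%` in such a query is newly interpreted as a placeholder. The docblock should say so explicitly, e.g. `*   Callers that build the query string by concatenation must be converted; a literal % in $query must be written as %%.`. The display path after `$result = db_query($query, $args);` re-implements db_query's own placeholder handling (db_prefix_tables, the `_db_query_callback($args, TRUE)` reset, DB_QUERY_REGEXP), so a comment such as `// Mirrors the substitution done inside db_query(); keep in sync.` would warn the next maintainer that the two must change together.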
