Parts of update_124 will fail if an anonymous commenter's name contains a single quote. To fix this, I updated update_sql to accept additional parameters that it sends on to db_query. I also moved update_sql to the top of the file. The only problem I could find with this approach is that the query displayed by update.php contains the substitute parameter (%s or %d), not the actual parameter.

I'd appreciate it if someone else could take a look and see if there's a better way to do this. I think that update_sql should have this functionality anyway, though.


Comments

Junyor


Here's the same patch for 4.5.2.

BTW, there was an $edit variable in update_sql that appeared to be unused, so I removed it in both of these patches.

Junyor


Made the patch a bit better. Here's a new version for CVS.

Junyor


That one was actually for 4.5.x. Here's the one for CVS.

Steven

This patch means that db arguments to update_sql() may not be passed as an array, but must be passed literally. Otherwise, an array with an array in it would be passed to db_query.

This is confusing and inconsistent with the other db_ functions, so I would say we need to change the patch so it also accepts either syntax, like the rest of the db functions.
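An added PHP sketch of the either-syntax behaviour Steven asks for; this is illustration written for this page, not the patch or Drupal's own code. db_query() here is a stand-in that only substitutes %s/%d placeholders and returns the resulting SQL, and the commenter name is a constructed sample.

```php
<?php
// Stand-in for Drupal's db_query(): accepts arguments either literally or as
// one array, escapes %s values, coerces %d values to integers, and returns the
// substituted SQL. Table-prefix braces such as {comments} are left as-is here.
function db_query($query) {
  $args = func_get_args();
  array_shift($args);
  // Either syntax: db_query($q, $a, $b) or db_query($q, array($a, $b)).
  if (isset($args[0]) && is_array($args[0])) {
    $args = $args[0];
  }
  return preg_replace_callback('/%([sd])/', function ($m) use (&$args) {
    $value = array_shift($args);
    if ($m[1] === 'd') {
      return (string) (int) $value;
    }
    // Escape the string so a single quote in a name cannot end the literal.
    // Real Drupal uses its own db_escape_string() here; addslashes is the stand-in.
    return addslashes($value);
  }, $query);
}

// update_sql() in the shape the thread discusses: any extra arguments are
// passed on to db_query(), whether given literally or as a single array.
function update_sql($sql) {
  $args = func_get_args();
  array_shift($args);
  if (isset($args[0]) && is_array($args[0])) {
    $args = $args[0];
  }
  $result = call_user_func_array('db_query', array_merge(array($sql), $args));
  // As the original report notes, the query shown to the user still carries
  // the %s/%d placeholders rather than the substituted values.
  return array('success' => $result !== FALSE, 'query' => $sql, 'sent' => $result);
}

// Constructed sample: an anonymous commenter whose name contains a single quote.
$name = "O'Brien";
$cid  = 42;
$sql  = "UPDATE {comments} SET name = '%s' WHERE cid = %d";
$literal = update_sql($sql, $name, $cid);
$asArray = update_sql($sql, array($name, $cid));

echo "displayed: ", $literal['query'], "\n";
echo "sent:      ", $literal['sent'], "\n";
echo ($literal['sent'] === $asArray['sent']) ? "both syntaxes produce the same SQL\n"
                                             : "syntaxes differ\n";
```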

Junyor


I think this should do it. Patch for HEAD.

Junyor


Patch for 4.5.2.

Dries

Committed a modified patch to HEAD and DRUPAL-4-6. Thanks.
