If a join definition extra is numeric and has an array of values, the values are still surrounded by quotes. Patch attached, UNTESTED.

| Comment | File | Size | Author |
|---|---|---|---|
| #1 | join-quotes.patch | 1.97 KB | bjaspan |
| | join-quotes.patch | 1.7 KB | bjaspan |

Comments

bjaspan’s picture

File: join-quotes.patch (1.97 KB)

Add a comment explaining $q.

bjaspan’s picture

Status: Needs review » Needs work

The join code should also validate the input values before adding them to the SQL directly; too big a risk of an injection attack. Furthermore, the documentation should mention this loudly. I don't want to see an SA later in which a value from an argument gets used as an extra join value...

merlinofchaos’s picture

Status: Needs work » Fixed

Ok, patch cleaned up and committed, along with a method to ensure the type safety of the arguments. I think this could be cleaned up some more, even, but I'm ok with it the way it is for now.

It also goes the extra mile to replace IN () with = for single values, which always prettifies queries.
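
The behaviour discussed in this thread (numeric extras emitted unquoted only after validation, string extras passed as bound parameters, and `=` in place of `IN ()` for a single value), as an added example that is not the committed Views patch. The function name `build_join_extra`, its parameters and the `?` placeholder style are assumptions made for illustration.

```php
<?php
// Added illustration; not the Views module's code. All names are hypothetical.

/**
 * Build one "extra" join condition and return array($sql, $args).
 * $value may be a scalar or an array of scalars; $numeric marks a numeric column.
 */
function build_join_extra($alias, $field, $value, $numeric = FALSE) {
  // Identifiers cannot be bound as parameters, so allow-list their shape.
  foreach (array($alias, $field) as $ident) {
    if (!is_string($ident) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
      throw new InvalidArgumentException('Bad identifier in join extra');
    }
  }
  $values = is_array($value) ? array_values($value) : array($value);
  if (count($values) === 0) {
    throw new InvalidArgumentException('Empty value list in join extra');
  }

  $parts = array();
  $args = array();
  foreach ($values as $v) {
    if (!is_scalar($v) || is_bool($v)) {
      throw new InvalidArgumentException('Join extra values must be scalar');
    }
    if ($numeric) {
      // Only plain decimal numbers may be written into the SQL unquoted.
      $s = (string) $v;
      if (!preg_match('/^-?\d+(\.\d+)?$/', $s)) {
        throw new InvalidArgumentException('Non-numeric value for numeric extra');
      }
      $parts[] = $s;
    }
    else {
      // Strings never touch the SQL text; they travel as bound parameters.
      $parts[] = '?';
      $args[] = (string) $v;
    }
  }

  // A single value reads better as "=" than as "IN (...)".
  $sql = count($parts) === 1
    ? "{$alias}.{$field} = {$parts[0]}"
    : "{$alias}.{$field} IN (" . implode(', ', $parts) . ")";
  return array($sql, $args);
}

// Constructed sample inputs.
print_r(build_join_extra('n', 'vid', array(3, '7', 12), TRUE));
print_r(build_join_extra('n', 'type', 'story'));
```

A value such as `'1 OR 1=1'` passed with `$numeric = TRUE` raises `InvalidArgumentException` instead of reaching the query text.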

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.