When I edit (UPDATE) a field that contains curly braces, they disappear from the final value.

I suppose this is due to calling db_query which, in turn, calls db_prefix_tables, which seems to be overzealous at times.

If I explicitely run the following INSERT:

INSERT INTO {variable} (name, value) VALUES ('test', 'val{ue}s{}');

Then what is actually retrieved when I query looks like this:

SELECT * FROM {variable} WHERE name='test';

Result
name	value
test	values

As you see, "val{ue}s{}" gets turned into "values" upon INSERTion. This is particularly painful when attempting to edit a record containing serialized data, as it removes the braces (thus, corrupting the serialized data).

The only potential fix that I could see for it would be to separate out the INSERTed (or UPDATEd) fields into args for db_query (only the $query part passed to db_query is passed to db_prefix_tables). This would be useful for form-based edits, but freeform SQL would be more problematic to fix.

-Mark

Comments

gábor hojtsy’s picture

gábor hojtsy
he/him
Primary language Hungarian
Location Hungary
commented
Project: Database Administration » Drupal core
Component: Code » database system

If you use db_query() properly, there is no problem:

  db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s');", "test", "val{ue}s{}");

Curly braces only get handled specially in the first parameter passed to db_query(). This prevents the system from SQL injections, it is designed to encourage proper coding style.

javanaut’s picture

javanaut commented
Title: Curly Braces are removed from UPDATES (and probably INSERTs) » Curly Braces are removed from UPDATEs and INSERTs
Project: Drupal core » Database Administration
Component: database system » Code

I'm sorry, this was supposed to go to the dba (Database Administration) module, not project drupal. The problem is in the editable table record interface and also the fact that it allows free-form SQL statements to be passed to db_query.

javanaut’s picture

javanaut commented
jeremy’s picture

jeremy commented

I'll give this some thought, but it'll be a while until I can provide a fix as I'm going on vacation soon. Maybe in December...

jeremy’s picture

jeremy commented
Assigned: Unassigned » jeremy
Status: Active » Fixed

Fixed. We now call _db_query() directly where appropriate.

Anonymous’s picture

(not verified) commented
Anonymous’s picture

(not verified) commented
jeremy’s picture

jeremy commented
Status: Fixed » Closed (fixed)

Manually closing, the project module doesn't seem to do this automatically anymore.