Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I wanted to test a multi-site setup by making copies of the variable-table and prefixing one for each site. This causes errors related to locking the variable-table (no prefix) when editing settings on any of the sites.
The code that causes this behavior is in includes/bootstrap.inc line 237 and 324
This has previously been discussed here: http://drupal.org/node/47135
I think hitka's proposed solution is ok, simply add the prefix before calling db_lock_table, but maybe this should be handled in database.*.inc.
Comment | File | Size | Author |
---|---|---|---|
#10 | lock.table.prefix.patch | 2.41 KB | Steven |
#9 | db_lock_table_3.patch | 1.67 KB | rkerr |
#8 | db_lock_table_2.patch | 1.72 KB | rkerr |
#7 | db_lock_table.patch | 1.07 KB | rkerr |
Comments
Comment #1
arkepp CreditAttribution: arkepp commentedJust a small clarification: If you keep the original table named 'variable' you do not get any error messages, but that of course means you lock and unlock the wrong table.
Comment #2
wulff CreditAttribution: wulff commentedAFAICT this has been fixed in cvs:
db_lock_table()
callsdb_query()
which takes care of prefixing the tables before running the query.Comment #3
olav CreditAttribution: olav commented4.7rc3 still has this bug.
The fix is simple:
Replace (database.mysql.inc:356)
db_query('LOCK TABLES {%s} WRITE', $table);
with
db_query('LOCK TABLES {' . $table . '} WRITE');
--
Olav
Comment #4
Gerhard Killesreiter CreditAttribution: Gerhard Killesreiter commentedOlav, can you explain why
db_query('LOCK TABLES {%s} WRITE', $table);
does not work?
Comment #5
rkerr CreditAttribution: rkerr commentedMust be in how db_query stuff parses arguments.
I'll bet that anything that gets sprintf'd into the query string is not checked for {table_name} and run through the prefixing routine.
Comment #6
moshe weitzman CreditAttribution: moshe weitzman commented#3 looks safe to me. nohere do we use user generated input as a table name.
Comment #7
rkerr CreditAttribution: rkerr commentedPatch attached. For MySQL and MySQLi as well.
Comment #8
rkerr CreditAttribution: rkerr commentedAdded db_escape_string around $table for safety, and updated PostgreSQL inc file as well.
(New patch attached).
Comment #9
rkerr CreditAttribution: rkerr commentedAnother patch for all 3 database includes, without escaping.
Comment #10
Steven CreditAttribution: Steven commentedUsing db_escape_string here is useless. The characters are not inserted inside an SQL string, but inside the SQL query itself. You don't need to get out of a
"
to do bad things.Using %s is bad because prefixing is done before inserting the data. If you have a table-specific prefix, it will not get applied correctly.
It's safer to restrict table vars using an explicit db_escape_table() function which only allows alphanumerics. Patch attached.
Comment #11
chx CreditAttribution: chx commentedThe usual quality from Steven.
Comment #12
rkerr CreditAttribution: rkerr commentedYeah that's the best way to do it. Steven's braver than I in adding core functions ;)
Comment #13
Steven CreditAttribution: Steven commentedCommitted to HEAD.
Comment #14
(not verified) CreditAttribution: commented