Calls to db_lock_table in bootstrap.inc does not use db_prefix

AFAICT this has been fixed in cvs: db_lock_table() calls db_query() which takes care of prefixing the tables before running the query.

4.7rc3 still has this bug.
The fix is simple:

Replace (database.mysql.inc:356)

db_query('LOCK TABLES {%s} WRITE', $table);

with

db_query('LOCK TABLES {' . $table . '} WRITE');

--
Olav

Olav, can you explain why

db_query('LOCK TABLES {%s} WRITE', $table);

does not work?

Must be in how db_query stuff parses arguments.
I'll bet that anything that gets sprintf'd into the query string is not checked for {table_name} and run through the prefixing routine.

#3 looks safe to me. nohere do we use user generated input as a table name.

Patch attached. For MySQL and MySQLi as well.

Added db_escape_string around $table for safety, and updated PostgreSQL inc file as well.
(New patch attached).

Another patch for all 3 database includes, without escaping.

Using db_escape_string here is useless. The characters are not inserted inside an SQL string, but inside the SQL query itself. You don't need to get out of a " to do bad things.

Using %s is bad because prefixing is done before inserting the data. If you have a table-specific prefix, it will not get applied correctly.

It's safer to restrict table vars using an explicit db_escape_table() function which only allows alphanumerics. Patch attached.

The usual quality from Steven.

Yeah that's the best way to do it. Steven's braver than I in adding core functions ;)

Committed to HEAD.