Issue status update for http://drupal.org/node/19432 Project: Drupal Version: cvs Component: database system Category: bug reports Priority: critical Assigned to: Junyor Reported by: Junyor Updated by: Junyor Status: patch Attachment: http://drupal.org/files/issues/updates_1.patch (2.22 KB) Parts of update_124 will fail if an anonymous commentor's name contains a single quote. To fix this, I updated update_sql to accept additional parameters that it sends on to db_query. I also moved update_sql to the top of the file. The only problem I could find with this approach is that the query displayed by update.php contains the substitute parameter (%s or %d), not the actual parameter. I'd appreciate if someone else could take a look and see if there's a better way to do this. I think that update_sql should have this functionality anyway, though. Junyor