Project:      Drupal
Version:      cvs
Component:    database system
Category:     tasks
Priority:     normal
Assigned to:  killes@www.drop.org
Reported by:  killes@www.drop.org
Updated by:   killes@www.drop.org
-Status:      active
+Status:      patch

It's a patch.

killes@www.drop.org

Previous comments:
------------------------------------------------------------------------

February 21, 2005 - 13:48 : killes@www.drop.org

Attachment: http://drupal.org/files/issues/db-query.patch (2.16 KB)

We should make our database abstraction layer more robust and ensure that module authors can use it without string manipulations inside the query. Several queries use implode() to get their arguments into the query. This is undesirable as we rely on the module author to check the keys and values of such arrays for exploitation attempts.

I have created the attached patch which should be able to allow us to not use implode anymore.

A minor problem is that all inserted values will be treated as strings. This might be a problem with PostgreSQL at least. However, the same strategy is already used in Drupal core without any complaints I know of.

Summary: This patch will allow us to simplify some code in node.module, user.module, taxonomy.module and probably others.

-- 
View: http://drupal.org/node/17656
Edit: http://drupal.org/project/comments/add/17656
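The two patterns the issue contrasts, as an added illustration that is neither Drupal's database layer nor the attached db-query.patch: a query that implode()s an array of values into the SQL text, beside one that builds a placeholder list and hands the values to the query function as arguments. The helper names (sql_placeholders, query_with_placeholders, db_query_stub) and the sample term IDs are invented for this example, and db_query_stub only performs the substitution so the resulting SQL can be inspected offline.

```php
<?php
// Added illustration for this issue (not Drupal's code, not the attached
// patch). Needs PHP 5.3+ for the closure in db_query_stub().

// Constructed sample input: term IDs as a module might receive them from a
// form. The last entry is not a number but an injection attempt.
$tids = array('3', '7', "9) OR 1=1 --");

// 1. The pattern the issue wants to retire: implode() the values straight
//    into the SQL text. Every caller must validate every element first;
//    forget once and the third value becomes part of the query.
function query_with_implode(array $tids) {
  return 'SELECT nid FROM term_node WHERE tid IN (' . implode(',', $tids) . ')';
}

// 2. The placeholder pattern: one placeholder per value, values passed as
//    arguments, so escaping lives in the abstraction layer, not the module.
//    "'%s'" quotes and escapes each value (every value becomes a string,
//    the caveat the issue mentions); '%d' casts it to an integer instead.
function sql_placeholders($count, $placeholder = "'%s'") {
  return implode(',', array_fill(0, $count, $placeholder));
}

function query_with_placeholders(array $tids, $placeholder = "'%s'") {
  $query = 'SELECT nid FROM term_node WHERE tid IN ('
         . sql_placeholders(count($tids), $placeholder) . ')';
  return db_query_stub($query, $tids);
}

// Stand-in for the query function: substitutes the arguments into the
// placeholders in order, escaping string arguments with addslashes() for the
// demo only. A real driver would use its own escaping routine or a prepared
// statement.
function db_query_stub($query, array $args) {
  $i = 0;
  return preg_replace_callback('/%([sd])/', function ($m) use ($args, &$i) {
    $value = $args[$i++];
    return $m[1] === 'd' ? (string) (int) $value : addslashes($value);
  }, $query);
}

// Implode: the injected text lands in the query as live SQL.
echo query_with_implode($tids), "\n";

// String placeholders: the injected text is confined to a quoted literal,
// but the integer column is now compared against strings.
echo query_with_placeholders($tids), "\n";

// Integer placeholders: the column type is preserved and the bad value is
// reduced to its leading integer.
echo query_with_placeholders($tids, '%d'), "\n";
```

Run it with `php example.php` and compare the three query strings. The first shows why relying on each module author to validate the array is fragile; the second is the strategy the issue describes, with its "everything is a string" side effect visible in the output; the third is the obvious refinement for integer columns, which sidesteps the PostgreSQL concern at the cost of a second placeholder kind.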