[drupal-devel] [bug] Database update fails if anonymous comment names contain single quotes
Issue status update for http://drupal.org/node/19432
Project: Drupal
Version: cvs
Component: database system
Category: bug reports
Priority: critical
Assigned to: Junyor
Reported by: Junyor
Updated by: Junyor
Status: patch
Attachment: http://drupal.org/files/issues/updates_1.patch (2.22 KB)

March 25, 2005 - 14:23 : Junyor

Parts of update_124 will fail if an anonymous commenter's name contains a single quote. To fix this, I updated update_sql to accept additional parameters that it sends on to db_query. I also moved update_sql to the top of the file. The only problem I could find with this approach is that the query displayed by update.php contains the substitute parameter (%s or %d), not the actual parameter. I'd appreciate it if someone else could take a look and see if there's a better way to do this. I think that update_sql should have this functionality anyway, though.

Junyor
------------------------------------------------------------------------
March 25, 2005 - 14:49 : Junyor
Attachment: http://drupal.org/files/issues/updates_2.patch (2.06 KB)

Here's the same patch for 4.5.2. BTW, there was an $edit variable in update_sql that appeared to be unused, so I removed it in both of these patches.

Junyor
------------------------------------------------------------------------
March 25, 2005 - 23:50 : Junyor
Attachment: http://drupal.org/files/issues/updates-4-5.patch (2.14 KB)

Made the patch a bit better. Here's a new version for CVS.

Junyor
------------------------------------------------------------------------
March 25, 2005 - 23:51 : Junyor
Attachment: http://drupal.org/files/issues/updates-cvs.patch (2.3 KB)

That one was actually for 4.5.x. Here's the one for CVS.

Junyor
------------------------------------------------------------------------
March 28, 2005 - 00:45 : Steven
Updated by: Steven

This patch means that db arguments to update_sql() may not be passed as an array, but must be passed literally. Otherwise, an array with an array in it would be passed to db_query. This is confusing and inconsistent with the other db_ functions, so I would say we need to change the patch so it also accepts either syntax, like the rest of the db functions.

Steven
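Added PHP illustration of the two points raised so far (it is not the code from the attached patches, which are not reproduced on this page): the first post's fix of routing the commenter's name through db_query() placeholders instead of building the statement from the raw string, and Steven's request that update_sql() accept its arguments either literally or as one array, like the other db_ functions. db_query() and stub_escape() below are stand-ins that return the substituted SQL instead of executing it; the escaping rules, the table and column names, and the sample name are assumptions.

```php
<?php
// Added illustration, not code from the Drupal patches on this issue. It
// models the thread's two points: (1) a value such as an anonymous
// commenter's name must reach the database through db_query() placeholders
// rather than string concatenation, and (2) update_sql() should accept its
// arguments either literally or as one array. db_query() and stub_escape()
// are stand-ins: they escape and substitute, then return the finished SQL
// string so it can be inspected; the real db_query() executes it.

function stub_escape($value) {
  // Stand-in for driver-provided escaping: backslash-escape \ and '.
  return str_replace(array("\\", "'"), array("\\\\", "\\'"), (string) $value);
}

function db_query($query) {
  $args = func_get_args();
  array_shift($args);                            // drop $query itself
  if (isset($args[0]) && is_array($args[0])) {
    $args = $args[0];                            // db_query($q, array(...)) form
  }
  if (count($args) > 0) {
    $args = array_map('stub_escape', $args);
    $query = vsprintf($query, $args);            // fill %s / %d with escaped values
  }
  return $query;
}

function update_sql($sql) {
  $args = func_get_args();
  array_shift($args);
  if (isset($args[0]) && is_array($args[0])) {
    $args = $args[0];                            // array form, so both syntaxes work
  }
  // Forward as a single array: db_query() unwraps it exactly once, so no
  // nested array is passed on, which is what Steven's comment warns about.
  $result = db_query($sql, $args);
  // What update.php would display is the template with %s / %d, not the
  // substituted values, which is the cosmetic limitation Junyor mentions.
  return array('success' => $result !== FALSE, 'query' => $sql, 'result' => $result);
}

// Constructed sample data: an anonymous commenter whose name holds a quote.
$name = "O'Brien";
$cid = 7;

// The failing pattern from the bug report: the quote ends the SQL string
// literal early and the statement no longer parses.
$broken = "UPDATE comments SET name = '" . $name . "' WHERE cid = " . $cid;

// Both calling styles produce the same, correctly escaped statement.
$literal = update_sql("UPDATE comments SET name = '%s' WHERE cid = %d", $name, $cid);
$array   = update_sql("UPDATE comments SET name = '%s' WHERE cid = %d", array($name, $cid));

echo "broken:  $broken\n";
echo "literal: {$literal['result']}\n";
echo "array:   {$array['result']}\n";
```

Running it prints the concatenated statement with the quote terminating the string literal mid-name, followed by the two update_sql() results, which are identical and carry the name's quote escaped. The single unwrap in update_sql() is the detail that keeps db_query() from ever seeing an array nested inside an array.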
------------------------------------------------------------------------
March 28, 2005 - 12:27 : Junyor
Attachment: http://drupal.org/files/issues/updates-cvs_0.patch (2.37 KB)

I think this should do it. Patch for HEAD.

Junyor
------------------------------------------------------------------------
Junyor
Attachment: http://drupal.org/files/issues/updates-4-5_0.patch (2.59 KB)

Patch for 4.5.2.

Junyor
Participants (2): Junyor, Steven