Bug#336719: Can you reproduce this on 4.5.3-4?
11 Nov 2005, 2:57 p.m.
Florian Weimer <fw@deneb.enyo.de> writes:
db_query uses sprintf to replace placeholder expressions if passed more than one argument and it seems to me that using %s does the same thing as PHP's string expansion as in 4.5.3.
What about SQL injection? Doesn't db_query protect against it, while PHP's string expansion doesn't?
At second glance, it does seem like it: db_query performs quoting on those arguments which are then added via snprintf().

Do you have any idea how the $key parameter to sess_destroy (includes/session.inc) is generated?

Cheers,
-Hilko
who is once again shocked how little he knows about PHP's internal magic
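To make the distinction in the thread concrete, here is an added illustration (not Drupal's code and not from this bug report) of the two ways of building the sess_destroy query: plain PHP string expansion, as in 4.5.3, and a db_query-style call where every extra argument is escaped before being substituted for its placeholder. The function names db_query_like and fake_escape, and the session key value, are assumptions constructed for the example; fake_escape stands in for the database driver's real quoting routine.

```php
<?php
// Added example, not Drupal code: contrast PHP string expansion with a
// db_query-style placeholder API that escapes each argument and then
// substitutes it into the query template with vsprintf().

// Stand-in for the database driver's quoting function (assumption: simple
// backslash escaping of quotes, in the style of mysql_real_escape_string).
function fake_escape($value) {
    return addslashes($value);
}

// Mimics the interface discussed in the thread: when called with more than
// one argument, each extra argument is escaped and applied to the template.
// The caller still has to put the quotes around '%s' in the template.
function db_query_like($query) {
    $args = func_get_args();
    array_shift($args);                    // drop the template itself
    if (count($args) > 0) {
        $args = array_map('fake_escape', $args);
        $query = vsprintf($query, $args);
    }
    return $query;  // a real implementation would send this to the database
}

// Constructed session key containing a single quote.
$key = "abc' OR '1'='1";

// 4.5.3 style: the quote inside $key terminates the string literal, so the
// rest of $key becomes part of the WHERE clause.
$expanded = "DELETE FROM sessions WHERE sid = '$key'";

// Placeholder style: the quote is escaped, so $key stays one string literal.
$quoted = db_query_like("DELETE FROM sessions WHERE sid = '%s'", $key);

echo $expanded, "\n";
echo $quoted, "\n";
```

Running this prints the two resulting statements side by side; only the second keeps the whole of $key inside the quoted literal. The protection depends on the template author writing '%s' with its surrounding quotes (or %d for numeric values) and never expanding a variable into the template string before db_query sees it.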
Participants: Hilko Bengen