[drupal-devel] [task] Extend db_query()
killes
drupal-devel at drupal.org
Mon Feb 21 17:03:59 UTC 2005
Project: Drupal
Version: cvs
Component: database system
Category: tasks
Priority: normal
Assigned to: killes at www.drop.org
Reported by: killes at www.drop.org
Updated by: killes at www.drop.org
-Status: active
+Status: patch
It's a patch.
killes at www.drop.org
Previous comments:
------------------------------------------------------------------------
February 21, 2005 - 13:48 : killes at www.drop.org
Attachment: http://drupal.org/files/issues/db-query.patch (2.16 KB)
We should make our database abstraction layer more robust and ensure
that module authors can use it without string manipulations inside the
query. Several queries use implode() to get their arguments into the
query. This is undesirable as we rely on the module author to check the
keys and values of such arrays for exploitation attempts.
I have created the attached patch which should be able to allow us to
not use implode anymore.
A minor problem is that all inserted values will be treated as strings.
This might be a problem with PostgreSQL at least. However, the same
strategy is already used in Drupal core without any complaints I know
of.
Summary: This patch will allow us to simplify some code in node.module,
user.module, taxonomy.module and probably others.
--
View: http://drupal.org/node/17656
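As an added illustration (not the attached patch and not Drupal's own database code), the implode() pattern the post warns about is shown beside an array-aware variant that gives every value its own quoted '%s' placeholder, so escaping happens in one place instead of in each module. The escape function demo_escape_string is a stand-in so the script runs offline.

```php
<?php
// Stand-in for the database layer's escape function (assumption, so that
// this example runs without a database connection).
function demo_escape_string($s) {
  return addslashes($s);
}

// Pattern the post describes: array values are dropped into the query text
// raw, so every caller must sanitize keys and values itself, and one caller
// that forgets produces a SQL injection.
function where_in_unsafe($column, array $values) {
  return "$column IN (" . implode(',', $values) . ")";
}

// Array-aware variant: the caller never edits the query string. One '%s'
// placeholder is generated per value, and each value is escaped and quoted
// by the layer. As the post notes, this treats every value as a string.
function where_in_placeholders($column, array $values) {
  if (count($values) == 0) {
    // IN () is invalid SQL; refuse rather than emit a broken query.
    throw new InvalidArgumentException('IN list must not be empty');
  }
  $placeholders = implode(',', array_fill(0, count($values), "'%s'"));
  $query = "$column IN ($placeholders)";
  $escaped = array_map('demo_escape_string', $values);
  return vsprintf($query, $escaped);
}

// Constructed inputs: one ordinary id and one string that tries to close
// the quote early. Compare how each variant embeds the second value.
$ids = array('7', "8') OR '1'='1");
echo where_in_unsafe('nid', $ids), "\n";
echo where_in_placeholders('nid', $ids), "\n";
```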