[drupal-devel] [bug] Database update fails if anonymous comment names contain single quotes
Junyor
drupal-devel at drupal.org
Fri Mar 25 22:50:38 UTC 2005
Issue status update for http://drupal.org/node/19432
Project: Drupal
Version: cvs
Component: database system
Category: bug reports
Priority: critical
Assigned to: Junyor
Reported by: Junyor
Updated by: Junyor
Status: patch
Attachment: http://drupal.org/files/issues/updates-4-5.patch (2.14 KB)
Made the patch a bit better. Here's a new version for CVS.
Junyor
Previous comments:
------------------------------------------------------------------------
March 25, 2005 - 14:23 : Junyor
Attachment: http://drupal.org/files/issues/updates_1.patch (2.22 KB)
Parts of update_124 will fail if an anonymous commenter's name contains
a single quote. To fix this, I updated update_sql to accept additional
parameters that it sends on to db_query. I also moved update_sql to the
top of the file. The only problem I could find with this approach is
that the query displayed by update.php contains the substitute
parameter (%s or %d), not the actual parameter.
I'd appreciate it if someone else could take a look and see if there's a
better way to do this. I think that update_sql should have this
functionality anyway, though.
------------------------------------------------------------------------
March 25, 2005 - 14:49 : Junyor
Attachment: http://drupal.org/files/issues/updates_2.patch (2.06 KB)
Here's the same patch for 4.5.2.
BTW, there was an $edit variable in update_sql that appeared to be
unused, so I removed it in both of these patches.
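
The failure and the fix described in this thread, as an added example that is not part of the original messages or of Drupal's code: a Python/sqlite3 sketch in which the helper names, the table and the sample name are constructed, and sqlite3's `?` placeholders stand in for the `%s`/`%d` placeholders of `db_query`. It also returns the arguments beside the query text, one way to address the display limitation mentioned above.

```python
import sqlite3

def update_sql_interpolated(db, sql):
    """Old shape (hypothetical helper): values are already pasted into the SQL text."""
    try:
        db.execute(sql)
        return {"success": True, "query": sql, "error": None}
    except sqlite3.Error as exc:
        return {"success": False, "query": sql, "error": str(exc)}

def update_sql_params(db, sql, *args):
    """New shape (hypothetical helper): extra arguments go on to the database layer."""
    try:
        db.execute(sql, args)  # the driver binds the values, so quotes stay data
        ok, err = True, None
    except sqlite3.Error as exc:
        ok, err = False, str(exc)
    # The query text still shows placeholders, so report the arguments with it.
    return {"success": ok, "query": sql, "args": args, "error": err}

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (cid INTEGER, name TEXT)")
    name = "Conan O'Brien"  # constructed anonymous commenter name with a single quote

    # The quote ends the string literal early and the statement no longer parses.
    bad = update_sql_interpolated(
        db, "INSERT INTO comments (cid, name) VALUES (1, '%s')" % name)

    # Same statement with placeholders; the name is stored unchanged.
    good = update_sql_params(
        db, "INSERT INTO comments (cid, name) VALUES (?, ?)", 1, name)

    stored = db.execute("SELECT name FROM comments WHERE cid = 1").fetchone()[0]
    return bad, good, stored

if __name__ == "__main__":
    for item in demo():
        print(item)
```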