[drupal-devel] [bug] Database update fails if anonymous comment names contain single quotes

Junyor drupal-devel at drupal.org
Mon Mar 28 11:28:15 UTC 2005

Issue status update for http://drupal.org/node/19432

 Project:      Drupal
 Version:      cvs
 Component:    database system
 Category:     bug reports
 Priority:     critical
 Assigned to:  Junyor
 Reported by:  Junyor
 Updated by:   Junyor
 Status:       patch
 Attachment:   http://drupal.org/files/issues/updates-4-5_0.patch (2.59 KB)

Patch for 4.5.2.


Previous comments:

March 25, 2005 - 14:23 : Junyor

Attachment: http://drupal.org/files/issues/updates_1.patch (2.22 KB)

Parts of update_124 will fail if an anonymous commenter's name contains
a single quote.  To fix this, I updated update_sql to accept additional
parameters that it sends on to db_query.  I also moved update_sql to the
top of the file.  The only problem I could find with this approach is
that the query displayed by update.php contains the substitute
parameter (%s or %d), not the actual parameter.
I'd appreciate if someone else could take a look and see if there's a
better way to do this.  I think that update_sql should have this
functionality anyway, though.


March 25, 2005 - 14:49 : Junyor

Attachment: http://drupal.org/files/issues/updates_2.patch (2.06 KB)

Here's the same patch for 4.5.2.
BTW, there was an $edit variable in update_sql that appeared to be
unused, so I removed it in both of these patches.


March 25, 2005 - 23:50 : Junyor

Attachment: http://drupal.org/files/issues/updates-4-5.patch (2.14 KB)

Made the patch a bit better.  Here's a new version for CVS.


March 25, 2005 - 23:51 : Junyor

Attachment: http://drupal.org/files/issues/updates-cvs.patch (2.3 KB)

That one was actually for 4.5.x.  Here's the one for CVS.


March 28, 2005 - 00:45 : Steven

This patch means that db arguments to update_sql() may not be passed as
an array, but must be passed literally. Otherwise, an array with an
array in it would be passed to db_query.
This is confusing and inconsistent with the other db_ functions, so I
would say we need to change the patch so it also accepts either syntax,
like the rest of the db functions.
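
The two comments above describe the shape of the fix: update_sql() forwards its
parameters to db_query(), which escapes them before substituting them into
%s / %d placeholders, and (per Steven) it should accept those parameters either
as extra arguments or as a single array. The following is an added
illustration of that design, not code from Drupal or from any of the patches
in this thread.  The demo_* function names and the escaping routine are
stand-ins (a real database layer would call the driver's escape function);
only the update_sql/db_query calling convention is taken from the thread.

```php
<?php
// Added example, not Drupal's code: an update_sql()-style wrapper that
// forwards parameters to the query builder and accepts both calling styles.

// Stand-in for the driver's string escaping (assumption: real code would use
// the database driver's escape function instead of this replacement table).
function demo_escape_string($s) {
  return str_replace(
    array('\\', "'", '"', "\n", "\r", "\0"),
    array('\\\\', "\\'", '\\"', '\\n', '\\r', '\\0'),
    (string) $s);
}

// Flatten the two supported call styles into one flat argument list:
//   demo_update_sql('... %s ...', $a, $b)         and
//   demo_update_sql('... %s ...', array($a, $b))
// Without this step, the array form would hand db_query an array nested in
// an array, which is the inconsistency Steven points out.
function demo_flatten_args(array $args) {
  if (count($args) == 1 && is_array($args[0])) {
    return $args[0];
  }
  return $args;
}

// Build the executable statement: every parameter is escaped, then
// substituted into the %s / %d placeholders with sprintf, so a quote inside
// a value can no longer terminate the SQL string literal.
function demo_build_query($query, array $args) {
  if (count($args) == 0) {
    return $query;
  }
  $args = array_map('demo_escape_string', $args);
  array_unshift($args, $query);
  return call_user_func_array('sprintf', $args);
}

// Hypothetical update_sql(): returns both the statement update.php would run
// and the string it would display.  The display string still carries the raw
// placeholders, which is the cosmetic limitation noted in the first comment.
function demo_update_sql($query) {
  $args = demo_flatten_args(array_slice(func_get_args(), 1));
  return array(
    'display' => $query,
    'sql'     => demo_build_query($query, $args),
  );
}

// Constructed sample input: an anonymous commenter's name with a single quote.
$name = "O'Brien";

// Before: direct interpolation splits the literal at the quote and the
// UPDATE fails (or, with attacker-chosen input, does something else).
$broken = "UPDATE comments SET name = '$name' WHERE cid = 7";

// After: both calling styles produce the same escaped statement.
$a = demo_update_sql("UPDATE comments SET name = '%s' WHERE cid = %d", $name, 7);
$b = demo_update_sql("UPDATE comments SET name = '%s' WHERE cid = %d", array($name, 7));

echo "broken:  ", $broken, "\n";
echo "fixed:   ", $a['sql'], "\n";
echo "display: ", $a['display'], "\n";
echo ($a['sql'] === $b['sql']) ? "both call styles agree\n" : "MISMATCH\n";
```

Running this prints the broken statement with the literal cut short at the
apostrophe, the fixed statement with `name = 'O\'Brien'`, and the display
string with `%s` / `%d` still in place, which is why update.php shows the
placeholders rather than the substituted values.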


March 28, 2005 - 12:27 : Junyor

Attachment: http://drupal.org/files/issues/updates-cvs_0.patch (2.37 KB)

I think this should do it.  Patch for HEAD.
