Commit fa978390 authored by Dries's avatar Dries

- Patch 13180 by chx: renamed check_query() to db_escape_string() and implemented it properly per database backend.

  Read the manual for pg_escape_string:  "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
parent dc32e54f
......@@ -345,13 +345,6 @@ function arg($index) {
}
}
/**
* Prepare user input for use in a database query, preventing SQL injection attacks.
*/
function check_query($text) {
return addslashes($text);
}
/**
* Prepare user input for use in a URI.
*
......
......@@ -228,7 +228,7 @@ function drupal_goto($path = '', $query = NULL, $fragment = NULL) {
*/
function drupal_not_found() {
header('HTTP/1.0 404 Not Found');
watchdog('httpd', t('404 error: %page not found.', array('%page' => '<em>'. check_query($_GET['q']) .'</em>')));
watchdog('httpd', t('404 error: %page not found.', array('%page' => '<em>'. db_escape_string($_GET['q']) .'</em>')));
$path = drupal_get_normal_path(variable_get('site_404', ''));
$status = MENU_NOT_FOUND;
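Review bot: `db_escape_string($_GET['q'])` on the new line escapes for the wrong context: the value is concatenated into an HTML `<em>` fragment inside a log message, and SQL string escaping does nothing to neutralise `<` or `"` there. If watchdog() itself binds the message through db_query()'s `%s` substitution (not visible here), the query-side escaping is applied a second time and the stored entry carries doubled backslashes. Escape for the output context at this point, e.g. `'<em>'. htmlspecialchars($_GET['q']) .'</em>'`, and leave SQL escaping to wherever the message actually enters a query. drupal_not_found() continues past the hunk.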
......
......@@ -55,11 +55,11 @@ function db_query($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
$args1 = array_map('check_query', $args[1]);
$args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
$nargs = array_map('check_query', $args);
$nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs));
......@@ -79,11 +79,11 @@ function db_queryd($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
$args1 = array_map('check_query', $args[1]);
$args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
$nargs = array_map('check_query', $args);
$nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs), 1);
......@@ -248,7 +248,7 @@ function db_query_range($query) {
$count = array_pop($args);
$from = array_pop($args);
if (count(func_get_args()) > 3) {
$args = array_map('check_query', $args);
$args = array_map('db_escape_string', $args);
$query = db_prefix_tables($query);
$args[0] = $query;
$query = call_user_func_array('sprintf', $args);
......@@ -285,6 +285,13 @@ function db_decode_blob($data) {
return $data;
}
/**
* Prepare user input for use in a database query, preventing SQL injection attacks.
*/
function db_escape_string($text) {
return addslashes($text);
}
/**
* @} End of "ingroup database".
*/
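Review bot: The MySQL db_escape_string() still returns `addslashes($text)`, which knows nothing about the connection's character set; the commit message makes exactly this argument against addslashes() for PostgreSQL and SQLite, and the MySQL-side equivalent is mysql_real_escape_string() (PHP 4.3+, needs the open connection) or mysql_escape_string() on older PHP. With a multibyte server charset a byte sequence can absorb the inserted backslash and leave the quote live, which is the case the driver function handles and addslashes() does not. I would change the body to `return mysql_real_escape_string($text);` once the minimum PHP version permits it, and extend the docblock with `* The result is only safe inside a single-quoted SQL string literal; it gives no protection for identifiers, unquoted numbers or LIKE patterns.` since several callers in this commit pass column names and ids through it.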
......
......@@ -45,11 +45,11 @@ function db_query($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
$args1 = array_map('check_query', $args[1]);
$args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
$nargs = array_map('check_query', $args);
$nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs));
......@@ -69,11 +69,11 @@ function db_queryd($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
$args1 = array_map('check_query', $args[1]);
$args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
$nargs = array_map('check_query', $args);
$nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs), 1);
......@@ -252,7 +252,7 @@ function db_query_range($query) {
$count = array_pop($args);
$from = array_pop($args);
if (count(func_get_args()) > 3) {
$args = array_map('check_query', $args);
$args = array_map('db_escape_string', $args);
$query = db_prefix_tables($query);
$args[0] = $query;
$result = $active_db->limitQuery(call_user_func_array('sprintf', $args), $from, $count);
......@@ -278,4 +278,11 @@ function db_query_range($query) {
}
}
/**
* Prepare user input for use in a database query, preventing SQL injection attacks.
*/
function db_escape_string($text) {
return addslashes($text);
}
?>
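Review bot: This backend talks to the database through a PEAR DB object (`$active_db->limitQuery()` in the hunk above), so the active driver may be PostgreSQL or SQLite — the two cases the commit message says must not be escaped with addslashes() — yet the new db_escape_string() here still returns `addslashes($text)`. PEAR DB exposes per-driver escaping on the connection object (escapeSimple() in recent releases, only quote() in older ones), so the body should delegate to that where the installed release provides it, e.g. `global $active_db; return $active_db->escapeSimple($text);`, with the addslashes() fallback documented as a known gap. Separately, the file keeps a trailing `?>`; if any whitespace follows it, that is emitted as output and can defeat later header() calls such as the 404 header in drupal_not_found(), so dropping the closing tag is the safer convention.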
......@@ -51,11 +51,11 @@ function db_query($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
$args1 = array_map('check_query', $args[1]);
$args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
$nargs = array_map('check_query', $args);
$nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs));
......@@ -75,11 +75,11 @@ function db_queryd($query) {
$query = db_prefix_tables($query);
if (count($args) > 1) {
if(is_array($args[1])){
$args1 = array_map('check_query', $args[1]);
$args1 = array_map('db_escape_string', $args[1]);
$nargs = array_merge(array($query), $args1);
}
else {
$nargs = array_map('check_query', $args);
$nargs = array_map('db_escape_string', $args);
$nargs[0] = $query;
}
return _db_query(call_user_func_array('sprintf', $nargs), 1);
......@@ -242,7 +242,7 @@ function db_query_range($query) {
$count = array_pop($args);
$from = array_pop($args);
if (count(func_get_args()) > 3) {
$args = array_map('check_query', $args);
$args = array_map('db_escape_string', $args);
$query = db_prefix_tables($query);
$args[0] = $query;
$query = call_user_func_array('sprintf', $args);
......@@ -279,6 +279,14 @@ function db_decode_blob($data) {
return stripcslashes($data);
}
/**
* Prepare user input for use in a database query, preventing SQL injection attacks.
* Note: This function requires PostgreSQL 7.2 or later.
*/
function db_escape_string($text) {
return pg_escape_string($text);
}
/**
* @} End of "ingroup database".
*/
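Review bot: The docblock on the new pg_escape_string() wrapper should state the contract callers get, not just the server version: the value is safe only inside a single-quoted string literal, LIKE wildcards (`%`, `_`) are not escaped, and identifiers or bare numbers get no protection. Because no connection resource is passed, pg_escape_string() escapes according to the most recently opened pg connection, which is fine while Drupal holds a single connection but is worth recording next to the 7.2 note. Suggested addition: `* The result is only safe within a quoted SQL string literal; it does not protect identifiers, numbers or LIKE patterns.`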
......
......@@ -1012,16 +1012,16 @@ function _locale_string_seek() {
// Compute LIKE section
switch ($query->searchin) {
case 'translated':
$where = "WHERE (t.translation LIKE '%". check_query($query->string) ."%' AND t.translation != '')";
$where = "WHERE (t.translation LIKE '%". db_escape_string($query->string) ."%' AND t.translation != '')";
$orderby = "ORDER BY t.translation";
break;
case 'untranslated':
$where = "WHERE (s.source LIKE '%". check_query($query->string) ."%' AND t.translation = '')";
$where = "WHERE (s.source LIKE '%". db_escape_string($query->string) ."%' AND t.translation = '')";
$orderby = "ORDER BY s.source";
break;
case 'all' :
default:
$where = "WHERE (s.source LIKE '%". check_query($query->string) ."%' OR t.translation LIKE '%". check_query($query->string) ."%')";
$where = "WHERE (s.source LIKE '%". db_escape_string($query->string) ."%' OR t.translation LIKE '%". db_escape_string($query->string) ."%')";
$orderby = '';
break;
}
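Review bot: db_escape_string() neutralises quotes in `$query->string`, but every branch embeds the value between LIKE wildcards and leaves the `%` and `_` characters of the search string untouched, so a search for `%` or `_` matches every row instead of those characters. If a literal match is intended, escape the pattern before the SQL escape and reuse it, e.g. `$like = db_escape_string(str_replace(array('%', '_'), array('\%', '\_'), $query->string));` (backslash is the default LIKE escape on both MySQL and PostgreSQL, and the SQL escape then doubles it correctly). Whether `%` also needs doubling for sprintf() depends on how pager_query() treats a query with no extra arguments, which is not visible here; the taxonomy helpers in this commit double it explicitly. _locale_string_seek() starts before the hunk.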
......@@ -1029,7 +1029,7 @@ function _locale_string_seek() {
switch ($query->language) {
// Force search in source strings
case "en":
$sql = $join ." WHERE s.source LIKE '%". check_query($query->string) ."%' ORDER BY s.source";
$sql = $join ." WHERE s.source LIKE '%". db_escape_string($query->string) ."%' ORDER BY s.source";
break;
// Search in all languages
case "all":
......@@ -1037,7 +1037,7 @@ function _locale_string_seek() {
break;
// Some different language
default:
$sql = "$join $where AND t.locale = '". check_query($query->language) ."' $orderby";
$sql = "$join $where AND t.locale = '". db_escape_string($query->language) ."' $orderby";
}
$result = pager_query($sql, 50);
......
......@@ -51,8 +51,8 @@ function tablesort_pager() {
function tablesort_sql($header, $before = '') {
$ts = tablesort_init($header);
if ($ts['sql']) {
$sql = check_query($ts['sql']);
$sort = strtoupper(check_query($ts['sort']));
$sql = db_escape_string($ts['sql']);
$sort = strtoupper(db_escape_string($ts['sort']));
return " ORDER BY $before $sql $sort";
}
}
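Review bot: `db_escape_string()` cannot protect `$ts['sql']` and `$ts['sort']` here, because both are interpolated unquoted into `ORDER BY $before $sql $sort`; string escaping only touches quote characters, and an expression without quotes passes through untouched in identifier position. What actually keeps this safe is whether tablesort_init() restricts `sql` to the columns declared in `$header` and `sort` to asc/desc — that code is outside the hunk, so I cannot confirm it. I would make the guarantee local: `$sort = (strtoupper($ts['sort']) == 'DESC') ? 'DESC' : 'ASC';` and validate `$ts['sql']` against the column names declared in `$header` before use, with a comment stating that ORDER BY fragments must be whitelisted, never escaped.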
......
......@@ -226,7 +226,7 @@ function book_form(&$node) {
global $user;
$op = $_POST['op'];
$output = form_select(t('Parent'), 'parent', ($node->parent ? $node->parent : arg(4)), book_toc($node->nid), t('The parent that this page belongs in. Note that pages whose parent is &lt;top-level&gt; are regarded as independent, top-level books.'));
if (function_exists('taxonomy_node_form')) {
......
......@@ -226,7 +226,7 @@ function book_form(&$node) {
global $user;
$op = $_POST['op'];
$output = form_select(t('Parent'), 'parent', ($node->parent ? $node->parent : arg(4)), book_toc($node->nid), t('The parent that this page belongs in. Note that pages whose parent is &lt;top-level&gt; are regarded as independent, top-level books.'));
if (function_exists('taxonomy_node_form')) {
......
......@@ -751,7 +751,7 @@ function comment_render($node, $cid = 0) {
else {
// Multiple comment view
$query .= "SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name , c.mail, c.homepage, u.uid, u.name AS registered_name, u.picture, u.data, c.score, c.users, c.thread FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = '". check_query($nid) ."' AND c.status = 0";
$query .= "SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name , c.mail, c.homepage, u.uid, u.name AS registered_name, u.picture, u.data, c.score, c.users, c.thread FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = '". db_escape_string($nid) ."' AND c.status = 0";
$query .= ' GROUP BY c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, u.picture, c.homepage, u.uid, u.name, u.picture, u.data, c.score, c.users, c.thread';
......@@ -843,7 +843,7 @@ function comment_render($node, $cid = 0) {
}
// Start a form, for use with comment control and moderation.
$result = pager_query($query, $comments_per_page, 0, "SELECT COUNT(*) FROM {comments} WHERE nid = '". check_query($nid) ."'");
$result = pager_query($query, $comments_per_page, 0, "SELECT COUNT(*) FROM {comments} WHERE nid = '". db_escape_string($nid) ."'");
if (db_num_rows($result) && (variable_get('comment_controls', 0) == 0 || variable_get('comment_controls', 0) == 2)) {
$output .= '<form method="post" action="'. url('comment') ."\"><div>\n";
$output .= theme('comment_controls', $threshold, $mode, $order, $comments_per_page);
......@@ -1001,7 +1001,7 @@ function comment_admin_overview($type = 'new') {
);
$status = ($type == 'approval') ? 1 : 0;
$sql = 'SELECT c.subject, c.nid, c.cid, c.comment, c.timestamp, c.status, c.name, c.homepage, u.name AS registered_name, u.uid FROM {comments} c INNER JOIN {users} u ON u.uid = c.uid WHERE c.status = '. check_query($status);
$sql = 'SELECT c.subject, c.nid, c.cid, c.comment, c.timestamp, c.status, c.name, c.homepage, u.name AS registered_name, u.uid FROM {comments} c INNER JOIN {users} u ON u.uid = c.uid WHERE c.status = '. db_escape_string($status);
$sql .= tablesort_sql($header);
$result = pager_query($sql, 50);
......@@ -1276,10 +1276,10 @@ function comment_moderate() {
}
function comment_save_settings() {
$mode = check_query($_POST['mode']);
$order = check_query($_POST['order']);
$threshold = check_query($_POST['threshold']);
$comments_per_page = check_query($_POST['comments_per_page']);
$mode = db_escape_string($_POST['mode']);
$order = db_escape_string($_POST['order']);
$threshold = db_escape_string($_POST['threshold']);
$comments_per_page = db_escape_string($_POST['comments_per_page']);
global $user;
$edit = $_POST['edit'];
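Review bot: The four `$_POST` values are escaped the moment they are read, before the code knows where they will be used; if they are later saved through db_query() placeholders or into the user's serialized data (the function continues past the hunk), the escaping is applied twice or stored into the wrong context. Since mode, order, threshold and comments_per_page look like numeric settings, a cast is both safer and context-independent, e.g. `$mode = (int) $_POST['mode'];` and likewise for the other three; otherwise keep the raw values and escape them exactly where they are interpolated into SQL. If any of them is genuinely a free-form string, a comment saying so would help, because the escape-at-read pattern hides that.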
......
......@@ -751,7 +751,7 @@ function comment_render($node, $cid = 0) {
else {
// Multiple comment view
$query .= "SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name , c.mail, c.homepage, u.uid, u.name AS registered_name, u.picture, u.data, c.score, c.users, c.thread FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = '". check_query($nid) ."' AND c.status = 0";
$query .= "SELECT c.cid as cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name , c.mail, c.homepage, u.uid, u.name AS registered_name, u.picture, u.data, c.score, c.users, c.thread FROM {comments} c INNER JOIN {users} u ON c.uid = u.uid WHERE c.nid = '". db_escape_string($nid) ."' AND c.status = 0";
$query .= ' GROUP BY c.cid, c.pid, c.nid, c.subject, c.comment, c.format, c.timestamp, c.name, c.mail, u.picture, c.homepage, u.uid, u.name, u.picture, u.data, c.score, c.users, c.thread';
......@@ -843,7 +843,7 @@ function comment_render($node, $cid = 0) {
}
// Start a form, for use with comment control and moderation.
$result = pager_query($query, $comments_per_page, 0, "SELECT COUNT(*) FROM {comments} WHERE nid = '". check_query($nid) ."'");
$result = pager_query($query, $comments_per_page, 0, "SELECT COUNT(*) FROM {comments} WHERE nid = '". db_escape_string($nid) ."'");
if (db_num_rows($result) && (variable_get('comment_controls', 0) == 0 || variable_get('comment_controls', 0) == 2)) {
$output .= '<form method="post" action="'. url('comment') ."\"><div>\n";
$output .= theme('comment_controls', $threshold, $mode, $order, $comments_per_page);
......@@ -1001,7 +1001,7 @@ function comment_admin_overview($type = 'new') {
);
$status = ($type == 'approval') ? 1 : 0;
$sql = 'SELECT c.subject, c.nid, c.cid, c.comment, c.timestamp, c.status, c.name, c.homepage, u.name AS registered_name, u.uid FROM {comments} c INNER JOIN {users} u ON u.uid = c.uid WHERE c.status = '. check_query($status);
$sql = 'SELECT c.subject, c.nid, c.cid, c.comment, c.timestamp, c.status, c.name, c.homepage, u.name AS registered_name, u.uid FROM {comments} c INNER JOIN {users} u ON u.uid = c.uid WHERE c.status = '. db_escape_string($status);
$sql .= tablesort_sql($header);
$result = pager_query($sql, 50);
......@@ -1276,10 +1276,10 @@ function comment_moderate() {
}
function comment_save_settings() {
$mode = check_query($_POST['mode']);
$order = check_query($_POST['order']);
$threshold = check_query($_POST['threshold']);
$comments_per_page = check_query($_POST['comments_per_page']);
$mode = db_escape_string($_POST['mode']);
$order = db_escape_string($_POST['order']);
$threshold = db_escape_string($_POST['threshold']);
$comments_per_page = db_escape_string($_POST['comments_per_page']);
global $user;
$edit = $_POST['edit'];
......
......@@ -380,7 +380,7 @@ function forum_get_forums($tid = 0) {
// This query does not use full ANSI syntax since MySQL 3.x does not support
// table1 INNER JOIN table2 INNER JOIN table3 ON table2_criteria ON table3_criteria
// used to join node_comment_statistics to users
// used to join node_comment_statistics to users.
$topic = db_fetch_object(db_query_range('SELECT DISTINCT(n.nid), l.last_comment_timestamp, IF(l.last_comment_uid, cu.name, l.last_comment_name) as last_comment_name, l.last_comment_uid FROM {node} n ' . node_access_join_sql() . ", {node_comment_statistics} l /*! USE INDEX (node_comment_timestamp) */, {users} cu, {term_node} r WHERE n.nid = r.nid AND r.tid = %d AND n.status = 1 AND n.type = 'forum' AND l.last_comment_uid = cu.uid AND n.nid = l.nid AND " . node_access_where_sql() . ' ORDER BY l.last_comment_timestamp DESC', $forum->tid, 0, 1));
$last_post->timestamp = $topic->last_comment_timestamp;
$last_post->name = $topic->last_comment_name;
......@@ -422,7 +422,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
}
$term = taxonomy_get_term($tid);
$check_tid = $tid ? "'". check_query($tid) ."'" : 'NULL';
$check_tid = $tid ? "'". db_escape_string($tid) ."'" : 'NULL';
$sql = "SELECT DISTINCT(n.nid), f.tid, n.title, n.sticky, u.name, u.uid, n.created AS timestamp, n.comment AS comment_mode, l.last_comment_timestamp, IF(l.last_comment_uid, cu.name, l.last_comment_name) as last_comment_name, l.last_comment_uid, l.comment_count AS num_comments FROM {node} n ". node_access_join_sql() .", {node_comment_statistics} l, {users} cu, {term_node} r, {users} u, {forum} f WHERE n.status = 1 AND l.last_comment_uid = cu.uid AND n.nid = l.nid AND n.nid = r.nid AND r.tid = $check_tid AND n.uid = u.uid AND n.nid = f.nid AND ". node_access_where_sql();
$sql .= tablesort_sql($forum_topic_list_header, 'n.sticky DESC,');
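Review bot: `$tid` is a term id compared against `r.tid`, so quoting and string-escaping it is the weaker control; `(int) $tid` is unambiguous on all three backends and needs no escaping at all. The `'NULL'` branch also yields `r.tid = NULL`, which never matches in SQL — pre-existing, but since the line is being rewritten it is worth a look at what the caller expects for an empty `$tid`. Suggested: `$check_tid = $tid ? (int) $tid : 'NULL';`. forum_get_topics() starts before the hunk.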
......
......@@ -380,7 +380,7 @@ function forum_get_forums($tid = 0) {
// This query does not use full ANSI syntax since MySQL 3.x does not support
// table1 INNER JOIN table2 INNER JOIN table3 ON table2_criteria ON table3_criteria
// used to join node_comment_statistics to users
// used to join node_comment_statistics to users.
$topic = db_fetch_object(db_query_range('SELECT DISTINCT(n.nid), l.last_comment_timestamp, IF(l.last_comment_uid, cu.name, l.last_comment_name) as last_comment_name, l.last_comment_uid FROM {node} n ' . node_access_join_sql() . ", {node_comment_statistics} l /*! USE INDEX (node_comment_timestamp) */, {users} cu, {term_node} r WHERE n.nid = r.nid AND r.tid = %d AND n.status = 1 AND n.type = 'forum' AND l.last_comment_uid = cu.uid AND n.nid = l.nid AND " . node_access_where_sql() . ' ORDER BY l.last_comment_timestamp DESC', $forum->tid, 0, 1));
$last_post->timestamp = $topic->last_comment_timestamp;
$last_post->name = $topic->last_comment_name;
......@@ -422,7 +422,7 @@ function forum_get_topics($tid, $sortby, $forum_per_page) {
}
$term = taxonomy_get_term($tid);
$check_tid = $tid ? "'". check_query($tid) ."'" : 'NULL';
$check_tid = $tid ? "'". db_escape_string($tid) ."'" : 'NULL';
$sql = "SELECT DISTINCT(n.nid), f.tid, n.title, n.sticky, u.name, u.uid, n.created AS timestamp, n.comment AS comment_mode, l.last_comment_timestamp, IF(l.last_comment_uid, cu.name, l.last_comment_name) as last_comment_name, l.last_comment_uid, l.comment_count AS num_comments FROM {node} n ". node_access_join_sql() .", {node_comment_statistics} l, {users} cu, {term_node} r, {users} u, {forum} f WHERE n.status = 1 AND l.last_comment_uid = cu.uid AND n.nid = l.nid AND n.nid = r.nid AND r.tid = $check_tid AND n.uid = u.uid AND n.nid = f.nid AND ". node_access_where_sql();
$sql .= tablesort_sql($forum_topic_list_header, 'n.sticky DESC,');
......
......@@ -428,11 +428,11 @@ function locale_admin_string() {
switch ($op) {
case 'delete':
$output .= _locale_string_delete(check_query(arg(4)));
$output .= _locale_string_delete(db_escape_string(arg(4)));
$output .= _locale_string_seek();
break;
case 'edit':
$output .= _locale_string_edit(check_query(arg(4)));
$output .= _locale_string_edit(db_escape_string(arg(4)));
$output .= _locale_string_seek();
break;
case t('Search'):
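Review bot: arg(4) is escaped here and the already-altered value is then handed to _locale_string_delete() and _locale_string_edit(), so the callee receives input shaped for one specific context; if those helpers bind it through db_query()'s `%d`/`%s` (not visible), it is escaped twice, and if they echo it back into a form it carries stray backslashes. Escaping belongs where the SQL is built, not at the call site; and if the locale string id is an integer, the right conversion is a cast, e.g. `$output .= _locale_string_delete((int) arg(4));`. locale_admin_string() starts before the hunk.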
......@@ -441,7 +441,7 @@ function locale_admin_string() {
$output .= _locale_string_seek_form();
break;
case t('Save translations'):
$output .= _locale_string_save(check_query(arg(4)));
$output .= _locale_string_save(db_escape_string(arg(4)));
drupal_goto('admin/locale/string/search');
break;
default:
......
......@@ -428,11 +428,11 @@ function locale_admin_string() {
switch ($op) {
case 'delete':
$output .= _locale_string_delete(check_query(arg(4)));
$output .= _locale_string_delete(db_escape_string(arg(4)));
$output .= _locale_string_seek();
break;
case 'edit':
$output .= _locale_string_edit(check_query(arg(4)));
$output .= _locale_string_edit(db_escape_string(arg(4)));
$output .= _locale_string_seek();
break;
case t('Search'):
......@@ -441,7 +441,7 @@ function locale_admin_string() {
$output .= _locale_string_seek_form();
break;
case t('Save translations'):
$output .= _locale_string_save(check_query(arg(4)));
$output .= _locale_string_save(db_escape_string(arg(4)));
drupal_goto('admin/locale/string/search');
break;
default:
......
......@@ -386,7 +386,7 @@ function node_load($conditions, $revision = NULL, $reset = NULL) {
// Turn the conditions into a query.
foreach ($conditions as $key => $value) {
$cond[] = 'n.'. check_query($key) ." = '". check_query($value) ."'";
$cond[] = 'n.'. db_escape_string($key) ." = '". db_escape_string($value) ."'";
}
// Retrieve the node.
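Review bot: `db_escape_string($key)` does not protect the column name on the left-hand side of `n.<key> = '...'`: the escaping only touches quote characters, and identifier position accepts any quote-free expression, so the real control is whether callers pass only known column names in `$conditions`. node_save() in the same commit whitelists keys with `in_array($key, $fields)`; node_load() shows no equivalent check in this hunk. I would add the same whitelist here, or at least a comment stating that `$conditions` keys must be trusted column names, and keep db_escape_string() for the value only: `$cond[] = 'n.'. $key ." = '". db_escape_string($value) ."'";` behind that check. node_load() starts before and continues after the hunk.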
......@@ -452,7 +452,7 @@ function node_save($node) {
// Prepare the query:
foreach ($node as $key => $value) {
if (in_array($key, $fields)) {
$k[] = check_query($key);
$k[] = db_escape_string($key);
$v[] = $value;
$s[] = "'%s'";
}
......@@ -478,7 +478,7 @@ function node_save($node) {
// Prepare the query:
foreach ($node as $key => $value) {
if (in_array($key, $fields)) {
$q[] = check_query($key) ." = '%s'";
$q[] = db_escape_string($key) ." = '%s'";
$v[] = $value;
}
}
......
......@@ -386,7 +386,7 @@ function node_load($conditions, $revision = NULL, $reset = NULL) {
// Turn the conditions into a query.
foreach ($conditions as $key => $value) {
$cond[] = 'n.'. check_query($key) ." = '". check_query($value) ."'";
$cond[] = 'n.'. db_escape_string($key) ." = '". db_escape_string($value) ."'";
}
// Retrieve the node.
......@@ -452,7 +452,7 @@ function node_save($node) {
// Prepare the query:
foreach ($node as $key => $value) {
if (in_array($key, $fields)) {
$k[] = check_query($key);
$k[] = db_escape_string($key);
$v[] = $value;
$s[] = "'%s'";
}
......@@ -478,7 +478,7 @@ function node_save($node) {
// Prepare the query:
foreach ($node as $key => $value) {
if (in_array($key, $fields)) {
$q[] = check_query($key) ." = '%s'";
$q[] = db_escape_string($key) ." = '%s'";
$v[] = $value;
}
}
......
......@@ -86,10 +86,10 @@ function profile_browse() {
$query = 'v.value = 1';
break;
case 'selection':
$query = "v.value = '". check_query($value) ."'";
$query = "v.value = '". db_escape_string($value) ."'";
break;
case 'list':
$query = "v.value LIKE '%%". check_query($value) ."%%'";
$query = "v.value LIKE '%%". db_escape_string($value) ."%%'";
break;
default:
drupal_not_found();
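Review bot: The `%%` in the `list` branch indicates the assembled query later passes through sprintf() (presumably via db_query(), outside the hunk), but the user-supplied `$value` is only SQL-escaped, so a `%` in it reaches sprintf() as a conversion specifier and either corrupts the query or makes sprintf() fail. The taxonomy helpers in this commit handle exactly this with `str_replace('%', '%%', db_escape_string($value))`; do the same in both branches, e.g. `$query = "v.value = '". str_replace('%', '%%', db_escape_string($value)) ."'";`. The `selection` branch has the same exposure even without the LIKE wildcards. profile_browse() starts before the hunk.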
......
......@@ -86,10 +86,10 @@ function profile_browse() {
$query = 'v.value = 1';
break;
case 'selection':
$query = "v.value = '". check_query($value) ."'";
$query = "v.value = '". db_escape_string($value) ."'";
break;
case 'list':
$query = "v.value LIKE '%%". check_query($value) ."%%'";
$query = "v.value LIKE '%%". db_escape_string($value) ."%%'";
break;
default:
drupal_not_found();
......
......@@ -207,7 +207,7 @@ function statistics_admin_displaylog($type = 'all', $id = 0) {
// retrieve recent access logs for specific user $id
$user = user_load(array('uid' => $id));
$page_title = t('Recent hits for "%username"', array('%username' => $user->name));
$sql = 'SELECT title, path, url, hostname, uid, timestamp FROM {accesslog} WHERE uid = \''. check_query($id) ."'";
$sql = 'SELECT title, path, url, hostname, uid, timestamp FROM {accesslog} WHERE uid = \''. db_escape_string($id) ."'";
}
else {
// retrieve recent access logs for all users (not guests)
......@@ -218,12 +218,12 @@ function statistics_admin_displaylog($type = 'all', $id = 0) {
case 'page':
// retrieve recent access logs for title $id
$page_title = t('Recent hits for "%title"', array('%title' => $id));
$sql = 'SELECT title, path, url, hostname, uid, timestamp FROM {accesslog} WHERE title = \''. check_query($id) ."'";
$sql = 'SELECT title, path, url, hostname, uid, timestamp FROM {accesslog} WHERE title = \''. db_escape_string($id) ."'";
break;
case 'host':
// retrieve recent access logs for hostname $id
$page_title = t('Recent hits for "%hostname"', array('%hostname' => $id));
$sql = 'SELECT title, path, url, hostname, uid, timestamp, title FROM {accesslog} WHERE hostname = \''. check_query($id) ."'";
$sql = 'SELECT title, path, url, hostname, uid, timestamp, title FROM {accesslog} WHERE hostname = \''. db_escape_string($id) ."'";
break;
case 'all':
default:
......@@ -380,14 +380,14 @@ function statistics_top_referrers($view = 'all') {
$describe = t('Top referrers in the past %interval');
}
elseif ($view == 'internal') {
$query = "SELECT url, MAX(timestamp) AS last_hit, COUNT(url) AS hits FROM {accesslog} WHERE url LIKE '%". check_query($_SERVER['HTTP_HOST']) ."%' GROUP BY url";
$query_cnt = "SELECT COUNT(DISTINCT(url)) FROM {accesslog} WHERE url <> '' AND url LIKE '%". check_query($_SERVER['HTTP_HOST']) ."%'";
$query = "SELECT url, MAX(timestamp) AS last_hit, COUNT(url) AS hits FROM {accesslog} WHERE url LIKE '%". db_escape_string($_SERVER['HTTP_HOST']) ."%' GROUP BY url";
$query_cnt = "SELECT COUNT(DISTINCT(url)) FROM {accesslog} WHERE url <> '' AND url LIKE '%". db_escape_string($_SERVER['HTTP_HOST']) ."%'";
$describe = t('Top internal referrers in the past %interval');
}
else {
/* default to external */
$query = "SELECT url, MAX(timestamp) AS last_hit, COUNT(url) AS hits FROM {accesslog} WHERE url NOT LIKE '%". check_query($_SERVER['HTTP_HOST']) ."%' AND url <> '' GROUP BY url";
$query_cnt = "SELECT COUNT(DISTINCT(url)) FROM {accesslog} WHERE url <> '' AND url NOT LIKE '%". check_query($_SERVER['HTTP_HOST']) ."%'";
$query = "SELECT url, MAX(timestamp) AS last_hit, COUNT(url) AS hits FROM {accesslog} WHERE url NOT LIKE '%". db_escape_string($_SERVER['HTTP_HOST']) ."%' AND url <> '' GROUP BY url";
$query_cnt = "SELECT COUNT(DISTINCT(url)) FROM {accesslog} WHERE url <> '' AND url NOT LIKE '%". db_escape_string($_SERVER['HTTP_HOST']) ."%'";
$describe = t('Top external referrers in the past %interval');
}
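Review bot: `$_SERVER['HTTP_HOST']` is the request's Host header, so the internal/external split is decided by whatever the viewing client sends, and because it sits inside LIKE wildcards any `%` or `_` in the header widens the match rather than being treated literally. Prefer a configured site hostname if one is available (not visible here); at minimum escape the LIKE metacharacters once and reuse the result in both branches, e.g. `$host = db_escape_string(str_replace(array('%', '_'), array('\%', '\_'), $_SERVER['HTTP_HOST']));`. statistics_top_referrers() starts before the hunk.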
......
......@@ -207,7 +207,7 @@ function statistics_admin_displaylog($type = 'all', $id = 0) {
// retrieve recent access logs for specific user $id
$user = user_load(array('uid' => $id));
$page_title = t('Recent hits for "%username"', array('%username' => $user->name));
$sql = 'SELECT title, path, url, hostname, uid, timestamp FROM {accesslog} WHERE uid = \''. check_query($id) ."'";
$sql = 'SELECT title, path, url, hostname, uid, timestamp FROM {accesslog} WHERE uid = \''. db_escape_string($id) ."'";
}
else {
// retrieve recent access logs for all users (not guests)
......@@ -218,12 +218,12 @@ function statistics_admin_displaylog($type = 'all', $id = 0) {
case 'page':
// retrieve recent access logs for title $id
$page_title = t('Recent hits for "%title"', array('%title' => $id));
$sql = 'SELECT title, path, url, hostname, uid, timestamp FROM {accesslog} WHERE title = \''. check_query($id) ."'";
$sql = 'SELECT title, path, url, hostname, uid, timestamp FROM {accesslog} WHERE title = \''. db_escape_string($id) ."'";
break;
case 'host':
// retrieve recent access logs for hostname $id
$page_title = t('Recent hits for "%hostname"', array('%hostname' => $id));
$sql = 'SELECT title, path, url, hostname, uid, timestamp, title FROM {accesslog} WHERE hostname = \''. check_query($id) ."'";
$sql = 'SELECT title, path, url, hostname, uid, timestamp, title FROM {accesslog} WHERE hostname = \''. db_escape_string($id) ."'";
break;
case 'all':
default:
......@@ -380,14 +380,14 @@ function statistics_top_referrers($view = 'all') {
$describe = t('Top referrers in the past %interval');
}
elseif ($view == 'internal') {
$query = "SELECT url, MAX(timestamp) AS last_hit, COUNT(url) AS hits FROM {accesslog} WHERE url LIKE '%". check_query($_SERVER['HTTP_HOST']) ."%' GROUP BY url";
$query_cnt = "SELECT COUNT(DISTINCT(url)) FROM {accesslog} WHERE url <> '' AND url LIKE '%". check_query($_SERVER['HTTP_HOST']) ."%'";
$query = "SELECT url, MAX(timestamp) AS last_hit, COUNT(url) AS hits FROM {accesslog} WHERE url LIKE '%". db_escape_string($_SERVER['HTTP_HOST']) ."%' GROUP BY url";
$query_cnt = "SELECT COUNT(DISTINCT(url)) FROM {accesslog} WHERE url <> '' AND url LIKE '%". db_escape_string($_SERVER['HTTP_HOST']) ."%'";
$describe = t('Top internal referrers in the past %interval');
}
else {
/* default to external */
$query = "SELECT url, MAX(timestamp) AS last_hit, COUNT(url) AS hits FROM {accesslog} WHERE url NOT LIKE '%". check_query($_SERVER['HTTP_HOST']) ."%' AND url <> '' GROUP BY url";
$query_cnt = "SELECT COUNT(DISTINCT(url)) FROM {accesslog} WHERE url <> '' AND url NOT LIKE '%". check_query($_SERVER['HTTP_HOST']) ."%'";
$query = "SELECT url, MAX(timestamp) AS last_hit, COUNT(url) AS hits FROM {accesslog} WHERE url NOT LIKE '%". db_escape_string($_SERVER['HTTP_HOST']) ."%' AND url <> '' GROUP BY url";
$query_cnt = "SELECT COUNT(DISTINCT(url)) FROM {accesslog} WHERE url <> '' AND url NOT LIKE '%". db_escape_string($_SERVER['HTTP_HOST']) ."%'";
$describe = t('Top external referrers in the past %interval');
}
......
......@@ -773,7 +773,7 @@ function _taxonomy_depth($depth, $graphic = '--') {
function _taxonomy_prepare_update($data) {
foreach ($data as $key => $value) {
$q[] = "$key = '". str_replace('%', '%%', check_query($value)) ."'";
$q[] = "$key = '". str_replace('%', '%%', db_escape_string($value)) ."'";
}
$result = implode(', ', $q);
return $result;
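Review bot: In _taxonomy_prepare_update() the value is escaped but `$key` is interpolated directly as the column name in `"$key = '...'"`; if `$data` can come from a submitted form array (the callers are not visible), the key is an injection point that db_escape_string() could not have protected anyway, since identifiers cannot be secured by string escaping. node_save() and user_save() in this commit filter keys with in_array() against a field list before building the query; the same whitelist, or a comment asserting that `$data` keys are trusted column names, is needed here. The `%` to `%%` doubling is correct if the result goes through db_query()'s sprintf(), and that expectation belongs in the function's docblock so callers do not pass it elsewhere.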
......@@ -785,7 +785,7 @@ function _taxonomy_prepare_insert($data, $stage) {
}
else {
foreach (array_values($data) as $value) {
$q[] = "'". str_replace('%', '%%', check_query($value)) ."'";
$q[] = "'". str_replace('%', '%%', db_escape_string($value)) ."'";
}
$result = implode(', ', $q);
}
......
......@@ -773,7 +773,7 @@ function _taxonomy_depth($depth, $graphic = '--') {
function _taxonomy_prepare_update($data) {
foreach ($data as $key => $value) {
$q[] = "$key = '". str_replace('%', '%%', check_query($value)) ."'";
$q[] = "$key = '". str_replace('%', '%%', db_escape_string($value)) ."'";
}
$result = implode(', ', $q);
return $result;
......@@ -785,7 +785,7 @@ function _taxonomy_prepare_insert($data, $stage) {
}
else {
foreach (array_values($data) as $value) {
$q[] = "'". str_replace('%', '%%', check_query($value)) ."'";
$q[] = "'". str_replace('%', '%%', db_escape_string($value)) ."'";
}
$result = implode(', ', $q);
}
......
......@@ -152,13 +152,13 @@ function user_save($account, $array = array(), $category = 'account') {
// because we don't have a fully initialized user object yet.
foreach ($array as $key => $value) {
if ($key == 'pass') {
$fields[] = check_query($key);
$fields[] = db_escape_string($key);
$values[] = md5($value);
$s[] = "'%s'";
}
else if (substr($key, 0, 4) !== 'auth') {
if (in_array($key, $user_fields)) {
$fields[] = check_query($key);
$fields[] = db_escape_string($key);
$values[] = $value;
$s[] = "'%s'";
}
......
......@@ -152,13 +152,13 @@ function user_save($account, $array = array(), $category = 'account') {
// because we don't have a fully initialized user object yet.
foreach ($array as $key => $value) {
if ($key == 'pass') {
$fields[] = check_query($key);
$fields[] = db_escape_string($key);
$values[] = md5($value);
$s[] = "'%s'";
}
else if (substr($key, 0, 4) !== 'auth') {
if (in_array($key, $user_fields)) {
$fields[] = check_query($key);
$fields[] = db_escape_string($key);
$values[] = $value;
$s[] = "'%s'";
}
......
......@@ -83,7 +83,7 @@ function watchdog_cron() {
*/
function watchdog_overview($type = '') {
foreach (_watchdog_get_message_types() as $key) {
$query[$key] = "WHERE type = '". check_query($key) ."'";
$query[$key] = "WHERE type = '". db_escape_string($key) ."'";
}
$header = array(
......
......@@ -83,7 +83,7 @@ function watchdog_cron() {
*/
function watchdog_overview($type = '') {
foreach (_watchdog_get_message_types() as $key) {
$query[$key] = "WHERE type = '". check_query($key) ."'"