1. 04 Dec, 2006 1 commit
  2. 21 Nov, 2006 1 commit
  3. 15 Nov, 2006 1 commit
  4. 23 Oct, 2006 1 commit
  5. 22 Oct, 2006 1 commit
  6. 26 Sep, 2006 1 commit
  7. 16 Sep, 2006 1 commit
  8. 13 Sep, 2006 1 commit
  9. 05 Sep, 2006 1 commit
  10. 01 Sep, 2006 1 commit
  11. 26 Jul, 2006 1 commit
  12. 13 Jul, 2006 1 commit
  13. 24 May, 2006 1 commit
  14. 27 Apr, 2006 1 commit
  15. 20 Feb, 2006 1 commit
  16. 19 Feb, 2006 1 commit
  17. 15 Feb, 2006 1 commit
  18. 02 Feb, 2006 1 commit
  19. 24 Jan, 2006 1 commit
  20. 21 Jan, 2006 1 commit
  21. 06 Dec, 2005 1 commit
  22. 30 Nov, 2005 1 commit
  23. 29 Nov, 2005 1 commit
  24. 27 Nov, 2005 1 commit
  25. 18 Nov, 2005 1 commit
  26. 20 Oct, 2005 1 commit
  27. 18 Oct, 2005 1 commit
  28. 13 Oct, 2005 1 commit
  29. 12 Sep, 2005 1 commit
  30. 29 Aug, 2005 1 commit
  31. 25 Aug, 2005 1 commit
  32. 11 Aug, 2005 1 commit
  33. 30 Jul, 2005 1 commit
  34. 27 Jul, 2005 1 commit
  35. 22 Jun, 2005 1 commit
  36. 23 May, 2005 1 commit
  37. 12 May, 2005 1 commit
  38. 14 Apr, 2005 1 commit
  39. 29 Nov, 2004 1 commit
    • 29337ad8 · Dries authored
      - Patch #13581 by Steven: db_query() allows a variable amount of parameters so...
      - Patch #13581 by Steven: db_query() allows a variable number of parameters so you can pass the query arguments in. There is however an alternative syntax: instead of passing the query arguments as function arguments, you can also pass a single array with the query arguments in it. For example the following two statements are equivalent:
      
      db_query($query, $a, $b, $c);
      db_query($query, array($a, $b, $c));
      
      This usage is particularly interesting when the query is constructed dynamically, and the number of arguments to pass varies. In that case we use the second method to avoid using call_user_func_array(). This behaviour is not documented explicitly, but it is used in several places.
      
      However, db_query_range() and pager_query() do not support this syntax properly, which means there are several pieces of code which still revert to the ugly call_user_func_array() call.
      
      This patch updates db_query_range() and pager_query() so they support the array-passing method. I also added documentation about this method to each of the db functions.
      
      I also cleaned up the code for db_query() (it was weird and hard to understand) and moved db_query() and db_queryd() from database.xxxxx.inc to database.inc: it was the same for both mysql and pgsql, as it doesn't do anything database specific. It just prefixes the tables and inserts the arguments. The actual db query is performed in _db_query(), which is still in database.xxxxx.inc.
      
      Finally, I updated several places with the new syntax, and the code is a lot cleaner. For example:
      - array_unshift($params, "SELECT u.* FROM {users} u WHERE $query u.status < 3");
      - $params[] = 0;
      - $params[] = 1;
      - $result = call_user_func_array('db_query_range', $params);
      + $result = db_query_range("SELECT u.* FROM {users} u WHERE $query u.status < 3", $params, 0, 1);
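      Review bot: the replacement call still interpolates `$query` into the SQL text (`WHERE $query u.status < 3`); that is only safe if `$query` holds placeholder fragments and every value travels in `$params`, which this hunk does not show, so the call site that assembles `$query` should be checked before this is merged. The hunk also drops the `array_unshift()`/`$params[] = 0; $params[] = 1;` dance entirely, so make sure no caller relied on `$params` being mutated in place afterwards.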
      
      and
      
      - return call_user_func_array('db_query_range', array_merge(array($query), $args, array((int)$pager_from_array[$element], (int)$limit)));
      + return db_query_range($query, $args, (int)$pager_from_array[$element], (int)$limit);
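      Review bot: the old form degraded cleanly when `$args` was empty, because `array_merge(array($query), $args, ...)` simply contributed nothing; the new call passes `$args` as the second positional argument, so db_query_range() has to treat an empty array as "no query arguments" rather than as a single argument, otherwise the `$from`/`$count` values shift by one position. A pager query with no arguments is the case to test.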
      
      I've tested it on mysql. I didn't alter the actual db behaviour, so pgsql should be okay too.
      
      This patch is important because many people avoid the call_user_func_array() method and put data directly into the db query.  This is very, very bad because the database prefix will be applied to it, and strip out braces. It's also generally bad form as you have to call check_query() yourself.  With the new, documented syntax, there is no more excuse to put data directly in the query.
  40. 21 Nov, 2004 1 commit
    • fa978390 · Dries authored
      - Patch 13180 by chx: renamed check_query() to db_escape_string() and implemented it properly per database backend.
      
        Read the manual for pg_escape_string:  "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
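      The two commits above describe a calling convention (variadic arguments or a single array), a table-prefixing step that rewrites braces in the whole query text, and per-backend escaping in place of addslashes(). The block below is an added illustration of those three points together; it is not Drupal's code. Every demo_* name, the DEMO_PREFIX value and the sample query are assumptions made for this example, and the escaping routines are stand-ins for the real backend functions.

```php
<?php
// Added example (not Drupal's own code): a reduced model of the calling
// convention, table prefixing and per-backend escaping described in the
// two commit messages above. All demo_* names and the prefix value are
// assumptions made for this illustration.

// Prefix in the role of Drupal's $db_prefix setting (assumed value).
define('DEMO_PREFIX', 'drupal_');

// One escaping routine per backend, as the second commit requires,
// instead of a single addslashes() for every database.
function demo_escape_mysql($value) {
    // MySQL-style backslash escaping for the characters that matter inside
    // a quoted literal (a stand-in for mysql_real_escape_string()).
    return strtr((string) $value, array(
        "\\" => "\\\\",
        "'"  => "\\'",
        "\"" => "\\\"",
        "\0" => "\\0",
        "\n" => "\\n",
        "\r" => "\\r",
    ));
}

function demo_escape_sqlite($value) {
    // SQLite treats a backslash as an ordinary character, so the only escaping
    // a quoted literal needs is doubling of the single quote. addslashes()
    // would store a literal backslash in the data.
    return str_replace("'", "''", (string) $value);
}

// Accept both call forms described in the first commit:
//   demo_build_query($escape, $sql, $a, $b, $c)
//   demo_build_query($escape, $sql, array($a, $b, $c))
function demo_normalize_args(array $args) {
    if (count($args) == 1 && is_array($args[0])) {
        return $args[0];
    }
    return $args;
}

// Rewrite {table} to the prefixed table name. This runs over the whole
// query text, which is why data must never be spliced into the SQL before
// this step: braces inside the data would be rewritten as well.
function demo_prefix_tables($sql) {
    return strtr($sql, array('{' => DEMO_PREFIX, '}' => ''));
}

// The safe path: prefix first, escape every argument with the backend's
// routine, then substitute into the %s / %d placeholders. A literal % in
// the SQL text has to be written %% because vsprintf() parses the format.
function demo_build_query($escape, $sql /* , $args... | array($args) */) {
    $args = demo_normalize_args(array_slice(func_get_args(), 2));
    $sql  = demo_prefix_tables($sql);
    return vsprintf($sql, array_map($escape, $args));
}

// The path the first commit argues against: data interpolated straight into
// the query text and then prefixed. Kept only to show the failure.
function demo_build_query_unsafe($sql_with_data) {
    return demo_prefix_tables($sql_with_data);
}

// Constructed input: a name containing both a quote and braces.
$name  = "o'brien {test}";
$query = "SELECT u.* FROM {users} u WHERE u.name = '%s' AND u.status < %d";

// Both argument forms produce the same statement.
$direct  = demo_build_query('demo_escape_mysql', $query, $name, 3);
$arrayed = demo_build_query('demo_escape_mysql', $query, array($name, 3));
echo $direct, "\n";
var_dump($direct === $arrayed);

// Backends differ in how the quote is escaped; neither touches the braces,
// because prefixing ran before the data was substituted.
echo demo_build_query('demo_escape_sqlite', $query, array($name, 3)), "\n";

// Interpolating first breaks the quoting and mangles the data:
// {test} becomes drupal_test and the statement is no longer well formed.
echo demo_build_query_unsafe("SELECT u.* FROM {users} u WHERE u.name = '$name'"), "\n";
```

      Run with `php demo.php` (assumed file name). The safe builder yields `... WHERE u.name = 'o\'brien {test}' AND u.status < 3` for the MySQL-style escaper and `... 'o''brien {test}' ...` for the SQLite-style one, while the unsafe builder emits `... WHERE u.name = 'o'brien drupal_test'`, which is the brace-stripping and quote-breaking the first commit message describes.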