#175117 follow up patch by moshe weitzman: sanitize user name, remove t() because it might not be availabla and comment what is happening

includes/database.mysql.inc

@@ -133,8 +133,14 @@ function _db_query($query, $debug = 0) {
   if (variable_get('dev_query', 0)) {
     list($usec, $sec) = explode(' ', microtime());
     $timer = (float)$usec + (float)$sec;
+    // If devel.module query logging is enabled, prepend a comment with the username and calling function
+    // to the SQL string. This is useful when running mysql's SHOW PROCESSLIST to learn what exact
+    // code is issueing the slow query.
     $bt = debug_backtrace();
-    $name = ($user->uid) ? $user->name : variable_get('anonymous', t('Anonymous'));;
+    // t() may not be available yet so we don't wrap 'Anonymous'.
+    $name = $user->uid ? $user->name : variable_get('anonymous', 'Anonymous');
+    // str_replace() to prevent SQL injection via username or anonymous name.
+    $name = str_replace(array('*', '/'), '', $name);
     $query = '/* '. $name .' : '. $bt[2]['function'] .' */ '. $query;
   }
 

includes/database.mysqli.inc

@@ -130,8 +130,14 @@ function _db_query($query, $debug = 0) {
   if (variable_get('dev_query', 0)) {
     list($usec, $sec) = explode(' ', microtime());
     $timer = (float)$usec + (float)$sec;
+    // If devel.module query logging is enabled, prepend a comment with the username and calling function
+    // to the SQL string. This is useful when running mysql's SHOW PROCESSLIST to learn what exact
+    // code is issueing the slow query.
     $bt = debug_backtrace();
-    $name = ($user->uid) ? $user->name : variable_get('anonymous', t('Anonymous'));
+    // t() may not be available yet so we don't wrap 'Anonymous'
+    $name = $user->uid ? $user->name : variable_get('anonymous', 'Anonymous');
+    // str_replace() to prevent SQL injection via username or anonymous name.
+    $name = str_replace(array('*', '/'), '', $name);
     $query = '/* '. $name .' : '. $bt[2]['function'] .' */ '. $query;
   }