diff --git a/includes/database.mysql.inc b/includes/database.mysql.inc index 38d4af71d97..a4fa2d65eca 100644 --- a/includes/database.mysql.inc +++ b/includes/database.mysql.inc @@ -23,11 +23,18 @@ function db_connect($url) { function db_query($query) { $args = func_get_args(); + $query = db_prefix_tables($query); if (count($args) > 1) { - $args = array_map("check_query", $args); - $args[0] = $query; - return _db_query(call_user_func_array("sprintf", $args)); + if(is_array($args[1])){ + $args1 = array_map("check_query", $args[1]); + $nargs = array_merge(array($query), $args1); + } + else { + $nargs = array_map("check_query", $args); + $nargs[0] = $query; + } + return _db_query(call_user_func_array("sprintf", $nargs)); } else { return _db_query($query); @@ -39,9 +46,15 @@ function db_queryd($query) { $args = func_get_args(); $query = db_prefix_tables($query); if (count($args) > 1) { - $args = array_map("check_query", $args); - $args[0] = $query; - return _db_query(call_user_func_array("sprintf", $args), 1); + if(is_array($args[1])){ + $args1 = array_map("check_query", $args[1]); + $nargs = array_merge(array($query), $args1); + } + else { + $nargs = array_map("check_query", $args); + $nargs[0] = $query; + } + return _db_query(call_user_func_array("sprintf", $nargs), 1); } else { return _db_query($query, 1); diff --git a/includes/database.pear.inc b/includes/database.pear.inc index ff3b00e4f72..36e18c23691 100644 --- a/includes/database.pear.inc +++ b/includes/database.pear.inc 
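Review bot: The array branch added to db_query silently ignores any arguments after `$args[1]`, because `$nargs` is built only from `$query` and the escaped contents of `$args[1]`, whereas the scalar branch escapes every argument; a caller that passes an array plus further scalars ends up with a short sprintf argument list and no error. The same eight-line branch is copied verbatim into db_queryd below and into both functions of database.pear.inc, so a shared helper that turns `$args` into the escaped sprintf argument list would leave one place to audit escaping. The contract also deserves a comment above db_query, e.g. `// Extra arguments (scalars, or a single array) are escaped with check_query() and substituted for %s placeholders, which callers must quote in the query ('%s').` The new `if(is_array($args[1])){` departs from the file's `if (...) {` spacing, and db_query's closing brace lies outside the hunk.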
@@ -25,11 +25,18 @@ function db_connect($url) { function db_query($query) { $args = func_get_args(); + $query = db_prefix_tables($query); if (count($args) > 1) { - $args = array_map("check_query", $args); - $args[0] = $query; - return _db_query(call_user_func_array("sprintf", $args)); + if(is_array($args[1])){ + $args1 = array_map("check_query", $args[1]); + $nargs = array_merge(array($query), $args1); + } + else { + $nargs = array_map("check_query", $args); + $nargs[0] = $query; + } + return _db_query(call_user_func_array("sprintf", $nargs)); } else { return _db_query($query); @@ -41,9 +48,15 @@ function db_queryd($query) { $args = func_get_args(); $query = db_prefix_tables($query); if (count($args) > 1) { - $args = array_map("check_query", $args); - $args[0] = $query; - return _db_query(call_user_func_array("sprintf", $args), 1); + if(is_array($args[1])){ + $args1 = array_map("check_query", $args[1]); + $nargs = array_merge(array($query), $args1); + } + else { + $nargs = array_map("check_query", $args); + $nargs[0] = $query; + } + return _db_query(call_user_func_array("sprintf", $nargs), 1); } else { return _db_query($query, 1); diff --git a/modules/node.module b/modules/node.module index e1b93cdd31c..329f6c3f6bf 100644 --- a/modules/node.module +++ b/modules/node.module @@ -126,14 +126,6 @@ function node_teaser($body) { return $body; } - /* - ** If we have a short body, return the entire body: - */ - - if (strlen($body) < $size) { - return $body; - } - /* ** If a valid delimiter has been specified, use it to ** chop of the teaser. The delimiter can be outside @@ -145,6 +137,14 @@ function node_teaser($body) { return substr($body, 0, $delimiter); } + /* + ** If we have a short body, return the entire body: + */ + + if (strlen($body) < $size) { + return $body; + } + /* ** In some cases no delimiter has been specified (eg. ** when posting using the Blogger API) in which case 
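Review bot: The short-body check moved in the second node_teaser hunk now runs after the delimiter branch, so its comment `** If we have a short body, return the entire body:` no longer describes the first exit; a body shorter than `$size` that contains a delimiter presumably returns from the `substr($body, 0, $delimiter)` line above instead. Rewording the moved comment to `** If no delimiter was found and the body is short, return the entire body:` would make the ordering read as deliberate rather than accidental. `$size` and `$delimiter` are set outside the hunk and node_teaser continues past it; the same move appears in modules/node/node.module on the next line.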
@@ -302,12 +302,17 @@ function node_save($node) { foreach ($node as $key => $value) { if (in_array($key, $fields)) { $k[] = check_query($key); - $v[] = "'". check_query($value) ."'"; + $v[] = $value; + $s[] = "'%s'"; } } + $keysfmt = implode(", ", $s); + // need to quote the placeholders for the values + $valsfmt = "'". implode("', '", $s) ."'"; + // Insert the node into the database: - db_query("INSERT INTO {node} (". implode(", ", $k) .") VALUES (". implode(", ", $v) .")"); + db_query("INSERT INTO {node} (". implode(", ", $k) .") VALUES(". implode(", ", $s) .")", $v); // Call the node specific callback (if any): node_invoke($node, "insert"); @@ -325,12 +330,13 @@ function node_save($node) { // Prepare the query: foreach ($node as $key => $value) { if (in_array($key, $fields)) { - $q[] = check_query($key) ." = '". check_query($value) ."'"; + $q[] = check_query($key) ." = '%s'"; + $v[] = $value; } } // Update the node in the database: - db_query("UPDATE {node} SET ". implode(", ", $q) ." WHERE nid = '$node->nid'"); + db_query("UPDATE {node} SET ". implode(", ", $q) ." WHERE nid = '$node->nid'", $v); // Call the node specific callback (if any): node_invoke($node, "update"); diff --git a/modules/node/node.module b/modules/node/node.module index e1b93cdd31c..329f6c3f6bf 100644 --- a/modules/node/node.module +++ b/modules/node/node.module @@ -126,14 +126,6 @@ function node_teaser($body) { return $body; } - /* - ** If we have a short body, return the entire body: - */ - - if (strlen($body) < $size) { - return $body; - } - /* ** If a valid delimiter has been specified, use it to ** chop of the teaser. The delimiter can be outside @@ -145,6 +137,14 @@ function node_teaser($body) { return substr($body, 0, $delimiter); } + /* + ** If we have a short body, return the entire body: + */ + + if (strlen($body) < $size) { + return $body; + } + /* ** In some cases no delimiter has been specified (eg. ** when posting using the Blogger API) in which case 
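Review bot: `$keysfmt` and `$valsfmt` added in the INSERT branch of node_save are never used, and `$valsfmt` would double-quote the placeholders because each `$s` entry is already `'%s'`, so the comment `// need to quote the placeholders for the values` describes something the code does not do; drop those three lines and the comment. In the UPDATE hunk below, `WHERE nid = '$node->nid'` still interpolates the id directly while every SET value now goes through an escaped placeholder; appending `$v[] = $node->nid;` and writing `WHERE nid = '%s'` would let db_query escape it with the rest. Both hunks are repeated in modules/node/node.module on the next line, and node_save starts and ends outside the hunk.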
@@ -302,12 +302,17 @@ function node_save($node) { foreach ($node as $key => $value) { if (in_array($key, $fields)) { $k[] = check_query($key); - $v[] = "'". check_query($value) ."'"; + $v[] = $value; + $s[] = "'%s'"; } } + $keysfmt = implode(", ", $s); + // need to quote the placeholders for the values + $valsfmt = "'". implode("', '", $s) ."'"; + // Insert the node into the database: - db_query("INSERT INTO {node} (". implode(", ", $k) .") VALUES (". implode(", ", $v) .")"); + db_query("INSERT INTO {node} (". implode(", ", $k) .") VALUES(". implode(", ", $s) .")", $v); // Call the node specific callback (if any): node_invoke($node, "insert"); @@ -325,12 +330,13 @@ function node_save($node) { // Prepare the query: foreach ($node as $key => $value) { if (in_array($key, $fields)) { - $q[] = check_query($key) ." = '". check_query($value) ."'"; + $q[] = check_query($key) ." = '%s'"; + $v[] = $value; } } // Update the node in the database: - db_query("UPDATE {node} SET ". implode(", ", $q) ." WHERE nid = '$node->nid'"); + db_query("UPDATE {node} SET ". implode(", ", $q) ." WHERE nid = '$node->nid'", $v); // Call the node specific callback (if any): node_invoke($node, "update"); diff --git a/modules/user.module b/modules/user.module index 07f4866f876..ed74776d6d5 100644 --- a/modules/user.module +++ b/modules/user.module @@ -122,12 +122,14 @@ function user_save($account, $array = array()) { foreach ($array as $key => $value) { if ($key == "pass") { $fields[] = check_query($key); - $values[] = "'". md5($value) ."'"; + $values[] = md5($value); + $s[] = "'%s'"; } else if (substr($key, 0, 4) !== "auth") { if (in_array($key, $user_fields)) { $fields[] = check_query($key); - $values[] = "'". check_query($value) ."'"; + $values[] = $value; + $s[] = "'%s'"; } else { $data[$key] = $value; 
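Review bot: In the user_save hunk, `$fields`, `$values` and `$s` are now three parallel arrays that must stay aligned for the sprintf in the INSERT that follows, and nothing enforces that alignment; building the placeholder list once at the query site, `$s = array_fill(0, count($values), "'%s'");`, removes the drift risk and the three repeated `$s[] = "'%s'";` lines. The `pass` branch feeds the md5 hex digest through the same escaped placeholder as the other values, which is consistent with the rest of the change. The same hunk appears in modules/user/user.module on the next line; user_save starts before the hunk and continues after it.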
@@ -136,9 +138,10 @@ function user_save($account, $array = array()) { } $fields[] = "data"; - $values[] = "'". check_query(serialize($data)) ."'"; + $values[] = serialize($data); + $s[] = "'%s'"; - db_query("INSERT INTO {users} (". implode(", ", $fields) .") VALUES (". implode(", ", $values) .")"); + db_query("INSERT INTO {users} (". implde(", ", $fields) .") VALUES (". implde(", ", $s) .")", $values); $user = user_load(array("name" => $array["name"])); } diff --git a/modules/user/user.module b/modules/user/user.module index 07f4866f876..ed74776d6d5 100644 --- a/modules/user/user.module +++ b/modules/user/user.module @@ -122,12 +122,14 @@ function user_save($account, $array = array()) { foreach ($array as $key => $value) { if ($key == "pass") { $fields[] = check_query($key); - $values[] = "'". md5($value) ."'"; + $values[] = md5($value); + $s[] = "'%s'"; } else if (substr($key, 0, 4) !== "auth") { if (in_array($key, $user_fields)) { $fields[] = check_query($key); - $values[] = "'". check_query($value) ."'"; + $values[] = $value; + $s[] = "'%s'"; } else { $data[$key] = $value; @@ -136,9 +138,10 @@ function user_save($account, $array = array()) { } $fields[] = "data"; - $values[] = "'". check_query(serialize($data)) ."'"; + $values[] = serialize($data); + $s[] = "'%s'"; - db_query("INSERT INTO {users} (". implode(", ", $fields) .") VALUES (". implode(", ", $values) .")"); + db_query("INSERT INTO {users} (". implde(", ", $fields) .") VALUES (". implde(", ", $s) .")", $values); $user = user_load(array("name" => $array["name"])); }
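Review bot: `implde(", ", $fields)` and `implde(", ", $s)` in the new INSERT line of user_save are typos for `implode`; as written the line calls an undefined function, so no user row can be inserted and the path does not look like it was run. The corrected line is `db_query("INSERT INTO {users} (". implode(", ", $fields) .") VALUES (". implode(", ", $s) .")", $values);`. The identical line appears in the modules/user/user.module hunk that follows on this same line; user_save continues outside the hunk.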