#54981: calls to db_lock_table in bootstrap.inc do not use db_prefix

2006-04-27 20:38:49 +00:00 · 2006-04-27 20:38:49 +00:00 · ca9293b3ee
parent b176270018
commit ca9293b3ee
4 changed files with 12 additions and 3 deletions
--- a/includes/database.inc
+++ b/includes/database.inc
@ -315,6 +315,15 @@ function db_rewrite_sql($query, $primary_table = 'n', $primary_field = 'nid',  $
  return $query;
 }

+/**
+ * Restrict a dynamic tablename to safe characters.
+ *
+ * Only keeps alphanumeric and underscores.
+ */
+function db_escape_table($string) {
+  return preg_replace('/[^A-Za-z0-9_]+/', '', $string);
+}
+
 /**
 * @} End of "defgroup database".
 */
--- a/includes/database.mysql.inc
+++ b/includes/database.mysql.inc
@ -353,7 +353,7 @@ function db_escape_string($text) {
 * Lock a table.
 */
 function db_lock_table($table) {
-  db_query('LOCK TABLES {%s} WRITE', $table);
+  db_query('LOCK TABLES {'. db_escape_table($table) .'} WRITE');
 }

 /**
--- a/includes/database.mysqli.inc
+++ b/includes/database.mysqli.inc
@ -355,7 +355,7 @@ function db_escape_string($text) {
 * Lock a table.
 */
 function db_lock_table($table) {
-  db_query('LOCK TABLES {%s} WRITE', $table);
+  db_query('LOCK TABLES {'. db_escape_table($table) .'} WRITE');
 }

 /**
--- a/includes/database.pgsql.inc
+++ b/includes/database.pgsql.inc
@ -331,7 +331,7 @@ function db_escape_string($text) {
 * This function automatically starts a transaction.
 */
 function db_lock_table($table) {
-  db_query('BEGIN; LOCK TABLE {%s} IN EXCLUSIVE MODE', $table);
+  db_query('BEGIN; LOCK TABLE {'. db_escape_table($table) .'} IN EXCLUSIVE MODE');
 }

 /**