Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

- Fixing user_load() to use sprintf db_query syntax. Uglier, but safer.

4.5.x
Steven Wittens 2004-09-24 20:04:54 +00:00
parent 309b411803
commit eecbda5635
2 changed files with 22 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
modules/user.module
View File

@ -44,18 +44,25 @@ function user_load($array = array()) {
// Dynamically compose a SQL query: // Dynamically compose a SQL query:
$query = ''; $query = '';
$params = array();
foreach ($array as $key => $value) { foreach ($array as $key => $value) {
if ($key == 'pass') { if ($key == 'pass') {
$query .= "u.$key = '". md5($value) ."' AND "; $query .= "u.$key = '%s' AND ";
$params[] = md5($value);
} }
else if ($key == 'uid') { else if ($key == 'uid') {
$query .= "u.uid = ". check_query($value) ." AND "; $query .= "u.uid = %d AND ";
$params[] = $value;
} }
else { else {
$query .= "LOWER(u.$key) = '". strtolower(check_query($value)) ."' AND "; $query .= "LOWER(u.$key) = '%s' AND ";
$params[] = strtolower($value);
} }
} }
$result = db_query_range("SELECT u.* FROM {users} u WHERE $query u.status < 3", 0, 1); array_unshift($params, "SELECT u.* FROM {users} u WHERE $query u.status < 3");
$params[] = 0;
$params[] = 1;
$result = call_user_func_array('db_query_range', $params);
if (db_num_rows($result)) { if (db_num_rows($result)) {
$user = db_fetch_object($result); $user = db_fetch_object($result);

15
modules/user/user.module
View File

@ -44,18 +44,25 @@ function user_load($array = array()) {
// Dynamically compose a SQL query: // Dynamically compose a SQL query:
$query = ''; $query = '';
$params = array();
foreach ($array as $key => $value) { foreach ($array as $key => $value) {
if ($key == 'pass') { if ($key == 'pass') {
$query .= "u.$key = '". md5($value) ."' AND "; $query .= "u.$key = '%s' AND ";
$params[] = md5($value);
} }
else if ($key == 'uid') { else if ($key == 'uid') {
$query .= "u.uid = ". check_query($value) ." AND "; $query .= "u.uid = %d AND ";
$params[] = $value;
} }
else { else {
$query .= "LOWER(u.$key) = '". strtolower(check_query($value)) ."' AND "; $query .= "LOWER(u.$key) = '%s' AND ";
$params[] = strtolower($value);
} }
} }
$result = db_query_range("SELECT u.* FROM {users} u WHERE $query u.status < 3", 0, 1); array_unshift($params, "SELECT u.* FROM {users} u WHERE $query u.status < 3");
$params[] = 0;
$params[] = 1;
$result = call_user_func_array('db_query_range', $params);
if (db_num_rows($result)) { if (db_num_rows($result)) {
$user = db_fetch_object($result); $user = db_fetch_object($result);