up the documentation a little.
chx: can you double-check whether the global $conf variable is secure?
(That is, make sure it can't be send using the URL or something.)
db_query($query, $a, $b, $c);
db_query($query, array($a, $b, $c));
This usage is particularly interesting when the query is constructed dynamically, and the amount of arguments to pass varies. In that case we use the second method to avoid using call_user_func_array(). This behaviour is not documented explicitly, but it is used in several places.
However, db_query_range() and pager_query() do not support this syntax properly, which means there are several pieces of code which still revert to the ugly call_user_func_array() call.
This patch updates db_query_range() and pager_query() so they support the array-passing method. I also added documentation about this method to each of the db functions.
I also cleaned up the code for db_query (it was weird and hard to understand) and moved db_query() and db_queryd() from database.xxxxx.inc to database.inc: it was the same between both mysql and pgsql, as it doesn't do anything database specific. It just prefixes the tables and inserts the arguments. The actual db query is performed in _db_query(), which is still in database.xxxxx.inc.
Finally, I updated several places with the new syntax, and the code is a lot cleaner. For example:
- array_unshift($params, "SELECT u.* FROM {users} u WHERE $query u.status < 3");
- $params[] = 0;
- $params[] = 1;
- $result = call_user_func_array('db_query_range', $params);
+ $result = db_query_range("SELECT u.* FROM {users} u WHERE $query u.status < 3", $params, 0, 1);
and
- return call_user_func_array('db_query_range', array_merge(array($query), $args, array((int)$pager_from_array[$element], (int)$limit)));
+ return db_query_range($query, $args, (int)$pager_from_array[$element], (int)$limit);
I've tested it on mysql. I didn't alter the actual db behaviour, so pgsql should be okay too.
This patch is important because many people avoid the call_user_func_array() method and put data directly into the db query. This is very, very bad because the database prefix will be applied to it, and strip out braces. It's also generally bad form as you have to call check_query() yourself. With the new, documented syntax, there is no more excuse to put data directly in the query.
Read the manual for pg_escape_string: "Use of this function is recommended instead of addslashes()." Or read sqlite_escape_string: "addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data."
1) Menu problems with Postgres (this is a highly critical 1 line fix)
2) Archive module fails with Postgres
3) Postgres setup problems - changes to database.pgsql (although i made these changes myself before finding this patch)
4) Book module fails with Postgres
5) Postgres problems following creation of a new type of user - which is actually about a taxonomy.module bug.
6) Creating accregator_item_table in PostgreSQL
7) Postgres - Polls not displayed on Poll Page
8) Blog module has sql errors with postgres
This should not affect MySQL users (hopefully).
* fixes all doxygen warnings [#]_ in the current code base
+ changes @param style from phpDocumentor (@param type $var desc) to doxygen (@param $var desc)
+ documents all undocumented parameters
+ escapes / fixes html warnings
+ fixes @defgroup in theme.inc
* adds more groupings [#]_
+ drupal_{set|get}_title, drupal_{set|get}_breadcrumb
+ pager.inc: pager_api (pager_query(), pager_display()), pager pieces
* adds a new group "themeable" which contains all themeable functions.
changes include:
* a couple of coding style changes, renamed some "stats" into
"statistics", etc.
* removed the "Who's online" block from the user module.
* added db_affected_rows() to the resp. database abstraction
layers and made the statistics module use db_affected_rows()
instead.
* added update logic to "update.php".
* fixed mails not being parsed properly.
* tracker now shows user name when you view your own recent
comments.
* link to submission queue now points to the right place.
* fixed jabber module.
* theme is now activated when changed.
- applied Gerhards coding style patch.
+ Changed the db_query() API.
+ Wrapped all links in l(), lm(), la(), ..., drupal_url() functions.
+ XHTML-ified some HTML.
+ Wrapped a lot of text in the administrative pages in a t()
function.
+ Replaced all $REQUEST_URI/$PATH_INFOs by request_uri().
+ Small bugfixes (eg. bug in book_export_html() and clean-ups (eg.
RSS code).
+ Fixed some bugs in the taxonomy module (eg. tree making bug), added
new functionality (eg. new APIs for use by other modules), included
Moshe's taxonomy extensions, and some documentation udpates.
+ ...
Steven Wittens
Dries Buytaert
Kjartan Mannes