View Issue Details

ID: 0032704
Project: mantisbt
Category: code cleanup
View Status: public
Last Update: 2023-10-31 16:32
Reporter: dregad
Assigned To: dregad
Status: closed
Resolution: fixed
Target Version: 2.26.0
Fixed in Version: 2.26.0
Summary: 0032704: Remove deprecated function db_prepare_string()

This function has been deprecated for ages, and is no longer useful now that we are consistently using parameterized queries.

There are 2 occurrences left in the code base, which should be removed.

Additional Information

This may impact 3rd party plugins.

Their authors should refactor their code to use parameterized queries so escaping strings is no longer necessary.

Tags: No tags attached.


Related Changesets

MantisBT: master f624e424

2023-05-28 12:44


Remove deprecated db_prepare_string() function

It was used in:

- user_set_fields() to escape the field names when building the SQL
query to update the user data. This function is normally only used
internally, so $p_fields array can be considered as trusted input.
- file_move_bug_attachments() to escape the file path, which is not
necessary (parameterized query)

Fixes 0032704
Affected Issues
mod - core/database_api.php
mod - core/file_api.php
mod - core/user_api.php
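
How a third-party plugin might make the refactor this issue recommends, shown as an added example that is not MantisBT's or any plugin's own code. The plugin table `note`, its columns and the `example_*` function names are hypothetical, and the code assumes it runs inside MantisBT with the core API loaded. It also covers the case raised in the commit message: column names cannot be bound as parameters, so a plugin that cannot treat them as trusted checks them against an allowlist.

```php
<?php
# Added example for a hypothetical plugin. Assumes it runs inside MantisBT,
# where the core database and plugin APIs are already loaded.

# Before: the value is escaped by hand and concatenated into the SQL text.
# This call fails once db_prepare_string() is removed.
function example_note_count_legacy( $p_author ) {
	$t_query = 'SELECT COUNT(*) FROM ' . plugin_table( 'note' )
		. " WHERE author = '" . db_prepare_string( $p_author ) . "'";
	return (int)db_result( db_query( $t_query ) );
}

# After: the value is passed as a bound parameter and never becomes SQL text.
function example_note_count( $p_author ) {
	$t_query = 'SELECT COUNT(*) FROM ' . plugin_table( 'note' )
		. ' WHERE author = ' . db_param();
	return (int)db_result( db_query( $t_query, array( $p_author ) ) );
}

# Column names cannot be bound as parameters. When they arrive in an array,
# the pattern user_set_fields() uses, accept only names from a fixed allowlist.
function example_note_update( $p_note_id, array $p_fields ) {
	$t_allowed = array( 'author', 'title', 'body' ); # hypothetical columns
	$t_set = array();
	$t_params = array();
	foreach( $p_fields as $t_column => $t_value ) {
		if( !in_array( $t_column, $t_allowed, true ) ) {
			throw new InvalidArgumentException( 'Unknown column: ' . $t_column );
		}
		$t_set[] = $t_column . ' = ' . db_param();
		$t_params[] = $t_value;
	}
	if( empty( $t_set ) ) {
		return; # nothing to update
	}
	# Parameters are bound in the order the db_param() placeholders appear.
	$t_params[] = (int)$p_note_id;
	$t_query = 'UPDATE ' . plugin_table( 'note' )
		. ' SET ' . implode( ', ', $t_set )
		. ' WHERE id = ' . db_param();
	db_query( $t_query, $t_params );
}
```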