Index: branches/RC/core/kernel/db/db_connection.php =================================================================== diff -u -r11892 -r11927 --- branches/RC/core/kernel/db/db_connection.php (.../db_connection.php) (revision 11892) +++ branches/RC/core/kernel/db/db_connection.php (.../db_connection.php) (revision 11927) @@ -1,6 +1,6 @@ qstr("Don't bother",magic_quotes_runtime()); + * If it's a string, adds quotes and backslashes (only work since PHP 4.3.0) + * Otherwise returns as-is * - * @param s the string to quote - * @param [magic_quotes] if $s is GET/POST var, set to get_magic_quotes_gpc(). - * This undoes the stupidity of magic quotes for GPC. - * - * @return quoted string to be sent back to database + * @param mixed $string */ - function qstr($s,$magic_quotes=false) + function qstr($string) { - $replaceQuote = "\\'"; - if (!$magic_quotes) - { - if ($replaceQuote[0] == '\\') - { - // only since php 4.0.5 - $s = str_replace(array('\\',"\0"),array('\\\\',"\\\0"),$s); - //$s = str_replace("\0","\\\0", str_replace('\\','\\\\',$s)); - } - return "'".str_replace("'",$replaceQuote,$s)."'"; + if ( is_null($string) ) { + return 'NULL'; } - // undo magic quotes for " - $s = str_replace('\\"','"',$s); - - if($replaceQuote == "\\'") // ' already quoted, no need to change anything - { - return "'$s'"; - } - else // change \' to '' for sybase/mssql - { - $s = str_replace('\\\\','\\',$s); - return "'".str_replace("\\'",$replaceQuote,$s)."'"; - } + # This will also quote numeric values. This should be harmless, + # and protects against weird problems that occur when they really + # _are_ strings such as article titles and string->number->string + # conversion is not 1:1. + return "'" . mysql_real_escape_string($string, $this->connectionID) . "'"; } /** 
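Review bot: The new return on the last added line, `"'" . mysql_real_escape_string($string, $this->connectionID) . "'"`, turns an escape failure into a valid-looking literal: `mysql_real_escape_string()` returns `false` (with a warning) when `$this->connectionID` is not an open link, and `false` concatenates to an empty string, so a query built before connect or after a dropped connection silently writes `''` instead of failing. Check the return value before wrapping it in quotes (below); how the failure is reported should follow whatever this class already does for errors, which is outside the hunk. Two caveats worth a comment on that line: the escaper uses the connection's charset, so if the charset is selected with `SET NAMES` instead of `mysql_set_charset()` the escaping can disagree with the server on multibyte encodings (the connect path is not shown, so confirm), and dropping the `$magic_quotes` parameter means any caller that passed `get_magic_quotes_gpc()` to undo slash-stripping now gets its input double-escaped. The docblock also lost its `@return`; `@return string quoted SQL literal, or the bare keyword NULL` would restore it.
```php
        $escaped = mysql_real_escape_string($string, $this->connectionID);
        if ($escaped === false) {
            // no usable MySQL link: fail loudly instead of returning ''
            trigger_error('qstr(): escaping failed, no valid MySQL connection', E_USER_ERROR);
        }
        return "'" . $escaped . "'";
```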
@@ -649,7 +629,7 @@
 $values_sql = '';
 foreach ($fields_hash as $field_name => $field_value) {
- $values_sql .= ( is_null($field_value) ? 'NULL' : $this->qstr($field_value) ) . ',';
+ $values_sql .= $this->qstr($field_value) . ',';
 }
 // don't use preg here, as it may fail when string is too long
@@ -677,7 +657,7 @@
 $fields_sql = '';
 foreach ($fields_hash as $field_name => $field_value) {
- $fields_sql .= '`'.$field_name.'` = ' . ( is_null($field_value) ? 'NULL' : $this->qstr($field_value) ) . ',';
+ $fields_sql .= '`'.$field_name.'` = ' . $this->qstr($field_value) . ',';
 }
 // don't use preg here, as it may fail when string is too long
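Review bot: The added line of the second hunk still splices `$field_name` between backticks without escaping, so a key of `$fields_hash` that contains a backtick breaks out of the identifier and into the UPDATE statement; with the value side now quoted through `qstr()`, the bare identifier is the remaining weak spot. The keys presumably come from the application's own column lists rather than from request data, but nothing in view enforces that, and the hardening is one expression: `'`' . str_replace('`', '``', $field_name) . '` = '`. The INSERT column list of the first hunk is assembled outside the shown lines and is worth the same check if it is built the same way. Both enclosing functions start and end outside these hunks.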