diff includes/database.inc @ 7:fff6d4c8c043 6.3

Drupal 6.3
author Franck Deroche <webmaster@defr.org>
date Tue, 23 Dec 2008 14:30:28 +0100
parents c1f4ac30525a
children 8b6c45761e01
--- a/includes/database.inc	Tue Dec 23 14:30:08 2008 +0100
+++ b/includes/database.inc	Tue Dec 23 14:30:28 2008 +0100
@@ -1,5 +1,5 @@
 <?php
-// $Id: database.inc,v 1.92.2.1 2008/02/08 22:44:59 goba Exp $
+// $Id: database.inc,v 1.92.2.2 2008/07/09 21:48:28 goba Exp $
 
 /**
  * @file
@@ -210,6 +210,11 @@
       return (int) array_shift($args); // We don't need db_escape_string as numbers are db-safe
     case '%s':
       return db_escape_string(array_shift($args));
+    case '%n':
+      // Numeric values have arbitrary precision, so can't be treated as float.
+      // is_numeric() allows hex values (0xFF), but they are not valid.
+      $value = trim(array_shift($args));
+      return is_numeric($value) && !preg_match('/x/i', $value) ? $value : '0';
     case '%%':
       return '%';
     case '%f':
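Review bot: The `%n` guard on the new line 27 is a deny-list: any string is_numeric() accepts is passed through unquoted as long as it contains no `x`, so the check only holds if every non-SQL form is_numeric() tolerates on the running PHP version is already known, and the regex is the only barrier if that set changes. An anchored allow-list for a plain decimal literal states what is permitted instead of what is forbidden and no longer depends on is_numeric() at all, e.g. `return preg_match('/^[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$/', $value) ? $value : '0';`. The fallback also deserves a comment, since a malformed argument is silently coerced rather than rejected and a caller cannot tell it from a genuine zero: `// Anything that is not a valid numeric literal is replaced by '0', not reported.`. _db_query_callback() starts and ends outside this hunk.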
@@ -238,7 +243,7 @@
 /**
  * Indicates the place holders that should be replaced in _db_query_callback().
  */
-define('DB_QUERY_REGEXP', '/(%d|%s|%%|%f|%b)/');
+define('DB_QUERY_REGEXP', '/(%d|%s|%%|%f|%b|%n)/');
 
 /**
  * Helper function for db_rewrite_sql.
@@ -551,16 +556,14 @@
     case 'char':
     case 'text':
     case 'datetime':
-      return '\'%s\'';
+      return "'%s'";
 
     case 'numeric':
-      // For 'numeric' values, we use '%s', not '\'%s\'' as with
-      // string types, because numeric values should not be enclosed
-      // in quotes in queries (though they can be, at least on mysql
-      // and pgsql).  Numerics should only have [0-9.+-] and
-      // presumably no db's "escape string" function will mess with
-      // those characters.
-      return '%s';
+      // Numeric values are arbitrary precision numbers.  Syntacically, numerics
+      // should be specified directly in SQL. However, without single quotes
+      // the %s placeholder does not protect against non-numeric characters such
+      // as spaces which would expose us to SQL injection.
+      return '%n';
 
     case 'serial':
     case 'int':
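Review bot: The new comment at line 55 has a typo, `Syntacically`; the line should read `// Numeric values are arbitrary precision numbers.  Syntactically, numerics`. Since this function only emits the placeholder and the actual validation happens elsewhere, a pointer would save the next reader a search: `// The %n placeholder is validated in _db_query_callback() (see DB_QUERY_REGEXP).`. The enclosing switch and its function start before and end after this hunk.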