[support] db_select()->condition()
Earnie Boyd
earnie at users.sourceforge.net
Sun May 27 13:12:57 UTC 2012
On Sat, May 26, 2012 at 1:41 PM, Larry Garfield wrote:
>
> Also, the previous code had a security hole.
>
That's why I was asking in the original post.
> db_select('mytable', 'mt')
> ->fields('mt', array('myvar'))
> ->condition('mystring', '%' . $somevariable . '%', 'LIKE')
> ->execute();
>
>
> You actually want db_like($somevariable), which handles DB-specific
> escaping in LIKE strings. Forgetting to do so is almost the only
> possible SQL injection attack vector left in Drupal unless you bypass
> DBTNG entirely. :-)
>
Ah, thanks for that, certainly feels better.
> --Larry Garfield, primary author, DBTNG
>
I'm impressed by it. And whether or not using db_select adds
overhead, it does simplify even the simplest query string. My use of
it though is in a dynamic situation where I need the likes of
extenders for a themed paged list of items.
--
Earnie
-- https://sites.google.com/site/earnieboyd
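To make the point about db_like() concrete, here is an added example (not code from the thread or from Drupal itself) that puts the unescaped query beside the escaped one. It assumes a Drupal 7 site, a hypothetical table "mytable" with columns "myvar" and "mystring", and Drupal 7's db_like(), which backslash-escapes the LIKE metacharacters.

```php
<?php
// Added example, not from the original thread or from Drupal. Assumes a
// Drupal 7 site and a hypothetical table "mytable" (columns "myvar",
// "mystring").

// Unescaped: the raw value is bound as a PDO parameter, so quotes cannot
// break the statement, but "%" and "_" are still LIKE wildcards. Input "%"
// matches every row and "a_c" matches "abc", "axc", and so on, so a caller
// can widen the search far beyond what the code intended.
function find_rows_unescaped($user_input) {
  return db_select('mytable', 'mt')
    ->fields('mt', array('myvar'))
    ->condition('mystring', '%' . $user_input . '%', 'LIKE')
    ->execute()
    ->fetchCol();
}

// Escaped: db_like() prefixes "%", "_" and "\" in the value with a
// backslash, so they are matched literally. Only the two "%" added around
// the value act as wildcards, which is the substring search that was meant.
function find_rows_escaped($user_input) {
  return db_select('mytable', 'mt')
    ->fields('mt', array('myvar'))
    ->condition('mystring', '%' . db_like($user_input) . '%', 'LIKE')
    ->execute()
    ->fetchCol();
}

// Quick way to see the difference on a dev site: compare the row counts
// for an input consisting only of "%".
function wildcard_leak_check() {
  $all = count(find_rows_unescaped('%'));
  $literal = count(find_rows_escaped('%'));
  // $all is the whole table; $literal counts rows whose mystring contains
  // a literal percent sign.
  return array('unescaped' => $all, 'escaped' => $literal);
}
```

The same rule applies to any condition built with the 'LIKE' operator, including those added by query extenders such as the pager.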