On Sat, 19 Feb 2005, Gerhard Killesreiter wrote:
On Fri, 18 Feb 2005, Moshe Weitzman wrote:
It is quite possible that we don't have enough qualified developers with enough time on their hands to perform code checking and functionality checking for this. If you look at the patch queue, it is quite common for *no one* to review a given patch, and we just let Dries do it. I would think that contrib code would be even less worthy of review. I'm not opposed to the 'door guard' arrangement, I am just skeptical that people will do what they promised.
I share your concern. We should, however, at least check SQL queries for insertion vulnerabilities. Having Drupal modules which cause major havoc is not acceptable.
We should also enforce use of our coding standards for contrib CVS. It is much easier to look at all db queries if you can just grep for them like this:

  egrep -r "SELECT|INSERT|UPDATE" */*.module */*.inc|less

I currently get 1727 matches which might not be all of them.

  $result = db_query('SELECT nid, uid, created, body

is part of the output from stats_plot/stats_plot_user_activity.inc which makes judging the query difficult.

Cheers,
Gerhard
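The review Gerhard describes (grep every db query, then judge each one by hand) can be partly automated. The following is an added example, not code from this thread or from Drupal: it assumes Drupal 4.x-style `db_query()` calls whose first argument is a string literal with printf-style placeholders (`%d`, `%s`), captures multi-line queries whole, and flags the two patterns a reviewer looks for, a variable interpolated into a double-quoted string and SQL built by concatenation. The sample module is constructed.

```python
import re

# Matches a db_query( call and its first argument (a single- or double-quoted
# PHP string literal), spanning line breaks so multi-line queries such as the
# stats_plot one quoted in the thread are captured whole.
DB_QUERY_RE = re.compile(
    r"""db_query\s*\(\s*(?:"(?P<dq>(?:\\.|[^"\\])*)"|'(?P<sq>(?:\\.|[^'\\])*)')""",
    re.DOTALL,
)
PHP_VAR_RE = re.compile(r"\$\w+")        # "$uid" inside a double-quoted string
CONCAT_RE = re.compile(r"^\s*\.")        # literal directly followed by PHP's . operator
PLACEHOLDER_RE = re.compile(r"%[dsfb]")  # placeholders db_query() binds itself (assumed 4.x set)


def classify_query(source, match):
    """Return (verdict, sql) for one db_query() match in PHP source text."""
    sql = match.group("dq") if match.group("dq") is not None else match.group("sq")
    sql = " ".join(sql.split())          # collapse a multi-line query onto one line
    if match.group("dq") is not None and PHP_VAR_RE.search(sql):
        return "RISK: variable interpolated into SQL", sql
    if CONCAT_RE.match(source[match.end():]):
        return "RISK: SQL built by string concatenation", sql
    if PLACEHOLDER_RE.search(sql):
        return "ok: uses db_query placeholders", sql
    return "ok: static query", sql


def find_queries(source):
    """Scan PHP source; return [(line_no, verdict, sql)] for every db_query() call."""
    findings = []
    for m in DB_QUERY_RE.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        verdict, sql = classify_query(source, m)
        findings.append((line_no, verdict, sql))
    return findings


# Constructed sample module (not real contrib code) covering all four cases.
SAMPLE_MODULE = r"""<?php
function sample_user_activity($uid) {
  $r1 = db_query("SELECT nid, uid FROM {node} WHERE uid = $uid");
  $r2 = db_query('SELECT nid, uid, created, body
    FROM {node} WHERE status = 1 ORDER BY created DESC');
  $r3 = db_query('SELECT nid FROM {node} WHERE uid = %d', $uid);
  $r4 = db_query('SELECT nid FROM {node} WHERE title = ' . $_GET['t']);
}
"""

if __name__ == "__main__":
    for line_no, verdict, sql in find_queries(SAMPLE_MODULE):
        print(f"{line_no:>4}: {verdict}: {sql}")
```

Run it over a checkout with `find_queries(open(path).read())` per .module/.inc file; anything marked RISK is where the by-hand judgement should start.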