On Sat, May 26, 2012 at 1:41 PM, Larry Garfield wrote:
Also, the previous code had a security hole.
That's why I was asking in the original post.
db_select('mytable', 'mt')
  ->fields('mt', array('myvar'))
  ->condition('mystring', '%' . $somevariable . '%', 'LIKE')
  ->execute();
You actually want db_like($somevariable), which handles DB-specific escaping in LIKE strings. Forgetting to do so is almost the only possible SQL injection attack vector left in Drupal unless you bypass DBTNG entirely. :-)
Ah, thanks for that, certainly feels better.
--Larry Garfield, primary author, DBTNG
I'm impressed by it. And whether or not using db_select adds overhead, it does simplify even the simplest query string. My use of it though is in a dynamic situation where I need the likes of extenders for a themed paged list of items.
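Added example (not code from the thread or from Drupal itself): the LIKE condition from the message above, first as posted and then with db_like() applied to the user-supplied term. The security point is that without db_like() a term containing `%`, `_` or `\` is interpreted as LIKE metacharacters rather than matched literally, so a search term can widen the match far beyond what the caller intended. The function names mymodule_search() and mymodule_like_pattern(), the $escape flag and the sample inputs are constructed for this example; the fallback db_like() definition is only there so the demonstration runs outside a Drupal bootstrap and mirrors the addcslashes() call Drupal 7's DatabaseConnection::escapeLike() uses.

```php
<?php
// Stand-in so this file runs without Drupal loaded. Inside Drupal 7 the real
// db_like() is defined and this block is skipped.
if (!function_exists('db_like')) {
  function db_like($string) {
    // Same escaping as Drupal 7's DatabaseConnection::escapeLike(): backslash,
    // percent and underscore are prefixed with a backslash.
    return addcslashes($string, '\%_');
  }
}

/**
 * Builds the pattern passed to the LIKE condition for a user-supplied term.
 * $escape = FALSE reproduces the pattern from the original post (the hole);
 * $escape = TRUE is the corrected form. (Hypothetical helper, not Drupal API.)
 */
function mymodule_like_pattern($term, $escape = TRUE) {
  $term = $escape ? db_like($term) : $term;
  return '%' . $term . '%';
}

/**
 * Corrected version of the query from the thread. Needs a Drupal 7 bootstrap
 * because db_select() and friends come from DBTNG. The value is still bound as
 * a placeholder by DBTNG; db_like() only neutralises LIKE wildcards in it.
 */
function mymodule_search($term) {
  return db_select('mytable', 'mt')
    ->fields('mt', array('myvar'))
    ->condition('mystring', '%' . db_like($term) . '%', 'LIKE')
    ->execute()
    ->fetchCol();
}

// Runnable anywhere: show how the pattern differs for a few constructed terms.
$inputs = array('50%_off', 'foo\bar', 'plain');
foreach ($inputs as $in) {
  printf("%-10s unescaped: %-14s escaped: %s\n",
    $in,
    mymodule_like_pattern($in, FALSE),
    mymodule_like_pattern($in));
}
```

For the term `50%_off` the unescaped pattern is `%50%_off%`, in which the user's `%` and `_` act as wildcards (it would match "50 days off"), while the escaped pattern `%50\%\_off%` matches only rows containing the literal string. Which escape character the database expects is handled per driver by Drupal; the example uses the Drupal 7 default.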