Your article seems to suggest that the whole concept of db_placeholders is not valid. How would you do any query where parameters come from a form without this vulnerability?

Warren Vail

-----Original Message-----
From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Greg Knaddison
Sent: Monday, April 11, 2011 8:50 AM
To: support@drupal.org
Cc: Warren Vail
Subject: Re: [support] Place holders in SQL query

On Sun, Apr 10, 2011 at 11:05 PM, Warren Vail <warren@vailtech.net> wrote:
> Not sure what you mean by generic, and never used the db_placeholders function, but this should work:
>
> $skillnames = array("PHP", "HTML", "SQL");
> $tblname = "resubmt_skills";
> // implode() already wraps each value in quotes, so the format string must not add
> // a second pair (the original "('%s')" produced IN (''PHP', 'HTML', 'SQL'')).
> // Note that the values are still spliced into the SQL text unescaped.
> $query = sprintf("SELECT skillid FROM %s WHERE skillname IN (%s)", $tblname, "'" . implode("', '", $skillnames) . "'");
> // execute and fetch query results here
>
> Not very elegant, but nothing is as elegant as the solution that works and maintainers can understand.
This may work, but is _wrong_. Please read http://heine.familiedeelstra.com/a-security-vulnerability-waiting-to-happen

Thanks,
Greg

--
Greg Knaddison | 720-310-5623 | http://growingventuresolutions.com
http://masteringdrupal.com - Videos and Tutorials

--
[ Drupal support list | http://lists.drupal.org/ ]
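As an added example that is not part of this thread and not Drupal's own code: the two ways of building the IN list from the posts above, run side by side against an in-memory SQLite table. The table, its rows and the hostile form value are constructed for the demo. It shows why the sprintf version is the vulnerability Greg's link is about (a single form value rewrites the statement) and what db_placeholders does instead: build one placeholder per value from the count of values, then bind the values separately so they can never become SQL text. Python is used so the queries actually execute; the technique is the same in PHP.

```python
import sqlite3

# Constructed sample data for the demo; the table and its rows are made up.
SAMPLE_SKILLS = ["PHP", "HTML", "SQL", "Perl"]


def open_demo_db():
    """In-memory SQLite database holding the constructed resubmt_skills table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE resubmt_skills (skillid INTEGER PRIMARY KEY, skillname TEXT)"
    )
    conn.executemany(
        "INSERT INTO resubmt_skills (skillname) VALUES (?)",
        [(name,) for name in SAMPLE_SKILLS],
    )
    return conn


def skill_ids_interpolated(conn, skillnames):
    """The sprintf approach: values are spliced into the SQL text unescaped.

    Whatever the caller puts in skillnames becomes part of the statement, so a
    value containing a quote closes the IN list and appends its own SQL.
    """
    quoted = "'" + "', '".join(skillnames) + "'"
    sql = (
        "SELECT skillid FROM resubmt_skills WHERE skillname IN (%s) ORDER BY skillid"
        % quoted
    )
    return [row[0] for row in conn.execute(sql)]


def skill_ids_parameterized(conn, skillnames):
    """One placeholder per value, values bound separately by the driver.

    The placeholder list depends only on how many values there are, never on
    their content, so the SQL text is fixed and the values cannot change the
    statement's structure. This is the idea behind db_placeholders().
    """
    if not skillnames:
        # IN () is a syntax error on most databases, and there is nothing to match.
        return []
    placeholders = ", ".join("?" for _ in skillnames)
    sql = (
        "SELECT skillid FROM resubmt_skills WHERE skillname IN (%s) ORDER BY skillid"
        % placeholders
    )
    return [row[0] for row in conn.execute(sql, tuple(skillnames))]


if __name__ == "__main__":
    db = open_demo_db()
    normal = ["PHP", "HTML", "SQL"]
    # A constructed form value that closes the IN list and appends its own condition.
    hostile = ["x') OR 1=1 --"]
    print("interpolated, normal input: ", skill_ids_interpolated(db, normal))
    print("parameterized, normal input:", skill_ids_parameterized(db, normal))
    print("interpolated, hostile input: ", skill_ids_interpolated(db, hostile))
    print("parameterized, hostile input:", skill_ids_parameterized(db, hostile))
```

With the hostile value the interpolated query becomes `... WHERE skillname IN ('x') OR 1=1 --') ORDER BY skillid` and returns every row; the parameterized query looks for a skill literally named `x') OR 1=1 --` and returns nothing. A harmless value such as `O'Reilly` breaks the interpolated query with a syntax error but is simply an unmatched string for the parameterized one. The Drupal 6 shape of the safe version, as I recall the API (check against the handbook before relying on it), is `db_query("SELECT skillid FROM {resubmt_skills} WHERE skillname IN (" . db_placeholders($skillnames, 'varchar') . ")", $skillnames)`: db_placeholders emits the placeholder list and db_query escapes each bound value.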