[development] Porting - Quick security reminders
Konstantin Käfer
kkaefer at gmail.com
Tue Dec 19 16:17:51 UTC 2006
On 19.12.2006 at 15:30, Heine Deelstra wrote:
> Good:
>
> $placeholders = implode(',', array_fill(0, count($from_user), "%d"));
>
> db_query("SELECT t.s FROM {table} t WHERE t.field IN
> ($placeholders)", $from_user);
Grep Drupal core for "IN (%s)", there are some occurrences without the
array_fill you suggest. Besides, if count($from_user) == 0, PHP will
throw a warning. Also note that if you use this and have additional
parameters, you have to add them to the $from_user array as all
following parameters will be discarded if the second parameter is an
array.
Konstantin Käfer – http://kkaefer.com/
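The three points raised in the reply above (empty array, extra parameters, placeholder-per-value) in one helper, as an added example that is not from the thread or from Drupal core. It assumes the Drupal 5/6 db_query() convention that a single array as the second parameter supplies all arguments; the extra `t.status = %d` condition is an assumed illustration.

```php
<?php
// Added example: build a parameterised "IN (...)" query in the style
// discussed on the list. Returns NULL when there is nothing to query for.

function build_in_query(array $ids, array $extra_args = array()) {
  // Empty list: array_fill(0, 0, ...) warned on the PHP of that era, and
  // "IN ()" is a SQL syntax error anyway, so return early instead.
  if (count($ids) == 0) {
    return NULL;
  }
  // Explicit cast; %d would do it too, but this keeps the argument list clean.
  $ids = array_map('intval', $ids);

  // One %d placeholder per value, so every id goes through db_query() escaping.
  $placeholders = implode(',', array_fill(0, count($ids), '%d'));
  $sql = "SELECT t.s FROM {table} t WHERE t.field IN ($placeholders) AND t.status = %d";

  // db_query() ignores further parameters once the second one is an array,
  // so any additional values must be appended to that array, in order.
  $args = array_merge($ids, $extra_args);

  return array('sql' => $sql, 'args' => $args);
}

// Usage (assumed db_query() signature):
// $q = build_in_query($from_user, array(1));
// if ($q !== NULL) { $result = db_query($q['sql'], $q['args']); }
```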