[development] Porting - Quick security reminders

Konstantin Käfer kkaefer at gmail.com
Tue Dec 19 16:17:51 UTC 2006

Am 19.12.2006 um 15:30 schrieb Heine Deelstra:

> Good:
> $placeholders = implode(',', array_fill(0, count($from_user), "%d"));
> db_query("SELECT t.s FROM {table} t WHERE t.field IN  
> ($placeholders)", $from_user);

Grep Drupal core for "IN (%s)", there are some occurences without the  
array_fill you suggest. Besides, if count($from_user) == 0, PHP will  
throw a warning. Also note that if you use this and have additional  
parameters, you have to add them to the $from_user array as all  
following parameters will be discarded if the second parameter is an  

Konstantin Käfer – http://kkaefer.com/

More information about the development mailing list