[development] Porting - Quick security reminders

Heine Deelstra hdeelstra at gmail.com
Tue Dec 19 16:34:43 UTC 2006


Konstantin Käfer wrote:
> 
> Am 19.12.2006 um 15:30 schrieb Heine Deelstra:
> 
>> Good:
>>
>> $placeholders = implode(',', array_fill(0, count($from_user), "%d"));
>>
>> db_query("SELECT t.s FROM {table} t WHERE t.field IN ($placeholders)",
>> $from_user);
> 
> Grep Drupal core for "IN (%s)", there are some occurrences without the
> array_fill you suggest. Besides, if count($from_user) == 0, PHP will
> throw a warning. Also note that if you use this and have additional
> parameters, you have to add them to the $from_user array as all
> following parameters will be discarded if the second parameter is an array.

Please keep in mind that core is not gospel. Basic sanity checks of course still
apply: if $from_user is empty you have an empty IN() clause regardless.

The note about multiple parameters is spot on: all arguments go in the array.
Thank you.

Heine
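The pattern under discussion, worked through as an added example (this is not code from the thread or from Drupal core). It assumes the Drupal 5-era db_query() contract described above: sprintf-style %d placeholders, and when the second argument is an array, that array supplies every placeholder value and any further parameters are dropped. The db_query() here is a stand-in that only shows how the arguments are consumed; build_in_clause() is a hypothetical helper that also guards the empty-array case, which would otherwise produce both the array_fill() warning and an invalid "IN ()" clause.

```php
<?php
// Stand-in for Drupal 5's db_query(): it does not touch a database, it only
// renders the query the way the real function consumes its arguments.
function db_query($query, $args = array()) {
  // An array second argument wins; any further parameters are ignored,
  // which is why every value must be merged into that one array.
  if (!is_array($args)) {
    $args = func_get_args();
    array_shift($args);
  }
  // %d forces an integer. String placeholders ('%s') would additionally need
  // db_escape_string(); this example sticks to integer ids.
  $args = array_map('intval', $args);
  return vsprintf($query, $args);
}

/**
 * Build a parameterised IN() clause from untrusted values.
 *
 * Returns array($sql_fragment, $args). An empty input yields a clause that is
 * always false, instead of the syntax error "IN ()" and the array_fill()
 * warning for a zero count. (Hypothetical helper, not a Drupal API.)
 */
function build_in_clause($field, array $values) {
  if (count($values) == 0) {
    return array('0 = 1', array());
  }
  $placeholders = implode(',', array_fill(0, count($values), '%d'));
  return array("$field IN ($placeholders)", array_values($values));
}

// Constructed sample input, as it might arrive from explode(',', $_GET['ids']).
$from_user = array('3', '17', '5 OR 1=1');
$status = 1;

list($in_sql, $in_args) = build_in_clause('t.field', $from_user);
// All placeholders, including the trailing %d for $status, are fed from ONE
// array; passing $status as a third parameter would silently drop it.
echo db_query("SELECT t.s FROM {table} t WHERE $in_sql AND t.status = %d",
              array_merge($in_args, array($status))), "\n";

// Empty user input: no warning, no "IN ()" syntax error.
list($in_sql, $in_args) = build_in_clause('t.field', array());
echo db_query("SELECT t.s FROM {table} t WHERE $in_sql", $in_args), "\n";
```

The guard for the empty case is a design choice: returning an always-false clause keeps the surrounding query valid, whereas skipping the query entirely would need handling at every call site.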
