[development] Porting - Quick security reminders

Heine Deelstra hdeelstra at gmail.com
Tue Dec 19 16:34:43 UTC 2006

Konstantin Käfer wrote:
> Am 19.12.2006 um 15:30 schrieb Heine Deelstra:
>> Good:
>> $placeholders = implode(',', array_fill(0, count($from_user), "%d"));
>> db_query("SELECT t.s FROM {table} t WHERE t.field IN ($placeholders)",
>> $from_user);
> Grep Drupal core for "IN (%s)", there are some occurences without the
> array_fill you suggest. Besides, if count($from_user) == 0, PHP will
> throw a warning. Also note that if you use this and have additional
> parameters, you have to add them to the $from_user array as all
> following parameters will be discarded if the second parameter is an array.

Please keep in mind that core is not gospel. Basic sanity checks of course still
apply: if $from_user is empty you have an empty IN() clause regardless.

The note about multiple parameters is spot on: all arguments go in the array.
Thank you.


More information about the development mailing list