[development] db_query and serialized arrays

Karoly Negyesi karoly at negyesi.net
Tue Sep 4 09:17:54 UTC 2007

> I should've looked deeper into the code .. it's a very complex query that
is dynamically generated, and it looks as though the constructed values
string is plugged in directly rather than using %s substitution.  That
explains it, I guess.

This is an extremely bad practice and you will be biten by it. Though core does similar at a few places wherever I have encountered such, I added a comment why it's safe -- usually because it's an integer retrieved from the database. Complex stuff should never go without a placeholder.

More information about the development mailing list