[development] db_query and serialized arrays
Karoly Negyesi
karoly at negyesi.net
Tue Sep 4 09:17:54 UTC 2007
> I should've looked deeper into the code .. it's a very complex query that
> is dynamically generated, and it looks as though the constructed values
> string is plugged in directly rather than using %s substitution. That
> explains it, I guess.
This is an extremely bad practice and you will be bitten by it. Though core does similar at a few places wherever I have encountered such, I added a comment why it's safe -- usually because it's an integer retrieved from the database. Complex stuff should never go without a placeholder.
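The point of the reply, shown as an added example that is not part of the thread and not Drupal's own db_query code: a serialized array pasted straight into the SQL text breaks (or is rewritten) as soon as it contains a quote character, while the same value passed through a placeholder is stored intact. The example uses Python's sqlite3 module instead of PHP; the table name `variable`, the serialized string (what PHP's serialize() produces for an array containing the word it's) and the helper names are all constructed for the demonstration. The `int_only` helper mirrors the one case the reply calls safe, an integer already retrieved from the database.

```python
import sqlite3

# Constructed sample value: PHP serialize(array("it's")) -> contains an apostrophe
SERIALIZED = 'a:1:{i:0;s:4:"it\'s";}'


def make_db():
    """Fresh in-memory database with a key/value table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE variable (name TEXT PRIMARY KEY, value TEXT)")
    return conn


def store_interpolated(conn, name, value):
    """The pattern criticised in the thread: the value is spliced into the SQL string.

    Returns True if the statement ran, False if the database rejected it.
    """
    sql = f"INSERT INTO variable (name, value) VALUES ('{name}', '{value}')"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        # The apostrophe inside the serialized array terminated the literal early.
        return False


def store_bound(conn, name, value):
    """The placeholder form: the driver quotes the value, whatever it contains."""
    conn.execute("INSERT INTO variable (name, value) VALUES (?, ?)", (name, value))
    conn.commit()
    return True


def fetch(conn, name):
    """Read a value back, again via a placeholder."""
    row = conn.execute("SELECT value FROM variable WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def int_only(value):
    """The one splice the reply considers acceptable: a genuine integer.

    Anything that is not an int (including numeric strings) is refused, so a
    value that was pulled from the database as an int may be formatted into
    SQL text; everything else must go through a placeholder.
    """
    if not isinstance(value, int) or isinstance(value, bool):
        raise TypeError("only integers may be formatted directly into SQL")
    return str(value)


if __name__ == "__main__":
    db = make_db()
    print("interpolated:", store_interpolated(db, "cfg", SERIALIZED))  # False
    print("bound:", store_bound(db, "cfg", SERIALIZED))                # True
    print("stored value intact:", fetch(db, "cfg") == SERIALIZED)      # True
```

Run it as a script: the interpolated insert fails with a syntax error because the apostrophe ends the string literal early, the bound insert succeeds, and the serialized array comes back byte-for-byte. The same mechanism that breaks the query on an apostrophe is what lets attacker-controlled text alter it, which is why the placeholder form is the only one that stays correct for arbitrary data.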