[documentation] [Documentation support] Why use db_rewrite_sql?

inactivist drupal-docs at drupal.org
Sun Nov 5 18:21:36 UTC 2006


Issue status update for 
http://drupal.org/node/47360
Post a follow up: 
http://drupal.org/project/comments/add/47360

 Project:      Documentation
 Version:      <none>
 Component:    Developer Guide
 Category:     support requests
 Priority:     normal
 Assigned to:  subha
 Reported by:  subha
 Updated by:   inactivist
 Status:       active

Thank you - that's exactly what I wanted to know.




inactivist



Previous comments:
------------------------------------------------------------------------

Wed, 01 Feb 2006 09:00:30 +0000 : subha

I am not understanding the use of the Drupal function db_rewrite_sql. What
does it basically do? Can that functionality not be achieved by
db_query()?




------------------------------------------------------------------------

Thu, 12 Oct 2006 00:57:50 +0000 : piersonr

I'm also unclear about this. I've searched the forums, and the only
answer I could find was on the writing secure code [1] page:

"we are dealing with nodes and the node access mechanism kicks in via
db_rewrite_sql so we are utilizing it. It's really easy and yet it's so
often neglected!

So, once more; There are three kinds of errors you need to avoid: XSS
with proper checking, SQL injections with proper db_query usage and node
access bypass by utilizing db_rewrite_sql."

On the documentation for db_rewrite_sql [2] it says:

"Rewrites node, taxonomy and comment queries. Use it for listing
queries. Do not use FROM table1, table2 syntax, use JOIN instead."

Are "listing queries" any query where you will be outputting several
nodes via pager_query [3]?

If so, the db_rewrite_sql page should link to pager_query and vice
versa, with an explanation of their relationship.

[1] http://drupal.org/node/62304
[2] http://api.drupal.org/api/HEAD/function/db_rewrite_SQL
[3] http://api.drupal.org/api/HEAD/function/pager_query




------------------------------------------------------------------------

Sun, 05 Nov 2006 15:13:38 +0000 : inactivist

+1


Drupal experts, lend a hand! 


When + why are we expected to use it?




------------------------------------------------------------------------

Sun, 05 Nov 2006 16:36:56 +0000 : pwolanin

The answer depends on whether you are writing a snippet to put in a
single page/block on your specific site, or whether you are writing core
or contrib module code that's supposed to be generally usable.


In the first case, if you are not using any access control modules or
similar to control who can see content, then it's probably not necessary
(or even useful), but you may want to anyhow in case you install access
control in the future.


In the latter case, you should use it essentially any time you are
making a query, especially any content-related query (node, terms,
comment, etc.). The exception would be for queries doing internal module
work but not showing any content to users (e.g. a cron task), or perhaps
queries for administrative pages where the user is expected to already
have full privileges and/or it is necessary to show an unfiltered list.


Look through the core code and I think you'll get a sense of it.

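The node access bypass discussed in this thread, shown as an added example (not code from the thread or from Drupal core): a hypothetical contrib module "example_listing" renders the same paged term listing twice, once with a plain query that any node_access module is powerless to filter, and once routed through db_rewrite_sql() so the access mechanism can add its joins. It assumes the Drupal 5/6-era procedural API (db_rewrite_sql, pager_query, db_fetch_object, l, theme) and the {node}/{term_node} schema of that period.

```php
<?php
// Added example, not part of the thread: hypothetical module
// "example_listing" showing a node-access-bypassing listing query
// beside the db_rewrite_sql() version that a contrib module should use.

/**
 * BYPASS: lists published nodes in a term with no node access checks.
 * Nothing here ever touches {node_access}, so a node_access module
 * installed later is silently ignored and restricted nodes leak.
 */
function example_listing_unsafe($tid) {
  $sql = "SELECT n.nid, n.title FROM {node} n
          INNER JOIN {term_node} tn ON tn.nid = n.nid
          WHERE n.status = 1 AND tn.tid = %d ORDER BY n.created DESC";
  $result = pager_query($sql, 10, 0, NULL, $tid);
  return example_listing_render($result, 10);
}

/**
 * SAFE: identical query, but passed through db_rewrite_sql() so the
 * node access mechanism can join {node_access} for the current user.
 * 'n' is the alias of the primary table, which is why the query uses
 * JOIN rather than "FROM {node} n, {term_node} tn": the rewrite must
 * be able to append its own joins after the FROM clause. The count
 * query is rewritten as well, otherwise the pager would reveal how
 * many rows were hidden and produce empty trailing pages.
 */
function example_listing_safe($tid) {
  $sql = "SELECT n.nid, n.title FROM {node} n
          INNER JOIN {term_node} tn ON tn.nid = n.nid
          WHERE n.status = 1 AND tn.tid = %d ORDER BY n.created DESC";
  $count_sql = "SELECT COUNT(DISTINCT(n.nid)) FROM {node} n
          INNER JOIN {term_node} tn ON tn.nid = n.nid
          WHERE n.status = 1 AND tn.tid = %d";
  $result = pager_query(db_rewrite_sql($sql), 10, 0,
                        db_rewrite_sql($count_sql), $tid);
  return example_listing_render($result, 10);
}

/** Shared renderer: one link per node, then the pager. */
function example_listing_render($result, $limit) {
  $items = array();
  while ($node = db_fetch_object($result)) {
    // l() escapes the title itself, so no extra check_plain() here.
    $items[] = l($node->title, 'node/' . $node->nid);
  }
  return theme('item_list', $items) . theme('pager', NULL, $limit);
}
```

With no node_access module enabled both functions return the same list, which is exactly pwolanin's point: the difference only shows up once access control is installed, and only the second version keeps working correctly.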




