[support] Place holders in SQL query

Warren Vail warren at vailtech.net
Mon Apr 11 16:21:04 UTC 2011


Your article seems to suggest that the whole concept of db_placeholders is
not valid.  How would you do any query where parameters come from a form
without this vulnerability?

Warren Vail

-----Original Message-----
From: support-bounces at drupal.org [mailto:support-bounces at drupal.org] On
Behalf Of Greg Knaddison
Sent: Monday, April 11, 2011 8:50 AM
To: support at drupal.org
Cc: Warren Vail
Subject: Re: [support] Place holders in SQL query

On Sun, Apr 10, 2011 at 11:05 PM, Warren Vail <warren at vailtech.net> wrote:
> Not sure what you mean by generic, and never used the db_placeholders
> function, but this should work:
>
> $skillnames = array("PHP", "HTML", "SQL");
> $tblname = "resubmt_skills";
> // the format string supplies no quotes of its own: implode() already wraps each value
> $query = sprintf("SELECT skillid FROM %s WHERE skillname IN (%s)",
> $tblname, "'" . implode("', '", $skillnames) . "'");
> // execute and fetch query results here
>
> not really elegant, but nothing is as elegant as the solution that works
> and maintainers can understand.

This may work, but is _wrong_.

Please read

http://heine.familiedeelstra.com/a-security-vulnerability-waiting-to-happen

Thanks,
Greg

-- 
Greg Knaddison | 720-310-5623 | http://growingventuresolutions.com
http://masteringdrupal.com - Videos and Tutorials
-- 
[ Drupal support list | http://lists.drupal.org/ ]
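As an added example that is neither from the thread nor from Drupal's own code: the quoted sprintf/implode construction beside a placeholder-built query in the style of Drupal 6's db_placeholders(). build_in_list() and quote_value() are assumed stand-ins for what db_placeholders() and db_query() do internally, so the script runs without Drupal loaded.

```php
<?php
// Stand-in for db_placeholders($args, 'varchar') in Drupal 6: one quoted %s
// slot per value, joined for use inside IN (...). Assumption, not Drupal code.
function build_in_list(array $arguments) {
  return implode(', ', array_fill(0, count($arguments), "'%s'"));
}

// Stand-in for the escaping db_query() applies to each 'varchar' argument
// before substituting it into a %s slot. Assumption, not Drupal code.
function quote_value($value) {
  return str_replace(array('\\', "'"), array('\\\\', "\\'"), $value);
}

// The construction from the thread: form values are pasted into the SQL
// string as-is, so any quote character inside the data ends the literal.
function query_via_sprintf($tblname, array $skillnames) {
  return sprintf("SELECT skillid FROM %s WHERE skillname IN (%s)",
    $tblname, "'" . implode("', '", $skillnames) . "'");
}

// The placeholder approach: the query carries only %s slots, and each value
// is escaped before substitution, so a quote in the data stays inside its
// literal. The table name is a fixed string here; it must never come from
// the form, because placeholders only cover values, not identifiers.
function query_via_placeholders($tblname, array $skillnames) {
  $sql = "SELECT skillid FROM $tblname WHERE skillname IN ("
    . build_in_list($skillnames) . ")";
  return vsprintf($sql, array_map('quote_value', $skillnames));
}

// Constructed form input: one entry carries an apostrophe, as user data
// routinely does (names, titles, free text).
$skillnames = array("PHP", "O'Reilly tooling", "SQL");
$tblname = "resubmt_skills";

echo query_via_sprintf($tblname, $skillnames), "\n";
echo query_via_placeholders($tblname, $skillnames), "\n";
```

Compare the two printed statements: in the sprintf version the apostrophe in the second value terminates the string literal and the rest of the value becomes SQL, while in the placeholder version it is escaped and remains data.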
