I have this code:

    // The query has three %s placeholders, so the account value must be
    // supplied once per placeholder; a single-element array leaves the
    // remaining placeholders empty.
    $sql = "SELECT * FROM {false_accounts} WHERE uids REGEXP '^%s,|,%s,|,%s$'";
    $query_args = array($account, $account, $account);
    $result = pager_query($sql . tablesort_sql($header), 50, 0, NULL, $query_args);

The coder module gives me this error:

Line 197: In SQL strings, Use db_query() placeholders in place of variables. This is a potential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)

    $sql = "SELECT * FROM {false_accounts} WHERE uids REGEXP '^%s,|,%s,|,%s$'";

Is this correct?


#1 douggreen’s picture

Attachment: 231621.patch (918 bytes)

Coder is complaining about the use of the $ sign in the regex. This looks like an exception to the rule, that is, we need to look for \$[a-z_]. I've attached a patch that implements this. But before I commit it, I'd like to have others look at this issue. Mainly, I think that your use of the $ sign inside single quotes here is problematic. What does PHP do with a $' inside a double quoted string? Does it ignore it, or does it replace it with an empty string?

sun’s picture

Component: Coder Format » Code

Just fixing the component.

btw: $' is not a valid variable, so PHP will leave it as is.
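The refined rule from #1 (a `$` in an SQL string counts as a variable only when a name character follows it) together with sun's point that PHP leaves `$'` untouched, worked through as a small lint check. This is an added example written for the thread in Python; it is not Coder's own code and uses no Drupal API. The PHP lines it scans are constructed for the demonstration (the first is the query from the issue, the rest are made up for contrast), and the placeholder pattern assumes the Drupal 6 `db_query()` placeholder set `%d %s %f %b %n` with `%%` as a literal percent sign.

```python
import re

# Constructed PHP lines standing in for a Drupal 6 module being linted.
# Line 1 is the query from the issue; lines 2-4 are made up for contrast.
PHP_SOURCE = r'''
$sql = "SELECT * FROM {false_accounts} WHERE uids REGEXP '^%s,|,%s,|,%s$'";
$sql = "SELECT name FROM {users} WHERE uid = $uid";
$sql = "SELECT name FROM {users} WHERE name = '{$form_state['values']['name']}'";
$sql = "SELECT name FROM {users} WHERE name = '%s' AND uid = %d";
'''.strip()

# A double-quoted PHP string literal, allowing backslash-escaped characters inside it.
DOUBLE_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Only strings that look like SQL statements are subject to the rule.
SQL_STATEMENT = re.compile(r'^\s*(?:SELECT|INSERT|UPDATE|DELETE)\b', re.IGNORECASE)

# The refined rule: "$" is a PHP variable only when a name character follows it.
# A "$" before a quote, such as the REGEXP anchor in '...$', is not interpolated
# by PHP and must not trigger the warning.
INTERPOLATED_VARIABLE = re.compile(r'\$([A-Za-z_]\w*)')

# Assumed Drupal 6 db_query() placeholders; "%%" is a literal percent sign.
PLACEHOLDER = re.compile(r'%(%|[dsfbn])')


def interpolated_variables(sql_literal):
    """Names of PHP variables that would be interpolated into the SQL string."""
    return INTERPOLATED_VARIABLE.findall(sql_literal)


def placeholder_count(sql_literal):
    """Number of db_query() placeholders that each need a matching argument."""
    return sum(1 for p in PLACEHOLDER.findall(sql_literal) if p != '%')


def lint_sql_strings(php_source):
    """Apply the rule to every double-quoted SQL string in the PHP source.

    Returns one (line_number, variables, placeholders) tuple per SQL string.
    A non-empty variables list is what triggers the Coder warning; the
    placeholder count lets the caller compare against the argument array.
    """
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in DOUBLE_QUOTED.finditer(line):
            body = match.group(1)
            if SQL_STATEMENT.match(body):
                findings.append((lineno,
                                 interpolated_variables(body),
                                 placeholder_count(body)))
    return findings


if __name__ == '__main__':
    for lineno, variables, placeholders in lint_sql_strings(PHP_SOURCE):
        verdict = ('WARN: variable(s) interpolated: ' + ', '.join(variables)
                   if variables else 'ok')
        print(f'line {lineno}: {placeholders} placeholder(s), {verdict}')
```

Running it reports line 1 as clean with three placeholders (which is also a reminder that the argument array for that query needs three entries), flags `$uid` and `$form_state` on lines 2 and 3, and passes the placeholder-only query on line 4. One caveat for the query in the issue: `%s` escapes the value for SQL, not for REGEXP, so if the account value could contain regular-expression metacharacters it needs separate escaping before it is passed as an argument.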

douggreen’s picture

Status: Active » Fixed

I tested this and committed it.


Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.