Line 212: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)

$sql = "SELECT COUNT(n.nid) FROM {node} n INNER JOIN {node_revisions} r USING (nid, vid) WHERE n.type='%s' AND (r.title REGEXP '^[^[:alpha:]].*$')";

BTW, there is a typo in "protential".

Attachment (comment #2): coder_6x_257499.patch, 1.92 KB, by stella

Comments

stella

I've fixed the typo in CVS, will try and look at the false positive issue later.

Cheers,
Stella

stella

Status: Active » Needs review
File: coder_6x_257499.patch (new, 1.92 KB)

Try the attached patch. It assumes that any $ signs followed by a single quote are ok. The patch is for the 6.x version, but should apply to the 5.x version too.

Cheers,
Stella
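To make the trade-off in the patch concrete, here is an added example (not code from this issue or from the Coder module) that models three versions of the check over a few constructed PHP lines: a rule that flags every `$` inside a double-quoted SQL string (my model of the pre-patch behaviour), the patched heuristic that tolerates a `$` followed by a single quote, and the rule PHP itself applies, where a `$` only interpolates when it is unescaped and followed by an identifier start or `{`. The sample lines, the `SAMPLE_LINES`, `scan`, `any_dollar`, `patched_heuristic` and `interpolates_variable` names, and the assumption that the scanner only looks at double-quoted strings beginning with a SQL keyword are all mine.

```python
import re

# Constructed sample PHP lines for this example (not taken from any module).
SAMPLE_LINES = [
    # 1: genuine interpolation, $type is a PHP variable inside the SQL string
    '$sql = "SELECT nid FROM {node} WHERE type = \'$type\'";',
    # 2: safe, a db_query() placeholder and no PHP variable
    '$sql = "SELECT nid FROM {node} WHERE type = \'%s\'";',
    # 3: the false positive from the issue, $ is a REGEXP end-of-line anchor
    '$sql = "SELECT COUNT(n.nid) FROM {node} n WHERE n.type=\'%s\' '
    'AND (r.title REGEXP \'^[^[:alpha:]].*$\')";',
    # 4: curly-brace interpolation is still interpolation
    '$sql = "SELECT * FROM {node} WHERE nid = {$nid}";',
    # 5: a backslash-escaped dollar is a literal $, not a variable
    '$sql = "SELECT * FROM {node} WHERE title = \'\\$5\'";',
]

# Body of a double-quoted PHP string, honouring backslash escapes.
DOUBLE_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Only strings that look like SQL are of interest to this check.
SQL_KEYWORD = re.compile(r'^\s*(SELECT|INSERT|UPDATE|DELETE)\b', re.I)


def any_dollar(body):
    """Model of the pre-patch rule: any $ in the string is suspicious."""
    return '$' in body


def patched_heuristic(body):
    """The patch's heuristic: a $ immediately followed by a single quote is ok."""
    return re.search(r"\$(?!')", body) is not None


def interpolates_variable(body):
    """PHP's actual rule: an unescaped $ followed by an identifier start or {.

    Walks the string so that an escaped backslash before a $ is handled
    correctly (a lookbehind on a single backslash would get "\\\\$var" wrong).
    """
    i = 0
    while i < len(body):
        c = body[i]
        if c == '\\':
            i += 2            # skip the escaped character, whatever it is
            continue
        if c == '$' and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt == '{' or nxt == '_' or nxt.isalpha():
                return True
        i += 1
    return False


def scan(lines, rule):
    """Return 1-based numbers of lines whose double-quoted SQL string `rule` flags."""
    flagged = []
    for no, line in enumerate(lines, start=1):
        for m in DOUBLE_QUOTED.finditer(line):
            body = m.group(1)
            if SQL_KEYWORD.match(body) and rule(body):
                flagged.append(no)
                break
    return flagged


if __name__ == '__main__':
    for name, rule in (('any $', any_dollar),
                       ('patched', patched_heuristic),
                       ('php rule', interpolates_variable)):
        print(f'{name:9} flags lines {scan(SAMPLE_LINES, rule)}')
```

Line 3 is the REGEXP string from the report: the pre-patch model flags it, the patched heuristic does not. Line 5 shows the limit of the `$'` heuristic, which still flags an escaped `\$` because the next character is not a quote, while the identifier-based rule does not; neither heuristic nor rule flags line 2, and both flag the real interpolations on lines 1 and 4.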

nancydru

Okay, that took care of my problem. IMO, this is RTBC.

stella

Status: Needs review » Fixed

Committed, thanks.

Anonymous

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.