The object-oriented database API in Drupal 7 and Drupal 8 has some features to reduce SQL injection. There are some pieces of the API that do not protect against SQL injection. A developer using the database API can pass user-supplied data to many parameters of the API and trust the API to protect against SQL injection. However, there are many parameters that are not protected.

An example of some insecure code:

  // Deliberately insecure: both ORDER BY arguments come straight from the
  // query string and are placed into the SQL without validation.
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'));
  $order = isset($_GET['order']) ? $_GET['order'] : 'DESC';
  $order_field = isset($_GET['order_field']) ? $_GET['order_field'] : 'n.nid';
  $query->orderBy($order_field, $order);
  $results = $query->execute();

The above specific weakness would be fixed by #829464: orderby() should verify direction and escape fields.

Here is a list of some of the more frequently used methods and which parameters to those methods are safe or dangerous:

  // db_insert->fields(['dangerous', 'dangerous']);
  // db_insert->fields([dangerous => safe]);
  // db_insert->values([safe => safe]); * when combined with safe ->fields,
  //   i.e. the "degenerate" form provides security if you must put
  //   user-supplied data into the keys of the values.
  // db_update->fields([dangerous => safe]);
  // db_delete->condition(safe, safe, dangerous);
  // db_select(safe, safe)
  //   ->fields(safe, safe)
  //   ->condition(safe, safe, dangerous)
  //   ->where(dangerous)
  //   ->addTag(safe)
  //   ->addField(safe, safe, safe)
  //   ->range(safe, safe)
  //   ->join(safe, safe, dangerous, safe array of args)
  //   ->innerJoin(safe, safe, dangerous, safe array of args)
  //   ->leftJoin(safe, safe, dangerous, safe array of args)
  //   ->rightJoin(safe, safe, dangerous, safe array of args)
  //   ->addJoin(dangerous, safe, safe, dangerous, safe array of parameters)
  //   ->addExpression(dangerous, safe)
  //   ->isNotNull(safe)
  //   ->havingCondition(safe, safe, dangerous)
  //   ->having(dangerous, safe parameter array)
  //   ->groupBy(dangerous)
  //   ->orderBy(dangerous, safe)
  //   ->addMetaData(safe, safe);

We should do some mix of:

Comments

greggles created an issue. See original summary.

Crell:

Thanks, greggles!

I would suggest we start by adding documentation to those that we cannot safely escape, like where(). That method asks the developer to supply an arbitrary SQL fragment, so there's no way we can safely escape it. If it's based on user input the developer MUST deal with it themselves. Documenting those cases we know we can't handle otherwise is an easy first step.
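The following is an added example, not code from the issue or from Drupal core, showing the defensive pattern both the issue summary (the orderBy() snippet) and the comment above (the where() fragment) call for: identifiers such as sort columns and directions are taken from a fixed allow-list, and values are bound through placeholders so the SQL fragment itself never carries user input. It assumes Drupal 7's procedural db_select(); the helper names (safe_order_field, safe_order_direction, build_node_listing_query) and the NODE_SORT_FIELDS map are invented for this example.

```php
<?php
// Added example (not code from the issue or from Drupal core). Assumes the
// Drupal 7 procedural database API (db_select); helper names are invented.

/**
 * Request-supplied sort keys mapped to the column names we are willing to
 * place in ORDER BY. The request chooses a key; the column literal is ours,
 * so user input never reaches the SQL text.
 */
const NODE_SORT_FIELDS = [
  'id' => 'n.nid',
  'title' => 'n.title',
  'created' => 'n.created',
];

/**
 * Returns an allow-listed column name, or the default for anything else.
 */
function safe_order_field($requested, $default = 'n.nid') {
  if (is_string($requested) && isset(NODE_SORT_FIELDS[$requested])) {
    return NODE_SORT_FIELDS[$requested];
  }
  return $default;
}

/**
 * Returns 'ASC' or 'DESC' only; any other input becomes the default.
 */
function safe_order_direction($requested, $default = 'DESC') {
  $dir = is_string($requested) ? strtoupper($requested) : '';
  return in_array($dir, ['ASC', 'DESC'], TRUE) ? $dir : $default;
}

/**
 * Builds the node listing query so that every user-controlled value is
 * either allow-listed (identifiers) or bound as a placeholder (values).
 */
function build_node_listing_query(array $get) {
  $order_field = safe_order_field(isset($get['order_field']) ? $get['order_field'] : NULL);
  $order = safe_order_direction(isset($get['order']) ? $get['order'] : NULL);

  $query = db_select('node', 'n')
    ->fields('n', ['nid', 'title', 'created'])
    // condition(): field and operator are our literals, the value is bound.
    ->condition('n.status', 1, '=');

  // Optional "created since" filter. where() takes a raw SQL fragment, so the
  // fragment is a fixed literal and only the value travels in the args array.
  if (isset($get['since']) && ctype_digit((string) $get['since'])) {
    $query->where('n.created >= :since', [':since' => (int) $get['since']]);
  }

  // Both orderBy() arguments now come from fixed allow-lists, not the request.
  return $query->orderBy($order_field, $order);
}

// Outside a Drupal bootstrap db_select() does not exist, so stand-alone runs
// exercise only the pure-PHP validators.
if (function_exists('db_select')) {
  $results = build_node_listing_query($_GET)->execute();
}
else {
  // Constructed inputs: the second and fourth are the kind of values the
  // original snippet would have placed into ORDER BY unchanged.
  var_dump(safe_order_field('title'));               // string "n.title"
  var_dump(safe_order_field('nonexistent_column'));  // string "n.nid" (default)
  var_dump(safe_order_direction('asc'));             // string "ASC"
  var_dump(safe_order_direction('sideways'));        // string "DESC" (default)
}
```

The design point is that the two kinds of dangerous parameters in the list above need two different treatments: a value (the since timestamp) can go through a placeholder because the database driver quotes it, but an identifier (the column or direction in orderBy(), the fragment in where()) cannot be escaped by the API, so the only safe source for it is a literal chosen by the code, with the request allowed to pick among those literals.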

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.0-beta1 was released on March 2, 2016, which means new developments and disruptive changes should now be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.0-beta1 was released on August 3, 2016, which means new developments and disruptive changes should now be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.0-alpha1 will be released the week of January 30, 2017, which means new developments and disruptive changes should now be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.0-alpha1 will be released the week of July 31, 2017, which means new developments and disruptive changes should now be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.0-alpha1 will be released the week of January 17, 2018, which means new developments and disruptive changes should now be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.7.x-dev

Drupal 8.6.0-alpha1 will be released the week of July 16, 2018, which means new developments and disruptive changes should now be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.
