Getting this error for the .install file of a module I'm porting to D6:
> Line 26: In SQL strings, Use db_query() placeholders in place of variables. This is a potential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)

```php
$ret[] = update_sql("INSERT INTO {sequences} VALUES ('{uc_payment_credit}_credit_id', $max)");
```
I don't particularly care for that syntax of putting variables in strings, but that aside coder should recognize that this query is being passed to update_sql() instead of db_query() and not advise you to use placeholders. : )
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | coder_272903.patch | 1.66 KB | stella |
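To illustrate the distinction the report is asking for, here is an added, illustrative lint check (not Coder's own code): it flags PHP variables interpolated into the SQL literal of `db_query()`, where `%d`/`%s` placeholders are available, but skips `update_sql()`, which accepts no placeholder arguments. The sample lines and the function name `check_sql_interpolation` are constructed for this example; it assumes the SQL string is a double-quoted literal on a single line.

```python
"""Illustrative check, not Coder's own implementation: report variables
interpolated into db_query() SQL strings, but not into update_sql() ones."""
import re

# Function name followed by a double-quoted first argument (one line only).
CALL_RE = re.compile(r'\b(db_query|update_sql)\s*\(\s*"((?:[^"\\]|\\.)*)"')
# PHP interpolation inside a double-quoted string: $name or {$expr}.
# Plain {table} braces (Drupal table prefixing) deliberately do not match.
VAR_RE = re.compile(r'\{\$[^}]*\}|\$[A-Za-z_]\w*')


def check_sql_interpolation(lines):
    """Return [(line_number, function, variable)] for every db_query() call
    whose SQL literal interpolates a PHP variable.

    update_sql() calls are skipped: the function takes no placeholder
    arguments, so advising placeholders there is a false positive (the
    situation described in the issue above). A variable in an update_sql()
    string is only a concern when its value can come from user data."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for match in CALL_RE.finditer(line):
            func, sql = match.group(1), match.group(2)
            if func != "db_query":
                continue
            for var in VAR_RE.findall(sql):
                findings.append((lineno, func, var))
    return findings


# Constructed sample: line 1 mirrors the .install line from the report,
# line 2 is a call that should still be flagged, line 3 uses a placeholder.
SAMPLE_LINES = [
    "$ret[] = update_sql(\"INSERT INTO {sequences} VALUES "
    "('{uc_payment_credit}_credit_id', $max)\");",
    "$result = db_query(\"SELECT nid FROM {node} WHERE nid = $nid\");",
    "$result = db_query(\"SELECT nid FROM {node} WHERE nid = %d\", $nid);",
]

if __name__ == "__main__":
    for lineno, func, var in check_sql_interpolation(SAMPLE_LINES):
        print(f"line {lineno}: use a {func}() placeholder instead of {var}")
```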
Comments
Comment #1
wim leers commented: I agree. The same problem exists in the Drupal 5 version of coder btw.
Comment #2
wim leers commented: I agree. The same problem exists in the Drupal 5 version of coder btw.
Comment #3
stella commented: Try the attached patch. Should apply to both 5.x and 6.x versions.
Cheers,
Stella
Comment #4
wim leers commented: I don't think this is committed yet? :)
Comment #5
stella commented: No, it is committed. Can you double check that you've got the latest version? The check is done as part of the security set of tests, and not part of the sql ones. If it's still not working, can you provide the line of code for which the check is failing?
Cheers,
Stella
Comment #6
wim leers commented: My bad :) Fixed indeed, thanks!
Comment #7
Anonymous (not verified) commented: Automatically closed -- issue fixed for two weeks with no activity.