Like the Drupal documentation suggests, any SQL query should not pass the parameters directly in the query, but it should use placeholders.

For example, a query like:

  db_query("SELECT * from {table} WHERE field = ". $number);

should be rewritten as:

  db_query("SELECT * from {table} WHERE field = %d", $number);

This would also prevent any XSS attack.
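To make the difference concrete, here is a small PHP illustration (added here; it is neither Drupal's own code nor code from this issue) of what the Drupal 6 `%d` and `%s` placeholders do to a value before it reaches the database. The `render_query()` helper is a constructed stand-in for the placeholder handling inside `db_query()`, and `$input` is a constructed value.

```php
<?php
// Constructed stand-in for Drupal 6 placeholder handling (not Drupal's code):
// %d casts the argument to int, %s escapes it and is expected to appear
// quoted as '%s' in the query string.
function render_query(string $query, array $args): string {
    $i = 0;
    return preg_replace_callback('/%(d|s)/', function ($m) use ($args, &$i) {
        $value = $args[$i++];
        if ($m[1] === 'd') {
            return (string) (int) $value;      // non-numeric input collapses to 0
        }
        return addslashes((string) $value);    // stand-in for db_escape_string()
    }, $query);
}

// Constructed input: numeric at the start, but carrying extra SQL after it.
$input = "42 OR 1=1";

// Concatenation, the pattern flagged in this issue: the whole string becomes SQL.
$unsafe = "SELECT * FROM {table} WHERE field = " . $input;

// Placeholder: only the leading integer survives the %d cast.
$safe = render_query("SELECT * FROM {table} WHERE field = %d", [$input]);

echo "concatenated: ", $unsafe, "\n";
echo "placeholder:  ", $safe, "\n";
```

Run it and compare the two printed statements; the placeholder form is also what keeps the query safe later, when the value stops being a constant and starts coming from user input.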

Comments

avpaderno

Version: 6.x-1.x-dev » 6.x-1.1
Chajecki

Assigned: Unassigned » Chajecki

Thanks. Very good general comment and I will fix the problem. However, if you read the code you will realize that there were no risks of attacks in those cases.
Again, it will be fixed in a new release that will come in a few days.

avpaderno

Priority: Normal » Minor

There would not be any risk of attacks with the actual code, as the value used doesn't come from any user's input.
I think it's generally better to use placeholders, just to prevent problems when the code is changed.

The "issue" is very minimal, and doesn't even require a normal priority; I am sorry I didn't set the right priority (I keep forgetting there is the possibility to change it).

avpaderno

Version: 6.x-1.1 » 6.x-1.x-dev
Issue summary: View changes
Status: Active » Closed (outdated)

I am closing this issue since it's for a Drupal version that isn't supported.