When to use db_rewrite_sql or ->addTag()

Last updated on 20 September 2016

db_rewrite_sql() in Drupal 6 and db_select() tagged with (for example) 'node_access' in Drupal 7 provide a method for modules to extend your SQL queries. For example, a module which controls access to nodes will need to limit the results of your queries, removing any nodes for which a visitor does not have the required set of access permissions.

If you do not use db_rewrite_sql() or the ->addTag() method, access control modules cannot modify or extend your SQL queries, and you may inadvertently expose content that is meant to be restricted.

It's good practice to always make use of db_rewrite_sql() or ->addTag().

[Note: There is debate (#835068: Document usage of static vs dynamic queries) about whether you should always use db_select(). However, when you are querying the node table it is definitely important to allow other modules to enforce node access restrictions, and the only way to allow for that in D7 is to use db_select() and ->addTag().]

Possible exceptions include:

  • Queries which carry out internal module work, but which aren't responsible for showing content to users (e.g. queries within cron tasks).
  • Queries for administrative pages where it is necessary to show an unfiltered list, and where the user is guaranteed to already have full privileges.
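
The difference in Drupal 7, as an added example that is not part of the original page or of Drupal core: an untagged static query next to the tagged dynamic query that access control modules can alter. The module name `mymodule` and both function names are hypothetical, and the code assumes it runs inside a bootstrapped Drupal 7 site.

```php
<?php
/**
 * Added example for a hypothetical module "mymodule" (Drupal 7 API).
 */

/**
 * Untagged static query: node access modules never see it, so every
 * published node is returned, including ones the visitor may not view.
 * Only appropriate for the exceptions listed above (cron work, admin lists).
 */
function mymodule_recent_titles_unfiltered($limit = 10) {
  return db_query_range(
    'SELECT n.nid, n.title FROM {node} n WHERE n.status = :status ORDER BY n.created DESC',
    0, $limit, array(':status' => NODE_PUBLISHED)
  )->fetchAllKeyed();
}

/**
 * Tagged dynamic query: hook_query_node_access_alter() implementations
 * (including node_query_node_access_alter() in node.module) add their
 * conditions before the query is executed.
 *
 * @param object|null $account
 *   Optional user to check access for; defaults to the current user.
 */
function mymodule_recent_titles($limit = 10, $account = NULL) {
  $query = db_select('node', 'n')
    ->fields('n', array('nid', 'title'))
    ->condition('n.status', NODE_PUBLISHED)
    ->orderBy('n.created', 'DESC')
    ->range(0, $limit)
    ->addTag('node_access');

  if ($account) {
    // Evaluate node access for this account instead of the logged-in user.
    $query->addMetaData('account', $account);
  }

  // Returns an array of nid => title the account is allowed to see.
  return $query->execute()->fetchAllKeyed();
}

// Drupal 6 equivalent of the filtered query (shown as a comment because the
// Drupal 6 and Drupal 7 database APIs cannot be mixed in one file):
//   $sql = db_rewrite_sql('SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 ORDER BY n.created DESC');
//   $result = db_query_range($sql, 0, $limit);
```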