Coder incorrectly advises placeholders in update_sql()
rszrama - June 20, 2008 - 13:40
| Project: | Coder |
| Version: | 6.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | minor |
| Assigned: | Unassigned |
| Status: | closed |
Description
Getting this error for the .install file of a module I'm porting to D6:
Line 26: In SQL strings, Use db_query() placeholders in place of variables. This is a potential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
$ret[] = update_sql("INSERT INTO {sequences} VALUES ('{uc_payment_credit}_credit_id', $max)");I don't particularly care for that syntax of putting variables in strings, but that aside coder should recognize that this query is being passed to update_sql() instead of db_query() and not advise you to use placeholders. : )
#1
I agree. The same problem exists in the Drupal 5 version of coder btw.
#2
I agree. The same problem exists in the Drupal 5 version of coder btw.
#3
Try the attached patch. Should apply to both 5.x and 6.x versions.
Cheers,
Stella
#4
I don't think this is committed yet? :)
#5
No it is committed. Can you double check that you've got the latest version? The check is done as part of the security set of tests, and not part of the sql ones. If it's still not working, can you provide the line of code for which the check is failing?
Cheers,
Stella
#6
My bad :) Fixed indeed, thanks!
#7
Automatically closed -- issue fixed for two weeks with no activity.