I am not understanding the use of the Drupal function db_rewrite_sql. What does it basically do? Can that functionality not be achieved by db_query()?

Comments

piersonr

Title: The use of db_rewrite_sql » Why use db_rewrite_sql?

I'm also unclear about this. I've searched the forums, and the only answer I could find was on the writing secure code page.

We are dealing with nodes, and the node access mechanism kicks in via db_rewrite_sql, so we are utilizing it. It's really easy and yet it's so often neglected!

So, once more: there are three kinds of errors you need to avoid: XSS, with proper checking; SQL injection, with proper db_query usage; and node access bypass, by utilizing db_rewrite_sql.

On the documentation for db_rewrite_sql it says:

Rewrites node, taxonomy and comment queries. Use it for listing queries. Do not use FROM table1, table2 syntax, use JOIN instead.

Are "listing queries" any query where you will be outputting several nodes via pager_query?

If so, the db_rewrite_sql page should link to pager_query and vice versa, with an explanation of their relationship.

mcurry

+1

Drupal experts, lend a hand!

When + why are we expected to use it?

pwolanin

The answer depends on whether you are writing a snippet to put in a single page/block on your specific site, or whether you are writing core or contrib module code that's supposed to be generally usable.

In the first case, if you are not using any access control modules or similar to control who can see content, then it's probably not necessary (or even useful), but you may want to anyhow in case you install access control in the future.

In the latter case, you should use it essentially any time you are making a query, especially any content-related query (node, terms, comment, etc). The exception would be for queries doing internal module work but not showing any content to users (e.g. a cron task), or perhaps queries for administrative pages where the user is expected to already have full privileges and/or it is necessary to show an unfiltered list.

Look through the core code and I think you'll get a sense of it.
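As an added example (not code from this thread, and not Drupal core's own code), here is a hypothetical Drupal 6 contrib module, mymodule, that shows the difference pwolanin describes: a content listing built with plain db_query() beside the same listing passed through db_rewrite_sql() and pager_query(), plus a small hook_db_rewrite_sql() implementation that makes clear why the plain version bypasses access rules. db_query(), db_rewrite_sql(), pager_query(), hook_db_rewrite_sql(), l(), theme() and user_access() are Drupal 6 core APIs; the module name, the recent-articles path, and the 'internal' content type are assumptions made for the example.

```php
<?php
// Hypothetical Drupal 6 module "mymodule" (assumed name, not from the thread).

/**
 * Implementation of hook_menu().
 */
function mymodule_menu() {
  $items['recent-articles'] = array(
    'title' => 'Recent articles',
    'page callback' => 'mymodule_recent_articles',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Node access bypass: a listing built with plain db_query().
 *
 * The '%s' placeholder stops SQL injection, but nothing consults the
 * {node_access} grants or any other hook_db_rewrite_sql() rule, so every
 * published article is listed for anyone with 'access content', including
 * nodes an access-control module has hidden from this user.
 */
function mymodule_recent_articles_bypass($type = 'article') {
  $result = db_query("SELECT n.nid, n.title FROM {node} n WHERE n.status = 1 AND n.type = '%s' ORDER BY n.created DESC", $type);
  $items = array();
  while ($node = db_fetch_object($result)) {
    $items[] = l($node->title, 'node/' . $node->nid);
  }
  return theme('item_list', $items);
}

/**
 * The same listing with node access enforced; this is the page callback.
 *
 * db_rewrite_sql() passes the query to every hook_db_rewrite_sql()
 * implementation. Node module's implementation JOINs {node_access}, adds the
 * grant conditions for the current user and asks for DISTINCT on n.nid so a
 * node with several grants is listed once. The count query is rewritten as
 * well, so the pager's page count matches what the user may actually see.
 */
function mymodule_recent_articles($type = 'article') {
  // Use JOIN syntax, never "FROM {node} n, {users} u": db_rewrite_sql()
  // splices its own JOIN and WHERE in right after the first FROM clause.
  $sql = "SELECT n.nid, n.title, u.name FROM {node} n INNER JOIN {users} u ON u.uid = n.uid WHERE n.status = 1 AND n.type = '%s' ORDER BY n.created DESC";
  $sql_count = "SELECT COUNT(DISTINCT(n.nid)) FROM {node} n INNER JOIN {users} u ON u.uid = n.uid WHERE n.status = 1 AND n.type = '%s'";

  // Primary table alias 'n' and primary field 'nid' are the defaults.
  $sql = db_rewrite_sql($sql);
  $sql_count = db_rewrite_sql($sql_count);
  // Extra arguments after $count_query are the placeholder values.
  $result = pager_query($sql, 10, 0, $sql_count, $type);

  $items = array();
  while ($node = db_fetch_object($result)) {
    // l() escapes the title; the author name is raw text and needs check_plain().
    $items[] = l($node->title, 'node/' . $node->nid) . ' (' . check_plain($node->name) . ')';
  }
  return theme('item_list', $items) . theme('pager', NULL, 10);
}

/**
 * Implementation of hook_db_rewrite_sql().
 *
 * Assumed rule for the example: nodes of type 'internal' are hidden from
 * anyone without 'administer nodes'. Every db_rewrite_sql() call passes
 * through here, which is exactly what a plain db_query() listing skips.
 */
function mymodule_db_rewrite_sql($query, $primary_table, $primary_field, $args) {
  if ($primary_field == 'nid' && !user_access('administer nodes')) {
    // Conditions from all implementations are ANDed onto the query's WHERE.
    return array('where' => $primary_table . ".type <> 'internal'");
  }
}
```

Enable an access-control module (or this hook) and compare the two callbacks as a non-admin user: mymodule_recent_articles_bypass() keeps listing the hidden nodes, while mymodule_recent_articles() drops them and its pager shows the reduced count.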

mcurry

Thank you - that's exactly what I wanted to know.

pwolanin

Status: Active » Closed (fixed)