Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Avoid "SELECT * FROM ..."
Last updated on
25 April 2024
Note: Changes to Drupal coding standards are proposed and discussed in issues in the Coding Standards project.
Using SELECT * FROM {node} queries in versions prior to Drupal 7 can introduce a potential security issue by causing Drupal's Node Access system to be bypassed. In such cases, private content may be shown to unprivileged users. Therefore, queries that generate lists of nodes should avoid SELECT * syntax in all cases. Instead use SELECT nid, ....
It is recommended to avoid SELECT * queries in general. They are less self-documenting than explicitly listing the fields to be retrieved and also very slightly slower. Generally, SELECT * should be used in only two cases:
- The fields in the table being selected from are dynamic and not known definitively at development time. (This is extremely rare and generally bad practice anyway.)
- The list of fields to select is prohibitively long.
- development] Is "SELECT * FROM ..." ok? : discussion on the development list.
- SELECT * IS EVIL: one developer's perspective.
Help improve this page
Page status: No known problems
You can:
You can:
- Log in, click Edit, and edit this page
- Log in, click Discuss, update the Page status value, and suggest an improvement
- Log in and create a Documentation issue with your suggestion
