Hi,

I have this code:

    // Three %s placeholders need three arguments; db_query() escapes each one
    // before substituting it, so the value never reaches the SQL unescaped.
    $sql = "SELECT * FROM {false_accounts} WHERE uids REGEXP '^%s,|,%s,|,%s$'";
    $query_args = array($account, $account, $account);
    $result = pager_query($sql . tablesort_sql($header), 50, 0, NULL, $query_args);

The coder module gives me this error:

Line 197: In SQL strings, use db_query() placeholders in place of variables. This is a potential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
    $sql = "SELECT * FROM {false_accounts} WHERE uids REGEXP '^%s,|,%s,|,%s$'";

Is this correct?

Thanks,
introfini

Files:
#1 231621.patch (918 bytes) by douggreen

Comments

New file: 918 bytes

Coder is complaining about the use of the $ sign in the regex. This looks like an exception to the rule, that is, we need to look for \$[a-z_]. I've attached a patch that implements this. But before I commit it, I'd like to have others look at this issue. Mainly, I think that your use of the $ sign inside single quotes here is problematic. What does PHP do with a $' inside a double-quoted string? Does it ignore it, or does it replace it with an empty string?

Component: Coder Format » Code

Just fixing the component.

btw: $' is not a valid variable, so PHP will leave it as is.
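To make the two points above concrete (the "\$[a-z_]" exception proposed in #1 and the answer about $' in #2), here is an added PHP example. It is not code from this issue or from the coder module: sql_string_has_variable() and substitute_placeholders() are illustrative names, addslashes() stands in for Drupal's db_escape_string(), and the sample source lines are constructed.

```php
<?php
// Added example, not code from this issue or from the coder module. It
// reproduces the two points raised in the comments: a simplified form of the
// "variable inside an SQL string" rule with the "\$[a-z_]" exception, and
// what PHP does with "$'" in a double-quoted string. Function names are
// illustrative, and addslashes() stands in for Drupal's db_escape_string().

// (1) Simplified coder-style check: report a variable only when '$' is
// directly followed by an identifier character inside a double-quoted string.
function sql_string_has_variable($source_line) {
    if (!preg_match_all('/"(?:[^"\\\\]|\\\\.)*"/', $source_line, $matches)) {
        return FALSE;
    }
    foreach ($matches[0] as $quoted) {
        if (preg_match('/\$[a-zA-Z_]/', $quoted)) {
            return TRUE;
        }
    }
    return FALSE;
}

// (2) Placeholder substitution in the style of db_query(): each argument is
// escaped before it is spliced in, so quoting characters cannot end the string.
function substitute_placeholders($sql, array $args) {
    return preg_replace_callback('/%s/', function () use (&$args) {
        return addslashes((string) array_shift($args));
    }, $sql);
}

// Constructed source lines, as a checker would see them.
$interpolated = '$sql = "SELECT * FROM {users} WHERE name = \'$name\'";';
$with_regex   = '$sql = "SELECT * FROM {false_accounts} WHERE uids REGEXP \'^%s,|,%s,|,%s$\'";';

// $name is interpolated before any escaping happens, so the first line is
// flagged; the regex line is not, because "'" cannot start a variable name.
var_dump(sql_string_has_variable($interpolated));
var_dump(sql_string_has_variable($with_regex));

// PHP keeps the literal "$'" at the end of the pattern in a double-quoted string.
$sql = "SELECT * FROM {false_accounts} WHERE uids REGEXP '^%s,|,%s,|,%s$'";
var_dump(substr($sql, -2));

// One argument per %s. A hostile value cannot break out of the quoted pattern,
// but it can still carry regex metacharacters, so cast a uid to (int) before
// passing it on (my recommendation, not something the issue states).
$account = "1' OR '1'='1";
echo substitute_placeholders($sql, array($account, $account, $account)), "\n";
```

Running the script shows the interpolated line flagged and the regex line passed, the pattern still ending in the literal $', and the escaped value embedded inside the quotes rather than terminating them.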

Status: Active » Fixed

I tested this and committed it.

Thanks,
introfini

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.