Avoid SQL injection in Drupal
Drupal depends on a database to function correctly. Inside Drupal, a lightweight database abstraction layer sits between your code and the database. You may already know how to call db_query() in Drupal to read data from the database. But what if the statement inserts user-submitted data? You must process user-submitted data before it reaches the query, or the query is open to SQL injection. Rather than escaping it yourself, you can let Drupal do that for you.
Note: user-submitted data should be passed in as separate parameters so the values can be sanitized to avoid SQL injection attacks. Drupal uses the printf syntax (see http://php.net/printf) as placeholders for these values within queries. There are different % modifiers depending on the data type of the user-submitted information.
Wrong way of insertion (values interpolated straight into the query string):
// Vulnerable: the array values are spliced into the SQL text, so a crafted 'dimensions' value can alter the statement itself.
db_query("INSERT INTO {video_files} (fid, status, dimensions) VALUES ({$video['fid']}, " . VIDEO_RENDERING_PENDING . ", '{$video['dimensions']}')");
Correct way of insertion (values passed as separate arguments behind placeholders):
// Safe: Drupal casts %d arguments to integers and escapes %s arguments before substituting them into the query.
db_query("INSERT INTO {video_files} (fid, status, dimensions) VALUES (%d, %d, '%s')", $video['fid'], VIDEO_RENDERING_PENDING, $video['dimensions']);
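The same placeholder discipline applies to reads, and to two cases the insert above does not show: a list of values behind IN (...) and a literal percent sign in the query. The following is an added example, not code from the original post or from Drupal itself; it uses the printf-style db_query() API of the Drupal 6 era that the post describes (%d integer, %s escaped string, %f float, %b binary, %% literal percent) together with db_placeholders() and db_fetch_object() from that API. The {video_files} table and its columns come from the post; the function names and the sample values are assumptions made for the example.

```php
<?php
// Added example (not from the original post or from Drupal): Drupal 6-style
// db_query() calls in which every user-controlled value goes through a
// placeholder. {video_files} comes from the post; function names are hypothetical.

/**
 * Load one row by a file id taken from user input (for example a URL argument).
 * %d casts the argument to an integer before substitution, so an input such as
 * "1 OR 1=1" becomes 1 and can never change the shape of the statement.
 */
function example_video_load($fid) {
  return db_fetch_object(db_query(
    "SELECT fid, status, dimensions FROM {video_files} WHERE fid = %d",
    $fid
  ));
}

/**
 * Search by a free-text dimensions string such as "640x480". Drupal escapes
 * the %s argument, so quotes inside the input are neutralised. Note that the
 * surrounding single quotes are still written by us in the query string.
 */
function example_video_fids_by_dimensions($dimensions) {
  $result = db_query(
    "SELECT fid FROM {video_files} WHERE dimensions = '%s'",
    $dimensions
  );
  $fids = array();
  while ($row = db_fetch_object($result)) {
    $fids[] = (int) $row->fid;
  }
  return $fids;
}

/**
 * A PHP array cannot be interpolated into IN (...) by hand without reopening
 * the injection hole. db_placeholders() expands the array into a "%d, %d, %d"
 * fragment, and the array itself is then passed as the argument list, so each
 * element is still cast individually by db_query().
 */
function example_video_fids_by_status(array $status_codes) {
  $placeholders = db_placeholders($status_codes, 'int');
  $result = db_query(
    "SELECT fid FROM {video_files} WHERE status IN ($placeholders)",
    $status_codes
  );
  $fids = array();
  while ($row = db_fetch_object($result)) {
    $fids[] = (int) $row->fid;
  }
  return $fids;
}

/**
 * A literal percent sign must be written as %% so db_query() does not treat it
 * as a placeholder. Here the wildcard follows an integer placeholder, so the
 * user-supplied width cannot carry its own LIKE wildcards into the pattern.
 */
function example_video_fids_by_width($width) {
  $result = db_query(
    "SELECT fid FROM {video_files} WHERE dimensions LIKE '%d%%'",
    $width
  );
  $fids = array();
  while ($row = db_fetch_object($result)) {
    $fids[] = (int) $row->fid;
  }
  return $fids;
}

// Sample calls with constructed input (assumed values, not from the post):
$video = example_video_load($_GET['fid']);                   // "1 OR 1=1" -> fid = 1
$by_size = example_video_fids_by_dimensions("640x480' --"); // quote is escaped
$by_status = example_video_fids_by_status(array(1, 2, '3'));  // IN (1, 2, 3)
$by_width = example_video_fids_by_width('640');               // LIKE '640%'
```

The rule that makes all four functions safe is the same one the insert example relies on: the SQL text is a fixed string that only ever contains placeholders, and everything that originated with the user travels as an argument that Drupal casts or escapes before it is substituted.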
© Heshan Wanigasooriya.