4.7 Demonstrate ability to analyze and resolve security issues arising from site configuration or cu
Review SQL injection and, more specifically, examples of query syntax that prevents it.
Examples from https://www.drupal.org/node/2489544. Use the database abstraction layer to avoid SQL injection attacks.
Use the database layer correctly. For example, never concatenate data directly into SQL queries.
Don't do this:
Instead, use proper argument substitution with db_query. The DB layer works on top of PHP PDO and uses an array of named placeholders:
Do This:
For a variable number of arguments, use an array of arguments or use db_select():
db_query is deprecated and will be removed in Drupal 9 - instead you should use a database connection object and call the query method on it (the parameters are the same).
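The following is an added example, not code from the original page or from drupal.org, that puts the points above side by side: the concatenation pattern the page warns against, the same lookup with a named placeholder, an array placeholder and db_select() for a variable number of values, and the equivalent calls on a Drupal 8+ database connection object. The function names, the `$name`/`$names` inputs and the table aliases are assumptions for illustration; `{users}` and `{users_field_data}` are used as familiar table names only.

```php
<?php
// Added example for the placeholder pattern described on the page.
// $name / $names stand in for any untrusted input (a query parameter, a form
// value, an imported file). Function names are illustrative.

// --- The pattern to avoid: data concatenated into the SQL text. ---
// A quote character inside $name ends the string literal early and lets the
// rest of the input be parsed as SQL, so the query's structure is attacker
// controlled. Kept here only as the "before" for contrast.
function example_unsafe_lookup($name) {
  return db_query("SELECT uid FROM {users} WHERE name = '" . $name . "'")
    ->fetchField();
}

// --- Drupal 7: named placeholder via db_query(). ---
// The value travels to the database separately from the SQL text (PDO
// prepared statement), so it can never change the query's structure.
function example_safe_lookup_d7($name) {
  return db_query('SELECT uid FROM {users} WHERE name = :name', [':name' => $name])
    ->fetchField();
}

// --- Drupal 7: a variable number of values. ---
// The ':names[]' array placeholder is expanded by the DB layer into one
// placeholder per element, so an IN (...) list of any length stays safe.
function example_safe_lookup_many_d7(array $names) {
  return db_query('SELECT uid FROM {users} WHERE name IN (:names[])',
    [':names[]' => $names])->fetchCol();
}

// Same query through the query builder; condition() with an array value and
// the 'IN' operator generates the placeholders for you.
function example_safe_lookup_builder_d7(array $names) {
  return db_select('users', 'u')
    ->fields('u', ['uid'])
    ->condition('u.name', $names, 'IN')
    ->execute()
    ->fetchCol();
}

// --- Drupal 8+: the same calls on a database connection object. ---
// The parameters are the same as db_query(); only the entry point changes.
function example_safe_lookup_d8($name) {
  $connection = \Drupal::database();
  return $connection->query('SELECT uid FROM {users_field_data} WHERE name = :name',
    [':name' => $name])->fetchField();
}

function example_safe_lookup_builder_d8(array $names) {
  return \Drupal::database()->select('users_field_data', 'u')
    ->fields('u', ['uid'])
    ->condition('u.name', $names, 'IN')
    ->execute()
    ->fetchCol();
}

// --- Caveat: placeholders only substitute values, never identifiers. ---
// A column name or sort direction taken from user input cannot be bound as a
// placeholder; restrict it to a fixed allow-list before it reaches the query.
function example_safe_sorted_list_d8($sort_field, $direction) {
  $allowed_fields = ['name', 'created'];
  $allowed_directions = ['ASC', 'DESC'];
  if (!in_array($sort_field, $allowed_fields, TRUE)
      || !in_array($direction, $allowed_directions, TRUE)) {
    throw new \InvalidArgumentException('Unsupported sort option.');
  }
  return \Drupal::database()->select('users_field_data', 'u')
    ->fields('u', ['uid', 'name'])
    ->orderBy('u.' . $sort_field, $direction)
    ->execute()
    ->fetchAllKeyed();
}
```

When reviewing custom code for this objective, the quick check is to look for `db_query(`, `->query(` or `->condition(` calls whose SQL string or column argument is built with `.` concatenation or string interpolation of request data; every such spot should become a `:placeholder` entry in the arguments array, and anything that cannot be a placeholder (table, column, ORDER BY direction) should be validated against a fixed list as in the last function.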
Another example of proper syntax.
Other Resources