"Awjrichards" posted a comment on Wikimedia.r1370. URL: http://www.mediawiki.org/wiki/Special:Code/Wikimedia/1370#c31573
Commit summary for Wikimedia.r1370: Changing query to use BETWEEN. Eliminated JOIN. Fixes r1329 and r1336.

Awjrichards's comment:

Drupal's db_query() provides some handy built-in string escaping, which makes for much easier-to-read queries and makes spotting SQL injection vulnerabilities a LOT easier (see http://api.drupal.org/api/drupal/includes%21database.pgsql.inc/function/db_query/6). As with MediaWiki convention, it's best to escape as late as possible, consistently, and in line with convention. In your query, you can use printf()-friendly tokens for any variable data. Then, when you pass the query through db_query(), list the variable data as args in the function call in the order in which they appear in the query. For instance:

<pre>
$query = "SELECT * FROM some_table WHERE last_modified > " . (integer) $some_date . " AND name='" . $some_name . "'";
$res = db_query( $query );
</pre>

Becomes:

<pre>
// '%s' must be quoted in the query text: db_query() escapes the value but does not add the quotes itself.
$query = "SELECT * FROM some_table WHERE last_modified > %d AND name = '%s'";
$res = db_query( $query, $some_date, $some_name );
</pre>

_______________________________________________
MediaWiki-CodeReview mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-codereview
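An added example, not part of the reviewed commit or the comment above, showing why the tokenised form is safer: `bind_query()` is a hypothetical stand-in that mimics Drupal 6's `%d`/`'%s'` handling with a constructed escape function so it runs without a database, and both inputs are constructed.

```php
<?php
// Added example, not from the reviewed commit. bind_query() is a hypothetical
// stand-in for db_query()'s token handling: %d is cast to an integer and %s is
// escaped with a constructed escape function, so no database connection is needed.

function escape_string(string $value): string {
    // Escape the characters that can close a string literal or end a statement.
    return strtr($value, ["\\" => "\\\\", "'" => "\\'", "\0" => "\\0"]);
}

function bind_query(string $query, ...$args): string {
    $i = 0;
    return preg_replace_callback('/%([ds])/', function ($m) use (&$i, $args) {
        $value = $args[$i++] ?? '';
        // %d never reaches the SQL as text; %s is escaped inside the quotes the query supplies.
        return $m[1] === 'd' ? (string)(int)$value : escape_string((string)$value);
    }, $query);
}

// Constructed inputs: the name carries a quote, as untrusted input may.
$some_date = '1300000000';
$some_name = "alice' OR '1'='1";

// Concatenation as in the original query: the quote in $some_name becomes SQL syntax.
$unsafe = "SELECT * FROM some_table WHERE last_modified > " . (integer) $some_date
        . " AND name='" . $some_name . "'";

// Tokenised query as recommended in the review: the name stays a single escaped literal.
$safe = bind_query("SELECT * FROM some_table WHERE last_modified > %d AND name = '%s'",
                   $some_date, $some_name);

echo "concatenated: ", $unsafe, "\n";
echo "bound:        ", $safe, "\n";
```

Running it shows the concatenated statement's WHERE clause rewritten by the embedded quote, while the bound statement compares against the whole string as one escaped value.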
