This new feature suggestion comes from a custom rules set dedicated to PHP and Drupal 8 security.
A dynamic database query should always use a constant string for its condition or snippet arguments.
Dynamically computed query snippets or condition strings may lead to SQL injection attacks. Only the value argument of a condition is bound as a query parameter; the operator argument (like any raw SQL snippet) is placed into the generated SQL text verbatim, so whoever controls it controls the query:
Noncompliant Code Example
$query->condition('w.severity', '5', $operator); // Noncompliant: operator computed at runtime
Compliant Solution
$query->condition('w.severity', '5', "<");
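The following is an added example, not part of the rule text and not Drupal core code, showing the two shapes side by side in a Drupal 8 context. It assumes a `\Drupal\Core\Database\Connection` instance, a `watchdog` table aliased `w` (matching the `w.severity` field above), and a hypothetical request parameter `op`; none of these names come from the original rule.

```php
<?php
// Added example (not from the rule text or from Drupal core).
// Assumptions: a Drupal 8 Connection object; table 'watchdog' aliased 'w';
// the caller obtains $requested from a request parameter such as 'op'.

use Drupal\Core\Database\Connection;

/**
 * Noncompliant: the comparison operator is whatever the caller supplies.
 *
 * The value '5' is bound as a placeholder, but condition() inserts the
 * operator string into the SQL text as-is (Drupal only upper-cases operators
 * it does not recognise). If $operator is taken from the request, the
 * request author can append arbitrary SQL after "w.severity".
 */
function severity_query_noncompliant(Connection $connection, string $operator): array {
  $query = $connection->select('watchdog', 'w')
    ->fields('w', ['wid', 'message', 'severity']);
  $query->condition('w.severity', '5', $operator); // Noncompliant
  return $query->execute()->fetchAll();
}

/**
 * Compliant: untrusted input only selects between call sites that each pass
 * a literal operator, so the argument to condition() is always a constant.
 *
 * A lookup such as $allowed[$requested] would also be safe at runtime, but
 * the rule asks for a constant string at the call site, which is what the
 * switch below guarantees and what a static analyser can verify.
 */
function severity_query_compliant(Connection $connection, string $requested): array {
  $query = $connection->select('watchdog', 'w')
    ->fields('w', ['wid', 'message', 'severity']);

  switch ($requested) {
    case 'lt':
      $query->condition('w.severity', '5', '<');
      break;
    case 'le':
      $query->condition('w.severity', '5', '<=');
      break;
    case 'gt':
      $query->condition('w.severity', '5', '>');
      break;
    case 'ge':
      $query->condition('w.severity', '5', '>=');
      break;
    case 'eq':
      $query->condition('w.severity', '5', '=');
      break;
    default:
      // Reject anything outside the allowlist instead of guessing.
      throw new \InvalidArgumentException('Unsupported comparison operator.');
  }
  return $query->execute()->fetchAll();
}

// Usage inside a controller (hypothetical request handling):
// $rows = severity_query_compliant(\Drupal::database(), $request->query->get('op', 'eq'));
```

The same reasoning applies to any other argument that is spliced into the SQL text rather than bound as a value: keep it a literal, and branch on user input to pick the literal rather than passing the input through.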
- MITRE CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
- OWASP Top 10 2017 Category A1 - Injection
cwe, owasp-a1, drupal