Introduction
This new feature suggestion comes from a custom rules set dedicated to PHP and Drupal 8 security.
Description
A dynamic database query should always have a constant string for its conditional or snippet arguments.
Impact
Dynamically computed query snippets or condition strings (for example an operator taken from user input) may lead to SQL injection attacks, because the database layer inserts them verbatim into the generated SQL rather than binding them as values.
Noncompliant Code Example
$query->condition('w.severity', '5', $operator);
Compliant Solution
$query->condition('w.severity', '5', "<");
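To show why the compliant form works in practice, here is an added example written for this suggestion; it is not code from the rule proposal or from Drupal itself. It assumes a Drupal 8 `Connection` injected as `$connection`, a `watchdog` table aliased `w` (the table name is assumed, only the `w.severity` column comes from the rule text), and an untrusted request value `$requested`. The untrusted value is never passed to `condition()`: it only selects one of a few constant operator strings.

```php
<?php
// Added example, not part of the rule suggestion or of Drupal core.
// Assumptions: $connection is a Drupal\Core\Database\Connection,
// $requested is an untrusted string (e.g. a query-string parameter),
// and the 'watchdog' table name is illustrative.

use Drupal\Core\Database\Connection;

// Allow-list: the keys are what the client may send, the values are the
// constant operator strings that actually reach condition().
const ALLOWED_SEVERITY_OPERATORS = [
  'lt' => '<',
  'le' => '<=',
  'eq' => '=',
  'ge' => '>=',
  'gt' => '>',
];

/**
 * Maps an untrusted selector to a constant operator string.
 *
 * The return value is always one of the literals in the allow-list, so
 * whatever the caller passes in cannot change the shape of the SQL.
 */
function severityOperator(string $requested): string {
  if (!array_key_exists($requested, ALLOWED_SEVERITY_OPERATORS)) {
    throw new \InvalidArgumentException('Unsupported severity comparison.');
  }
  return ALLOWED_SEVERITY_OPERATORS[$requested];
}

/**
 * Noncompliant: the operator argument is computed from the request.
 * condition() does not escape its operator, so the untrusted string is
 * spliced directly into the generated SQL.
 */
function buildSeverityQueryNoncompliant(Connection $connection, string $requested) {
  $query = $connection->select('watchdog', 'w')
    ->fields('w', ['wid', 'severity', 'message']);
  $query->condition('w.severity', 5, $requested); // Noncompliant
  return $query;
}

/**
 * Compliant: the operator is a constant chosen by the allow-list; the
 * value (5) is still bound as a placeholder by the query builder.
 */
function buildSeverityQueryCompliant(Connection $connection, string $requested) {
  $query = $connection->select('watchdog', 'w')
    ->fields('w', ['wid', 'severity', 'message']);
  $query->condition('w.severity', 5, severityOperator($requested)); // Compliant
  return $query;
}

// Stand-alone check of the allow-list logic (no database needed):
assert(severityOperator('lt') === '<');
try {
  severityOperator('anything else');
  assert(false, 'unexpected operator must be rejected');
}
catch (\InvalidArgumentException $e) {
  // Rejected as intended.
}
```

Reviewers of such a rule should note that the same reasoning applies to any `condition()` operator, to `where()` snippets and to `orderBy()` direction arguments: whenever the third argument is not a string literal, the rule should flag it, and the fix is to route the untrusted choice through a fixed map rather than to sanitize the string.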
References
- MITRE CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
- OWASP Top 10 2017 Category A1 - Injection
Type
Vulnerability
Tags
cwe, owasp-a1, drupal