[Drupal] Dynamic database query should use proper argument substitution

Introduction
This new feature suggestion comes from a custom rule set dedicated to PHP and Drupal 8 security.

Description
A dynamic database query should always have a constant string for its conditional or snippet arguments.

Impact
Dynamically computed query snippets or condition strings may lead to SQL injection attacks.

Noncompliant Code Example

$query->condition('w.severity', '5', $operator); // the operator comes from a variable, so the condition argument is not a constant string

Compliant Solution

$query->condition('w.severity', '5', "<"); // the operator is a constant string literal

References

Type
Vulnerability

Tags
cwe, owasp-a1, drupal
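As an added example (not code from the original post or from Drupal itself), one way to keep the operator argument constant while still letting a caller choose the comparison is an allow-list keyed by name, so request input only ever selects a literal and never becomes one. The comparison names, the `watchdog`/`w` alias and the query object passed in are assumptions.

```php
<?php
declare(strict_types=1);

// Fixed set of constant operator strings. Request input may pick a key;
// it never reaches condition() as the operator itself.
const SEVERITY_OPERATORS = [
    'at_least' => '>=',
    'at_most'  => '<=',
    'below'    => '<',
    'above'    => '>',
    'equals'   => '=',
];

/**
 * Returns the constant operator for a requested comparison name.
 *
 * @throws \InvalidArgumentException when the name is not in the allow-list.
 */
function severityOperator(string $requested): string
{
    if (!array_key_exists($requested, SEVERITY_OPERATORS)) {
        throw new \InvalidArgumentException("Unsupported comparison: {$requested}");
    }
    return SEVERITY_OPERATORS[$requested];
}

/**
 * Adds the severity condition to a Drupal dynamic select query.
 * $query is assumed to be a \Drupal\Core\Database\Query\SelectInterface built by the
 * caller, e.g. \Drupal::database()->select('watchdog', 'w'). Only the allow-listed
 * operator is used; the value is passed as an argument for Drupal to bind.
 */
function addSeverityCondition($query, string $requested, int $severity)
{
    return $query->condition('w.severity', $severity, severityOperator($requested));
}

// Stand-alone check of the allow-list with constructed input (no database needed).
function checkAllowList(): bool
{
    if (severityOperator('below') !== '<') {
        return false;
    }
    try {
        severityOperator('<');          // raw symbols are not valid keys either
        return false;
    } catch (\InvalidArgumentException $e) {
        return true;
    }
}

echo checkAllowList() ? "allow-list ok\n" : "allow-list broken\n";
```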

Hello,

Similar to [Drupal] Static database query should use proper argument substitution.

Your suggested check will be covered by SonarQube Developer Edition thanks to the rule S3649 as soon as we extend it to cover PHP, and this is in our pipe for 2018.
As of now, S3649 covers Java and C#.

Regards
