[Drupal] Static database query should use proper argument substitution

php

(Pierre-Loup Tristant) #1

Introduction
This new feature suggestion comes from a custom rules set dedicated to PHP and Drupal 8 security.

Description
Static database query should use proper argument substitution.
As a result, query should always have a constant string as its first argument.

Impact
A dynamically computed query string may lead to SQL injection attacks.

Noncompliant Code Example

$query = $connection->query("SELECT nid, title FROM {node} WHERE user = ".$name);

Compliant Solution

$query = $connection->query("SELECT nid, title FROM {node} WHERE user = :name",
[':name' => $name]);

References

Type
Vulnerability

Tags
cwe, owasp-a1
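
One way to implement the suggested check, as an added example written for this thread and not SonarQube's own rule code: a small Python scanner that finds `->query(` calls in PHP source and flags any whose first argument is not a single constant string literal (concatenation, a variable, a function result, or a double-quoted string with `$var` interpolation). The PHP lines it scans are constructed samples.

```python
import re

# Constructed sample PHP call sites (not from the post); one call per line, numbered from 1.
SAMPLE_PHP = "\n".join([
    r'$q = $connection->query("SELECT nid, title FROM {node} WHERE user = ".$name);',             # 1 concatenation
    r'$q = $connection->query("SELECT nid, title FROM {node} WHERE user = :name", [":name" => $name]);',  # 2 compliant
    r'$q = $connection->query("SELECT nid FROM {node} WHERE user = $name");',                     # 3 interpolation
    r"$q = $connection->query('SELECT nid FROM {node} WHERE uid = ' . $uid);",                    # 4 concatenation
    r'$q = $connection->query($sql, $args);',                                                     # 5 variable
    r'$q = $connection->query(sprintf("SELECT nid FROM {node} WHERE uid = %d", $uid));',          # 6 built by a call
])

QUERY_CALL = re.compile(r'->\s*query\s*\(')
TOKEN = re.compile(r"""'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[()\[\]{},]|[^'"()\[\]{},]+""", re.S)
SINGLE_QUOTED = re.compile(r"^'(?:[^'\\]|\\.)*'$", re.S)   # PHP never interpolates inside '...'
DOUBLE_QUOTED = re.compile(r'^"(?:[^"\\]|\\.)*"$', re.S)
INTERPOLATION = re.compile(r'(?<!\\)\$[A-Za-z_{]')          # "$var" or "{$expr}" inside "..."

def first_argument(src: str, start: int) -> str:
    # Tokens are whole string literals, single brackets/commas, or runs of anything else;
    # walk them after the call's '(' until a top-level ',' or ')' ends the first argument.
    depth, out = 0, []
    for tok in TOKEN.findall(src[start:]):
        if tok in ('(', '[', '{'):
            depth += 1
        elif tok in (')', ']', '}'):
            if depth == 0:
                break
            depth -= 1
        elif tok == ',' and depth == 0:
            break
        out.append(tok)
    return ''.join(out).strip()

def is_constant_string(arg: str) -> bool:
    # Compliant only if the whole argument is one literal with nothing computed at runtime.
    if SINGLE_QUOTED.match(arg):
        return True
    if DOUBLE_QUOTED.match(arg):
        return INTERPOLATION.search(arg) is None
    return False                                             # variable, concatenation, call, ...

def check(src: str):
    # Return (line, first argument) for every ->query() call that violates the rule.
    findings = []
    for m in QUERY_CALL.finditer(src):
        arg = first_argument(src, m.end())
        if not is_constant_string(arg):
            findings.append((src.count("\n", 0, m.start()) + 1, arg))
    return findings
```

Running `check(SAMPLE_PHP)` reports lines 1, 3, 4, 5 and 6; only the placeholder-based call on line 2 passes. Note that Drupal's `{node}` table-prefix braces are plain text inside the literal and are not treated as interpolation.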


[Drupal] Dynamic database query should use proper argument substitution
(Alexandre Gigleux) #2

Hello,

Your suggested check will be covered by SonarQube Developer Edition thanks to the rule S3649 as soon as we extend it to cover PHP, and this is in our pipeline for 2018.
As of now, S3649 covers Java and C#.

Regards