function Connection::filterComment

Same name and namespace in other branches
  1. 9 core/lib/Drupal/Core/Database/Connection.php \Drupal\Core\Database\Connection::filterComment()
  2. 8.9.x core/lib/Drupal/Core/Database/Connection.php \Drupal\Core\Database\Connection::filterComment()
  3. 11.x core/lib/Drupal/Core/Database/Connection.php \Drupal\Core\Database\Connection::filterComment()

Sanitize a query comment string.

Ensure a query comment does not include strings such as "* /" that would terminate the comment early and let whatever follows run as SQL. This avoids SQL injection attacks via the query comment. The comment delimiters in the examples on this page are written with a space ("/ *", "* /") to avoid PHP parse errors, since the real sequence would end the doc comment this text is generated from.

For example, the comment:

\Drupal::database()->update('example')
  ->condition('id', $id)
  ->fields(['field2' => 10])
  ->comment('Exploit * / DROP TABLE node; --')
  ->execute();

Would result in the following SQL statement being generated:

"/ * Exploit * / DROP TABLE node; -- * / UPDATE example SET field2=...";

Unless the comment is sanitized first, the first "* /" closes the comment right after "Exploit", so the SQL server would execute DROP TABLE node as a statement of its own, and the "--" that follows turns the rest of the line, including the real comment terminator and the UPDATE, into a line comment that is ignored. filterComment() pads every asterisk with spaces, so a "/" can never directly follow a "*" and the terminator cannot form, and it turns semicolons into periods so the comment does not trip the multi-statement check.

Parameters

string $comment: A query comment string.

Return value

string A sanitized version of the query comment string.

1 call to Connection::filterComment()
Connection::makeComment in core/lib/Drupal/Core/Database/Connection.php
Flatten an array of query comments into a single comment string.

File

core/lib/Drupal/Core/Database/Connection.php, line 794

Class

Connection
Base Database API class.

Namespace

Drupal\Core\Database

Code

protected function filterComment($comment = '') {
    // Change semicolons to periods to avoid triggering the multi-statement
    // check. Pad every asterisk with spaces so that "* /" can never appear
    // in the output and close the enclosing comment early.
    return strtr($comment, [
        '*' => ' * ',
        ';' => '.',
    ]);
}
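The stand-alone PHP script below is an added example and is not part of the Drupal source or of this page. It lifts the filterComment() body above out of the Connection class, pairs it with an illustrative stand-in for Connection::makeComment() (Drupal's real method is not shown on this page, so the join separator and the "/* ... */ " wrapping are assumptions), and runs the page's attack string through the unsanitized and the sanitized path. The attack string and the UPDATE statement are constructed for the demo; the attack string uses a real "*/" because it sits in a string literal, not a doc comment.

```php
<?php
declare(strict_types=1);

// Added example (not Drupal code): the page's filterComment() logic, lifted
// out of the Connection class so it can be exercised on its own.
function filterComment(string $comment = ''): string {
    // Every '*' is padded with spaces, so "*/" can never survive intact;
    // semicolons become periods so the comment cannot look like a
    // statement separator.
    return strtr($comment, [
        '*' => ' * ',
        ';' => '.',
    ]);
}

// Illustrative stand-in for Connection::makeComment(): joins the comments
// and wraps them in a block comment. Drupal's real method is not on the
// page, so the separator and the trailing space are assumptions.
function makeComment(array $comments, bool $sanitize = true): string {
    if ($comments === []) {
        return '';
    }
    $comment = implode('. ', $comments);
    if ($sanitize) {
        $comment = filterComment($comment);
    }
    return '/* ' . $comment . ' */ ';
}

// The check a practitioner wants: does the comment body still contain a
// terminator that would close the surrounding block comment early?
function commentTerminatesEarly(string $comment): bool {
    return strpos($comment, '*/') !== false;
}

function check(bool $condition, string $message): void {
    if (!$condition) {
        throw new RuntimeException("Check failed: $message");
    }
}

// Constructed attacker input, the page's scenario written with a real "*/"
// (allowed here because this is a string literal, not a doc comment).
$malicious = 'Exploit */ DROP TABLE node; --';
// Constructed statement standing in for the UPDATE the query builder emits.
$update = 'UPDATE example SET field2 = 10 WHERE id = 42';

$unsafe = makeComment([$malicious], false) . $update;
$safe   = makeComment([$malicious]) . $update;

echo "Unsanitized:\n  $unsafe\n";
// The comment closes after "Exploit", DROP TABLE node runs as its own
// statement, and "--" comments out the real terminator and the UPDATE.

echo "Sanitized:\n  $safe\n";
// One block comment followed by one statement: the padded " * /" is no
// longer a terminator and the semicolon has become a period.

check(commentTerminatesEarly($malicious), 'raw input carries a terminator');
check(!commentTerminatesEarly(filterComment($malicious)), 'filtered input has none');
check(strpos(filterComment($malicious), ';') === false, 'no semicolon survives');

// Why padding every asterisk is sufficient: strtr() emits each '*' as " * ",
// so no input, however the asterisks and slashes are arranged, can place a
// '/' directly after a '*' in the output.
foreach (['**/', '* /', '*/*/', '*', '/**/'] as $probe) {
    check(!commentTerminatesEarly(filterComment($probe)), "probe '$probe' is neutralised");
}
echo "All checks passed.\n";
```

Run it with php on the command line. The unsanitized line reproduces the statement shown earlier on this page, with real delimiters; the sanitized line shows the same comment after filterComment(), and the probe loop is the argument for the filter's soundness against the terminator: because every asterisk is emitted with a trailing space, "*/" cannot be reassembled from any input. Note that the filter only guards the comment terminator and the semicolon check; it does not validate the comment's content in any other way.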
