SQL Injection Humor
See the cartoon after the jump...
Every Drupal programmer has done it before, usually just being lazy:
$results = db_query("SELECT * FROM {node} WHERE nid = $some_number");
Why take the time to do it properly? The folks at xkcd explain it better in cartoon form than I ever could with words.

In case you were wondering, the proper way to query the database would be:
$results = db_query("SELECT * FROM {node} WHERE nid = %d", $some_number);
which lets Drupal core handle the variable for you: the %d placeholder casts the value to an integer before it reaches the query (and %s escapes a string), so the submitted value never becomes part of the SQL text itself. While node IDs are generally not user-submitted content, you never know. What if the spec changes such that users can select a given page on your site when they are filling out a form? What if they enter
1'; DROP DATABASE;
instead of a proper node ID? "But I've got an autocomplete text field, so I control the data being entered in that field," you might say. Unfortunately, it's easy to spoof form submissions: anyone can craft the POST request by hand and skip your widget entirely. The mantra should not be "sanitize any user-submitted data" but simply "sanitize ANY data" sent to your database.
Better safe than digging around for a recent database backup...
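To make the difference concrete, here is an added example (not code from this post or from Drupal) that replays the two db_query calls above against an in-memory SQLite database using Python's sqlite3 module instead of Drupal's database layer. The node table, its three rows and the "0 OR 1=1 --" payload are constructed for the demo; the point is that string interpolation lets the attacker rewrite the WHERE clause, while an integer cast plus a bound parameter (what Drupal's %d placeholder does for you) leaves nothing to inject.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for Drupal's {node} table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE node (nid INTEGER PRIMARY KEY, title TEXT, status INTEGER);
        INSERT INTO node VALUES (1, 'Public page', 1);
        INSERT INTO node VALUES (2, 'Unpublished draft', 0);
        INSERT INTO node VALUES (3, 'Another public page', 1);
        """
    )
    return conn


def load_node_vulnerable(conn, some_number):
    """Mirrors the lazy call: the value is pasted straight into the SQL text.

    Whatever the caller sends becomes part of the statement, so a value like
    "0 OR 1=1 --" turns the query into
        ... WHERE nid = 0 OR 1=1 -- AND status = 1
    and the status filter that was meant to hide drafts is commented out.
    """
    sql = f"SELECT nid, title FROM node WHERE nid = {some_number} AND status = 1"
    return conn.execute(sql).fetchall()


def load_node_bound(conn, some_number):
    """Bound parameter only (the equivalent of a %s placeholder).

    The driver sends the value separately from the SQL, so it can never
    change the shape of the statement. A non-numeric string simply fails
    to match any integer nid and returns no rows.
    """
    return conn.execute(
        "SELECT nid, title FROM node WHERE nid = ? AND status = 1", (some_number,)
    ).fetchall()


def load_node_safe(conn, some_number):
    """Mirrors db_query("... WHERE nid = %d", $some_number).

    Drupal's %d forces the value to an integer before it is used; here int()
    does the same and the result is bound as a parameter. Note one difference
    from PHP: (int)"1'; DROP DATABASE;" silently yields 1 in PHP, whereas
    Python's int() raises ValueError, which we let propagate so garbage input
    is rejected loudly instead of guessed at.
    """
    nid = int(some_number)
    return conn.execute(
        "SELECT nid, title FROM node WHERE nid = ? AND status = 1", (nid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "0 OR 1=1 --"  # constructed attacker input
    print("vulnerable:", load_node_vulnerable(db, payload))  # leaks the draft
    print("bound:     ", load_node_bound(db, payload))       # []
    try:
        load_node_safe(db, payload)
    except ValueError as exc:
        print("safe:       rejected:", exc)
```

Run it and the vulnerable query hands back all three rows, including the unpublished draft, while the bound query returns nothing and the cast-and-bind query refuses the input outright. SQLite's execute() happens to refuse stacked statements, which is why the demo bypasses a filter rather than dropping a table; MySQL's multi-statement support is what makes the cartoon's payload possible, so the driver's quirk is no substitute for the placeholder.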