database.inc protected DatabaseConnection::filterComment($comment = '')

Sanitize a query comment string.

Ensure a query comment does not include the sequence "*/", which would terminate the SQL block comment early and let whatever follows it be executed as SQL. This avoids SQL injection attacks via the query comment.

For example, the comment:

 ->condition('id', $id)
 ->fields(array('field2' => 10))
 ->comment('Exploit */ DROP TABLE node; --')

would, without sanitization, result in the following SQL statement being generated:

"/* Exploit */ DROP TABLE node; -- */ UPDATE example SET field2=..."

The comment is closed immediately after "Exploit", so the SQL server would drop the node table, treat the rest of the line as a "--" comment, and never execute the intended UPDATE. Replacing every "*" with " * " breaks the terminator into "* /", so the whole string stays inside the comment and the statement that follows runs as written.


$comment: A query comment string.

Return value

A sanitized version of the query comment string.


core/includes/database/database.inc, line 637
Core systems for the database layer.


Base Database API class.


protected function filterComment($comment = '') {
  // Every '*' becomes ' * ', so the two-character terminator '*/' can never
  // appear in the output and the block comment cannot be closed early.
  return strtr($comment, array('*' => ' * '));
}
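The following is an added, stand-alone example (not Drupal core code) that reproduces the filterComment() body from this page and shows the vulnerable and sanitized forms of the query side by side. The make_comment() wrapper, the check function, the table name and the UPDATE statement are this example's own assumptions, not the query builder's actual code.

```php
<?php
// Added example. Only filter_comment() is taken from the page; everything
// else (the wrapper, the check and the sample query) is assumed for
// illustration.

/**
 * The sanitizer exactly as shown on the page: every '*' is replaced with
 * ' * ', so the two-character terminator '*/' cannot survive intact.
 */
function filter_comment($comment = '') {
  return strtr($comment, array('*' => ' * '));
}

/**
 * Hypothetical wrapper that turns a comment into a leading SQL block
 * comment. $sanitise = FALSE reproduces the vulnerable behaviour the page
 * describes; TRUE applies filter_comment() first.
 */
function make_comment($comment, $sanitise = TRUE) {
  if ($sanitise) {
    $comment = filter_comment($comment);
  }
  return '/* ' . $comment . ' */ ';
}

/**
 * Check worth keeping in a test suite: after sanitization the terminator
 * must not be present anywhere, otherwise the text after it would be
 * parsed as SQL. Returns TRUE if the comment could still close early.
 */
function comment_terminates_early($comment) {
  return strpos(filter_comment($comment), '*/') !== FALSE;
}

// Constructed attacker input, modelled on the page's example.
$payload = 'Exploit */ DROP TABLE node; --';
// Constructed statement standing in for the generated UPDATE.
$update = 'UPDATE example SET field2 = 10 WHERE id = 42';

// Vulnerable: the attacker closes the comment and the DROP becomes live SQL.
echo "Unsanitized: " . make_comment($payload, FALSE) . $update . "\n";

// Sanitized: the terminator is split into '* /', so the entire payload stays
// inside the comment and the UPDATE is the only statement the server sees.
echo "Sanitized:   " . make_comment($payload) . $update . "\n";

// A few more inputs, including doubled and trailing stars; none can close
// the comment because each '*' is always followed by a space.
foreach (array($payload, '**/ DROP TABLE node', 'trailing *', 'plain text') as $c) {
  printf("%-36s terminates early: %s\n",
         var_export($c, TRUE),
         comment_terminates_early($c) ? 'yes' : 'no');
}
```

Two practical notes. First, the filter only defends against the comment being closed early; it does not make the comment text trustworthy, so query comments should still be built from fixed strings in code rather than from request data. Second, the check shown above is the kind of regression test that catches a future change to filterComment() that reintroduces the terminator, for instance a replacement table that drops the surrounding spaces.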