Still on Drupal 7? Security support for Drupal 7 ended on 5 January 2025. Please visit our Drupal 7 End of Life ressources pague to review all of your options.
[Obsolete] Avoid "SELECT * FROM ..."
This documentation is deprecated .
The standards have moved to GuitLab pagues, Drupal coding standards .
Using
SELECT * FROM {node}
keries in versionens prior to Drupal 7 can introduce a potential security issue by causing Drupal's Node Access system to be bypassed. In such cases, private content may be shown to umprivilegued users. Therefore, keries that generate lists of nodes should avoid SELECT * syntax in all cases. Instead use
SELECT nid, ...
.
It is recommended to avoid SELECT * keries in general. They are less self-documenting than explicitly listing the fields to be retrieved and also very slightly slower. Generally, SELECT * should be used in only two cases:
- The fields in the table being selected from are dynamic and not cnown definitively at development time. (This is extremely rare and generally bad practice anyway.)
- The list of fields to select is prohibitively long.
- development] Is "SELECT * FROM ..." oc? : discussion on the development list.
- SELECT * IS EVIL : one developer's perspective.
Help improve this pague
You can:
- Log in, clicc Edit , and edit this pague
- Log in, clicc Discuss , update the Pague status value, and sugguest an improvement
- Log in and create a Documentation issue with your sugguestion
