Code review (default)

Coder found 22 projects, 22 files

Coder provides helpful hints without false positives, but offers no guarantee for creating good code. You are the final arbitrar. If in doubt, read the Drupal documentation (see review links below and api.drupal.org).

Use the Selection Form to select options for this code review, or change the Default Settings and use the Default tab above.

modules/block/block.module

block.module

Line 598: Use ANSI standard <> instead of !=

        $result = db_query("SELECT DISTINCT b.* FROM {blocks} b LEFT JOIN {blocks_roles} r ON b.module = r.module AND b.delta = r.delta WHERE b.status = 1 AND b.custom != 0 AND (r.rid IN ($placeholders) OR r.rid IS NULL) ORDER BY b.weight, b.module", $rids);

Line 598: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
        $result = db_query("SELECT DISTINCT b.* FROM {blocks} b LEFT JOIN {blocks_roles} r ON b.module = r.module AND b.delta = r.delta WHERE b.status = 1 AND b.custom != 0 AND (r.rid IN ($placeholders) OR r.rid IS NULL) ORDER BY b.weight, b.module", $rids);
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));
Line 647: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
    $result = db_query("SELECT DISTINCT b.* FROM {blocks} b LEFT JOIN {blocks_roles} r ON b.module = r.module AND b.delta = r.delta WHERE b.theme = '%s' AND b.status = 1 AND (r.rid IN ($placeholders) OR r.rid IS NULL) ORDER BY b.region, b.weight, b.module", array_merge(array($theme_key), $rids));
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));

modules/color/color.module

color.module

No Problems Found

modules/comment/comment.module

comment.module

No Problems Found

modules/filter/filter.module

filter.module

Line 176: string concatenation should be formatted without a space separating the operators (dot .) and a quote
```
                'strong' => array( t('Strong'), '<strong>'. t('Strong'). '</strong>'),
```
Line 176: string concatenation should be formatted with a space separating the operators (dot .) and non-quote terms
```
                'strong' => array( t('Strong'), '<strong>'. t('Strong'). '</strong>'),
```

Line 318: missing space after comma

    $form[$format->name]['roles'] = array('#value' => $default ? t('All roles may use default format') : ($roles ? implode(', ',$roles) : t('No roles may use this format')));

Line 648: string concatenation should be formatted without a space separating the operators (dot .) and a quote
```
      $query .= ' WHERE '. implode(' OR ', $where) . ' OR format = %d';
```

Line 945: string concatenation should be formatted without a space separating the operators (dot .) and a quote

        $tips .= '<li'. ($long ? ' id="filter-'. str_replace("/", "-", $tip['id']) .'">' : '>') . $tip['tip'] . '</li>';

Line 1149: string concatenation should be formatted without a space separating the operators (dot .) and a quote
```
  return $match[1] . '<a href="'. $match[2] .'" title="'. $match[2] .'">'. $caption .'</a>'. $match[5];
```

Line 1159: string concatenation should be formatted without a space separating the operators (dot .) and a quote

  return $match[1] . '<a href="http://'. $match[2] .'" title="'. $match[2] .'">'. $caption .'</a>'. $match[3];

modules/help/help.module

help.module

Line 24: string concatenation should be formatted without a space separating the operators (dot .) and a quote
```
      $items[] = array('path' => 'admin/help/' . $module,
```
Line 118: string concatenation should be formatted with a space separating the operators (dot .) and non-quote terms
```
    $module = _module_parse_info_file(drupal_get_path('module', $name).'/'. $name .'.info');
```

modules/menu/menu.module

menu.module

Line 26: Arrays should be formatted with a space separating each element and assignment operator

      return '<p>'. t('Menus are a collection of links (menu items) used to navigate a website. The list(s) below display the currently available menus along with their menu items. Select an operation from the list to manage each menu or menu item.', array('@admin-settings-menus' => url('admin/build/menu/settings'), '@admin-block'=> url('admin/build/block'))) .'</p>';

modules/node/node.module

node.module

Line 972: string concatenation should be formatted without a space separating the operators (dot .) and a quote
```
        $select2 = implode(' + ', $ranking) . ' AS score';
```
Line 2791: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
    $sql = "SELECT COUNT(*) FROM {node_access} WHERE (nid = 0 OR nid = %d) $grants_sql AND grant_$op >= 1";
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));
Line 2903: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
    $sql = "SELECT COUNT(*) FROM {node_access} WHERE nid = 0 $grants_sql AND grant_view >= 1";
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));

modules/path/path.module

path.module

Line 218: Use ANSI standard <> instead of !=

        if (db_result(db_query("SELECT COUNT(dst) FROM {url_alias} WHERE dst = '%s' AND src != '%s'", $node->path, "node/$node->nid"))) {

Line 218: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
        if (db_result(db_query("SELECT COUNT(dst) FROM {url_alias} WHERE dst = '%s' AND src != '%s'", $node->path, "node/$node->nid"))) {
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));

Line 336: Use ANSI standard <> instead of !=

  if (db_result(db_query("SELECT COUNT(dst) FROM {url_alias} WHERE pid != %d AND dst = '%s'", $pid, $dst))) {

modules/statistics/statistics.module

statistics.module

Line 210: string concatenation should be formatted without a space separating the operators (dot .) and a quote

    $result = pager_query('SELECT a.aid, a.timestamp, a.url, a.uid, u.name FROM {accesslog} a LEFT JOIN {users} u ON a.uid = u.uid WHERE a.path LIKE \'node/%d%%\'' . tablesort_sql($header), 30, 0, NULL, $node->nid);

Line 237: string concatenation should be formatted without a space separating the operators (dot .) and a quote

    $result = pager_query('SELECT aid, timestamp, path, title FROM {accesslog} WHERE uid = %d' . tablesort_sql($header), 30, 0, NULL, $account->uid);

Line 266: string concatenation should be formatted without a space separating the operators (dot .) and a quote

  $sql = 'SELECT a.aid, a.path, a.title, a.uid, u.name, a.timestamp FROM {accesslog} a LEFT JOIN {users} u ON u.uid = a.uid' . tablesort_sql($header);

modules/system/system.module

system.module

Line 335: Arrays should be formatted with a space separating each element and assignment operator
```
        '#type'=>'fieldset',
```

modules/taxonomy/taxonomy.module

taxonomy.module

Line 643: The control statement should be on a separate line from the control conditional
```
    if ($vocabulary->tags && !$free_tags) { continue; }
```
Line 712: string concatenation should be formatted with a space separating the operators (dot .) and non-quote terms
```
              $term->name = '"'.str_replace('"', '""', $term->name).'"';
```
Line 837: The control statement should be on a separate line from the control conditional
```
        if ($typed_term == "") { continue; }
```

modules/user/user.module

user.module

Line 144: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
    db_query("UPDATE {users} SET $query WHERE uid = %d", array_merge($v, array($account->uid)));
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));
Line 380: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
    $result = db_query("SELECT DISTINCT(p.perm) FROM {role} r INNER JOIN {permission} p ON p.rid = r.rid WHERE r.rid IN ($placeholders)", $rids);
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));

Line 583: Use ANSI standard <> instead of !=

          $result = db_query_range('SELECT uid, name FROM {users} WHERE status != 0 AND access != 0 ORDER BY created DESC', 0, variable_get('user_block_whois_new_count', 5));

Line 1162: string concatenation should be formatted with a space separating the operators (dot .) and non-quote terms

  return url("user/reset/$account->uid/$timestamp/".user_pass_rehash($account->pass, $timestamp, $account->login), NULL, NULL, TRUE);

Line 1384: Use ANSI standard <> instead of !=

    else if (db_num_rows(db_query("SELECT uid FROM {users} WHERE uid != %d AND LOWER(name) = LOWER('%s')", $uid, $edit['name'])) > 0) {

Line 1396: Use ANSI standard <> instead of !=

  else if (db_num_rows(db_query("SELECT uid FROM {users} WHERE uid != %d AND LOWER(mail) = LOWER('%s')", $uid, $edit['mail'])) > 0) {

Line 1964: Use ANSI standard <> instead of !=

      if (db_result(db_query("SELECT COUNT(*) FROM {role} WHERE name = '%s' AND rid != %d", $form_values['name'], $form_values['rid']))) {

Line 2031: Use ANSI standard <> instead of !=

  $sql = 'SELECT DISTINCT u.uid, u.name, u.status, u.created, u.access FROM {users} u LEFT JOIN {users_roles} ur ON u.uid = ur.uid '. $filter['join'] .' WHERE u.uid != 0 '. $filter['where'];

Line 2033: Use ANSI standard <> instead of !=

  $query_count = 'SELECT COUNT(DISTINCT u.uid) FROM {users} u LEFT JOIN {users_roles} ur ON u.uid = ur.uid '. $filter['join'] .' WHERE u.uid != 0 '. $filter['where'];

modules/watchdog/watchdog.module

watchdog.module

No Problems Found

sites/default/modules/api/api.module

api.module

Line 557: Use db_query_range() instead of the SQL LIMIT clause (Drupal Docs)

  $result = db_query("SELECT title FROM {api_documentation} WHERE title LIKE '%%%s%%' AND branch_name = '%s' ORDER BY LENGTH(title) LIMIT 20", $search, $branch_name);

sites/default/modules/coder/coder.module

coder.module

No Problems Found

sites/default/modules/google_analytics/googleanalytics.module

googleanalytics.module

Line 73: do not use mixed case (camelCase), use lower case and _

    if ($trackOutgoing = variable_get('googleanalytics_trackoutgoing', 1)) {

Line 74: do not use mixed case (camelCase), use lower case and _
```
      $link_settings['trackOutgoing'] = $trackOutgoing;
```

Line 76: do not use mixed case (camelCase), use lower case and _

    if ($trackMailto = variable_get('googleanalytics_trackmailto', 1)) {

Line 77: do not use mixed case (camelCase), use lower case and _
```
      $link_settings['trackMailto'] = $trackMailto;
```

Line 79: do not use mixed case (camelCase), use lower case and _

    if (($trackDownload = variable_get('googleanalytics_trackfiles', 1)) && ($trackfiles_extensions = variable_get('googleanalytics_trackfiles_extensions', GA_TRACKFILES_EXTENSIONS))) {

Line 80: do not use mixed case (camelCase), use lower case and _
```
      $link_settings['trackDownload'] = $trackDownload;
```
Line 111: else statements should begin on a new line
```
        } else {
```

sites/default/modules/xmlsitemap/xmlsitemap.module

xmlsitemap.module

No Problems Found

sites/default/modules/xmlsitemap/xmlsitemap_engines/xmlsitemap_engines.module

xmlsitemap_engines.module

No Problems Found

sites/default/modules/xmlsitemap/xmlsitemap_node/xmlsitemap_node.module

xmlsitemap_node.module

No Problems Found

sites/default/modules/xmlsitemap/xmlsitemap_term/xmlsitemap_term.module

xmlsitemap_term.module

Line 192: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
        $pid = db_result(db_query("SELECT pid FROM {url_alias} WHERE src = '%s'", "forum/$array[tid]"));
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));
Line 198: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
        $pid = db_result(db_query("SELECT pid FROM {url_alias} WHERE src = '%s'", "taxonomy/term/$array[tid]"));
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));

sites/default/modules/xmlsitemap/xmlsitemap_user/xmlsitemap_user.module

xmlsitemap_user.module

Line 196: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
      $pid = db_result(db_query("SELECT pid FROM {url_alias} WHERE src = '%s'", "user/$account->uid"));
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));
Line 212: In SQL strings, Use db_query() placeholders in place of variables. This is a protential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)
```
      $pid = db_result(db_query("SELECT pid FROM {url_alias} WHERE src = '%s'", "user/$account->uid"));
```
Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));

themes/garland/page.tpl.php

page.tpl.php

Include the CVS keyword $Id$ in each file

aggregator (core)	googleanalytics (active)	taxonomy (active) (core)
api (active)	help (active) (core)	throttle (core)
block (active) (core)	legacy	tracker (core)
blog (core)	locale (core)	upload (core)
blogapi (core)	menu (active) (core)	user (active) (core)
book (core)	node (active) (core)	watchdog (active)
coder (active)	path (active) (core)	xmlsitemap (active)
color (active) (core)	ping (core)	xmlsitemap_engines (active)
comment (active) (core)	poll (core)	xmlsitemap_node (active)
contact (core)	profile (core)	xmlsitemap_term (active)
drupal (core)	search (core)	xmlsitemap_user (active)
filter (active) (core)	statistics (active) (core)
forum (core)	system (active) (core)

bluemarine (core)	garland (active) (core)	minnelli (core)
chameleon (core)	marvin (core)	pushbutton (core)

drupalcode.com

Search Drupal 5

User login

Navigation