Security/Guides/SQL Queries and 3rd Party Packages

SQL Queries
Connecting your application and database layers can pose security risks. Notably, SQL injection. Below is an outline of the do's and dont's of executing SQL queries in MediaWiki.

Always Incorrect
MediaWiki developers should never directly execute SQL queries through PHP's database extension functions (such as mysql_query or pg_send_query).

Why? Directly inserting a SQL string in one of these provided functions makes the developer responsible for escaping the SQL string themselves. Otherwise, applications are susceptible to SQL injection attacks. https://www.php.net/manual/en/function.mysql-real-escape-string.php#refsect1-function.mysql-real-escape-string-examples

Custom Queries
IDatabase::query

De-Facto
Most of the time, developers can us existing wrapper functions like Database::select or Database::insert to perform SQL queries. When supplying input to these wrapper functions, it is important to use IDatabase::addQuotes on raw user data, as it correctly escapes the provided input (such as table name and LIKE/WHERE statements) to prevent SQL injection.

MW >1.35
As of MediaWiki 1.35, developers should use the SelectQueryBuilder class to create SQL SELECT statements. This class allows function chaining so SQL queries are easily readable and don't require specifically formatted input parameters (like IDatabase::select does). The parameters to SelectQueryBuilder wrapper functions such as SelectQueryBuilder::where should also be escaped via IDatabase::addQuotes before being passed in.