<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[42056] trunk: Database: Restore numbered placeholders in `wpdb::prepare()`.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/42056">42056</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/42056","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>pento</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2017-10-31 11:59:43 +0000 (Tue, 31 Oct 2017)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Database: Restore numbered placeholders in `wpdb::prepare()`.
<a href="https://core.trac.wordpress.org/changeset/41496">[41496]</a> removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.
This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.
See <a href="https://core.trac.wordpress.org/ticket/41925">#41925</a>.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpincludesformattingphp">trunk/src/wp-includes/formatting.php</a></li>
<li><a href="#trunksrcwpincludesmetaphp">trunk/src/wp-includes/meta.php</a></li>
<li><a href="#trunksrcwpincludespostphp">trunk/src/wp-includes/post.php</a></li>
<li><a href="#trunksrcwpincludeswpdbphp">trunk/src/wp-includes/wp-db.php</a></li>
<li><a href="#trunktestsphpunittestscommentqueryphp">trunk/tests/phpunit/tests/comment/query.php</a></li>
<li><a href="#trunktestsphpunittestsdatequeryphp">trunk/tests/phpunit/tests/date/query.php</a></li>
<li><a href="#trunktestsphpunittestsdbphp">trunk/tests/phpunit/tests/db.php</a></li>
<li><a href="#trunktestsphpunittestsrestapirestpostscontrollerphp">trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php</a></li>
<li><a href="#trunkwptestsconfigsamplephp">trunk/wp-tests-config-sample.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpincludesformattingphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/formatting.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/formatting.php 2017-10-31 09:13:09 UTC (rev 42055)
+++ trunk/src/wp-includes/formatting.php 2017-10-31 11:59:43 UTC (rev 42056)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -3754,6 +3754,11 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * Sometimes, spot-escaping is required or useful. One example
</span><span class="cx" style="display: block; padding: 0 10px"> * is preparing an array for use in an IN clause.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * NOTE: Since 4.8.3, '%' characters will be replaced with a placeholder string,
+ * this prevents certain SQLi attacks from taking place. This change in behaviour
+ * may cause issues for code that expects the return value of esc_sql() to be useable
+ * for other purposes.
+ *
</ins><span class="cx" style="display: block; padding: 0 10px"> * @since 2.8.0
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @global wpdb $wpdb WordPress database abstraction object.
</span></span></pre></div>
<a id="trunksrcwpincludesmetaphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/meta.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/meta.php 2017-10-31 09:13:09 UTC (rev 42055)
+++ trunk/src/wp-includes/meta.php 2017-10-31 11:59:43 UTC (rev 42056)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -364,12 +364,11 @@
</span><span class="cx" style="display: block; padding: 0 10px"> return false;
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( $delete_all ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $value_clause = '';
</del><span class="cx" style="display: block; padding: 0 10px"> if ( '' !== $meta_value && null !== $meta_value && false !== $meta_value ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $value_clause = $wpdb->prepare( " AND meta_value = %s", $meta_value );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s AND meta_value = %s", $meta_key, $meta_value ) );
+ } else {
+ $object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s", $meta_key ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-
- $object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s $value_clause", $meta_key ) );
</del><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span></span></pre></div>
<a id="trunksrcwpincludespostphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/post.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/post.php 2017-10-31 09:13:09 UTC (rev 42055)
+++ trunk/src/wp-includes/post.php 2017-10-31 11:59:43 UTC (rev 42056)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -4317,10 +4317,10 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $page_path = str_replace('%2F', '/', $page_path);
</span><span class="cx" style="display: block; padding: 0 10px"> $page_path = str_replace('%20', ' ', $page_path);
</span><span class="cx" style="display: block; padding: 0 10px"> $parts = explode( '/', trim( $page_path, '/' ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $parts = esc_sql( $parts );
</del><span class="cx" style="display: block; padding: 0 10px"> $parts = array_map( 'sanitize_title_for_query', $parts );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $escaped_parts = esc_sql( $parts );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $in_string = "'" . implode( "','", $parts ) . "'";
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $in_string = "'" . implode( "','", $escaped_parts ) . "'";
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( is_array( $post_type ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $post_types = $post_type;
</span></span></pre></div>
<a id="trunksrcwpincludeswpdbphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/src/wp-includes/wp-db.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/src/wp-includes/wp-db.php 2017-10-31 09:13:09 UTC (rev 42055)
+++ trunk/src/wp-includes/wp-db.php 2017-10-31 11:59:43 UTC (rev 42056)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1106,20 +1106,22 @@
</span><span class="cx" style="display: block; padding: 0 10px"> function _real_escape( $string ) {
</span><span class="cx" style="display: block; padding: 0 10px"> if ( $this->dbh ) {
</span><span class="cx" style="display: block; padding: 0 10px"> if ( $this->use_mysqli ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return mysqli_real_escape_string( $this->dbh, $string );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $escaped = mysqli_real_escape_string( $this->dbh, $string );
</ins><span class="cx" style="display: block; padding: 0 10px"> } else {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return mysql_real_escape_string( $string, $this->dbh );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $escaped = mysql_real_escape_string( $string, $this->dbh );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ } else {
+ $class = get_class( $this );
+ if ( function_exists( '__' ) ) {
+ /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */
+ _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' );
+ } else {
+ _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' );
+ }
+ $escaped = addslashes( $string );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $class = get_class( $this );
- if ( function_exists( '__' ) ) {
- /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */
- _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' );
- } else {
- _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' );
- }
- return addslashes( $string );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ return $this->add_placeholder_escape( $escaped );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1201,14 +1203,14 @@
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * All placeholders MUST be left unquoted in the query string. A corresponding argument MUST be passed for each placeholder.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * For compatibility with old behavior, numbered or formatted string placeholders (eg, %1$s, %5s) will not have quotes
+ * added by this function, so should be passed with appropriate quotes around them for your usage.
+ *
</ins><span class="cx" style="display: block; padding: 0 10px"> * Literal percentage signs (%) in the query string must be written as %%. Percentage wildcards (for example,
</span><span class="cx" style="display: block; padding: 0 10px"> * to use in LIKE syntax) must be passed via a substitution argument containing the complete LIKE string, these
</span><span class="cx" style="display: block; padding: 0 10px"> * cannot be inserted directly in the query string. Also see {@see esc_like()}.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * This method DOES NOT support sign, padding, alignment, width or precision specifiers.
- * This method DOES NOT support argument numbering or swapping.
- *
- * Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination
</ins><span class="cx" style="display: block; padding: 0 10px"> * of the two is not supported.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * Examples:
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1225,8 +1227,9 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @return string|void Sanitized query string, if there is a query to prepare.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> public function prepare( $query, $args ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( is_null( $query ) )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( is_null( $query ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return;
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // This is not meant to be foolproof -- but it will catch obviously incorrect usage.
</span><span class="cx" style="display: block; padding: 0 10px"> if ( strpos( $query, '%' ) === false ) {
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1237,8 +1240,10 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $args = func_get_args();
</span><span class="cx" style="display: block; padding: 0 10px"> array_shift( $args );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // If args were passed as an array (as in vsprintf), move them up
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // If args were passed as an array (as in vsprintf), move them up.
+ $passed_as_array = false;
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( is_array( $args[0] ) && count( $args ) == 1 ) {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $passed_as_array = true;
</ins><span class="cx" style="display: block; padding: 0 10px"> $args = $args[0];
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1249,28 +1254,62 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
- $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
- $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
- $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
- $query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query ); // escape any unescaped percents
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /*
+ * Specify the formatting allowed in a placeholder. The following are allowed:
+ *
+ * - Sign specifier. eg, $+d
+ * - Numbered placeholders. eg, %1$s
+ * - Padding specifier, including custom padding characters. eg, %05s, %'#5s
+ * - Alignment specifier. eg, %05-s
+ * - Precision specifier. eg, %.2f
+ */
+ $allowed_format = '(?:[1-9][0-9]*[$])?[-+0-9]*(?: |0|\'.)?[-+0-9]*(?:\.[0-9]+)?';
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // Count the number of valid placeholders in the query
- $placeholders = preg_match_all( '/(^|[^%]|(%%)+)%[sdF]/', $query, $matches );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /*
+ * If a %s placeholder already has quotes around it, removing the existing quotes and re-inserting them
+ * ensures the quotes are consistent.
+ *
+ * For backwards compatibility, this is only applied to %s, and not to placeholders like %1$s, which are frequently
+ * used in the middle of longer strings, or as table name placeholders.
+ */
+ $query = str_replace( "'%s'", '%s', $query ); // Strip any existing single quotes.
+ $query = str_replace( '"%s"', '%s', $query ); // Strip any existing double quotes.
+ $query = preg_replace( '/(?<!%)%s/', "'%s'", $query ); // Quote the strings, avoiding escaped strings like %%s.
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( count ( $args ) !== $placeholders ) {
- wp_load_translations_early();
- _doing_it_wrong( 'wpdb::prepare',
- /* translators: 1: number of placeholders, 2: number of arguments passed */
- sprintf( __( 'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).' ),
- $placeholders,
- count( $args ) ),
- '4.9.0'
- );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $query = preg_replace( "/(?<!%)(%($allowed_format)?f)/" , '%\\2F', $query ); // Force floats to be locale unaware.
+
+ $query = preg_replace( "/%(?:%|$|(?!($allowed_format)?[sdF]))/", '%%\\1', $query ); // Escape any unescaped percents.
+
+ // Count the number of valid placeholders in the query.
+ $placeholders = preg_match_all( "/(^|[^%]|(%%)+)%($allowed_format)?[sdF]/", $query, $matches );
+
+ if ( count( $args ) !== $placeholders ) {
+ if ( 1 === $placeholders && $passed_as_array ) {
+ // If the passed query only expected one argument, but the wrong number of arguments were sent as an array, bail.
+ wp_load_translations_early();
+ _doing_it_wrong( 'wpdb::prepare', __( 'The query only expected one placeholder, but an array of multiple placeholders was sent.' ), '4.9.0' );
+
+ return;
+ } else {
+ /*
+ * If we don't have the right number of placeholders, but they were passed as individual arguments,
+ * or we were expecting multiple arguments in an array, throw a warning.
+ */
+ wp_load_translations_early();
+ _doing_it_wrong( 'wpdb::prepare',
+ /* translators: 1: number of placeholders, 2: number of arguments passed */
+ sprintf( __( 'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).' ),
+ $placeholders,
+ count( $args ) ),
+ '4.8.3'
+ );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> array_walk( $args, array( $this, 'escape_by_ref' ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return @vsprintf( $query, $args );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $query = @vsprintf( $query, $args );
+
+ return $this->add_placeholder_escape( $query );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1894,6 +1933,64 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Generates and returns a placeholder escape string for use in queries returned by ::prepare().
+ *
+ * @since 4.8.3
+ *
+ * @return string String to escape placeholders.
+ */
+ public function placeholder_escape() {
+ static $placeholder;
+
+ if ( ! $placeholder ) {
+ // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
+ $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
+ // Old WP installs may not have AUTH_SALT defined.
+ $salt = defined( 'AUTH_SALT' ) ? AUTH_SALT : rand();
+
+ $placeholder = '{' . hash_hmac( $algo, uniqid( $salt, true ), $salt ) . '}';
+ }
+
+ /*
+ * Add the filter to remove the placeholder escaper. Uses priority 0, so that anything
+ * else attached to this filter will recieve the query with the placeholder string removed.
+ */
+ if ( ! has_filter( 'query', array( $this, 'remove_placeholder_escape' ) ) ) {
+ add_filter( 'query', array( $this, 'remove_placeholder_escape' ), 0 );
+ }
+
+ return $placeholder;
+ }
+
+ /**
+ * Adds a placeholder escape string, to escape anything that resembles a printf() placeholder.
+ *
+ * @since 4.8.3
+ *
+ * @param string $query The query to escape.
+ * @return string The query with the placeholder escape string inserted where necessary.
+ */
+ public function add_placeholder_escape( $query ) {
+ /*
+ * To prevent returning anything that even vaguely resembles a placeholder,
+ * we clobber every % we can find.
+ */
+ return str_replace( '%', $this->placeholder_escape(), $query );
+ }
+
+ /**
+ * Removes the placeholder escape strings from a query.
+ *
+ * @since 4.8.3
+ *
+ * @param string $query The query from which the placeholder will be removed.
+ * @return string The query with the placeholder removed.
+ */
+ public function remove_placeholder_escape( $query ) {
+ return str_replace( $this->placeholder_escape(), '%', $query );
+ }
+
+ /**
</ins><span class="cx" style="display: block; padding: 0 10px"> * Insert a row into a table.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * wpdb::insert( 'table', array( 'column' => 'foo', 'field' => 'bar' ) )
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -2064,7 +2161,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $conditions = implode( ' AND ', $conditions );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $sql = "UPDATE `$table` SET $fields WHERE $conditions";
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
</ins><span class="cx" style="display: block; padding: 0 10px"> $this->check_current_query = false;
</span><span class="cx" style="display: block; padding: 0 10px"> return $this->query( $this->prepare( $sql, $values ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span></span></pre></div>
<a id="trunktestsphpunittestscommentqueryphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/comment/query.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/comment/query.php 2017-10-31 09:13:09 UTC (rev 42055)
+++ trunk/tests/phpunit/tests/comment/query.php 2017-10-31 11:59:43 UTC (rev 42056)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1218,22 +1218,24 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @ticket 35513
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_search_int_0_should_not_be_ignored() {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px"> $q = new WP_Comment_Query();
</span><span class="cx" style="display: block; padding: 0 10px"> $q->query( array(
</span><span class="cx" style="display: block; padding: 0 10px"> 'search' => 0,
</span><span class="cx" style="display: block; padding: 0 10px"> ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertContains( "comment_author LIKE '%0%'", $q->request );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertContains( "comment_author LIKE '%0%'", $wpdb->remove_placeholder_escape( $q->request ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="cx" style="display: block; padding: 0 10px"> * @ticket 35513
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_search_string_0_should_not_be_ignored() {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px"> $q = new WP_Comment_Query();
</span><span class="cx" style="display: block; padding: 0 10px"> $q->query( array(
</span><span class="cx" style="display: block; padding: 0 10px"> 'search' => '0',
</span><span class="cx" style="display: block; padding: 0 10px"> ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertContains( "comment_author LIKE '%0%'", $q->request );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertContains( "comment_author LIKE '%0%'", $wpdb->remove_placeholder_escape( $q->request ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_orderby_default() {
</span></span></pre></div>
<a id="trunktestsphpunittestsdatequeryphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/date/query.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/date/query.php 2017-10-31 09:13:09 UTC (rev 42055)
+++ trunk/tests/phpunit/tests/date/query.php 2017-10-31 11:59:43 UTC (rev 42056)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -512,11 +512,12 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @ticket 34228
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_build_time_query_should_not_discard_hour_0() {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px"> $q = new WP_Date_Query( array() );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $found = $q->build_time_query( 'post_date', '=', 0, 10 );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertContains( '%H', $found );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertContains( '%H', $wpdb->remove_placeholder_escape( $found ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_build_time_query_compare_in() {
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -612,33 +613,36 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_build_time_query_hour_minute() {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px"> $q = new WP_Date_Query( array() );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $found = $q->build_time_query( 'post_date', '=', 5, 15 );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // $compare value is floating point - use regex to account for
</span><span class="cx" style="display: block; padding: 0 10px"> // varying precision on different PHP installations
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $found );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $wpdb->remove_placeholder_escape( $found ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_build_time_query_hour_minute_second() {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px"> $q = new WP_Date_Query( array() );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $found = $q->build_time_query( 'post_date', '=', 5, 15, 35 );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // $compare value is floating point - use regex to account for
</span><span class="cx" style="display: block; padding: 0 10px"> // varying precision on different PHP installations
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $found );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $wpdb->remove_placeholder_escape( $found ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_build_time_query_minute_second() {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px"> $q = new WP_Date_Query( array() );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $found = $q->build_time_query( 'post_date', '=', null, 15, 35 );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // $compare value is floating point - use regex to account for
</span><span class="cx" style="display: block; padding: 0 10px"> // varying precision on different PHP installations
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $found );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $wpdb->remove_placeholder_escape( $found ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span></span></pre></div>
<a id="trunktestsphpunittestsdbphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/db.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/db.php 2017-10-31 09:13:09 UTC (rev 42055)
+++ trunk/tests/phpunit/tests/db.php 2017-10-31 11:59:43 UTC (rev 42056)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -270,6 +270,9 @@
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_double_escaped_placeholders() {
</span><span class="cx" style="display: block; padding: 0 10px"> global $wpdb;
</span><span class="cx" style="display: block; padding: 0 10px"> $sql = $wpdb->prepare( "UPDATE test_table SET string_column = '%%f is a float, %%d is an int %d, %%s is a string', field = %s", 3, '4' );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertContains( $wpdb->placeholder_escape(), $sql );
+
+ $sql = $wpdb->remove_placeholder_escape( $sql );
</ins><span class="cx" style="display: block; padding: 0 10px"> $this->assertEquals( "UPDATE test_table SET string_column = '%f is a float, %d is an int 3, %s is a string', field = '4'", $sql );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -432,12 +435,12 @@
</span><span class="cx" style="display: block; padding: 0 10px"> array(
</span><span class="cx" style="display: block; padding: 0 10px"> "SELECT * FROM $wpdb->users WHERE id = %d AND %% AND user_login = %s",
</span><span class="cx" style="display: block; padding: 0 10px"> array( 1, "admin", "extra-arg" ),
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- "SELECT * FROM $wpdb->users WHERE id = 1 AND % AND user_login = 'admin'",
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ "SELECT * FROM $wpdb->users WHERE id = 1 AND {$wpdb->placeholder_escape()} AND user_login = 'admin'",
</ins><span class="cx" style="display: block; padding: 0 10px"> ),
</span><span class="cx" style="display: block; padding: 0 10px"> array(
</span><span class="cx" style="display: block; padding: 0 10px"> "SELECT * FROM $wpdb->users WHERE id = %%%d AND %F AND %f AND user_login = %s",
</span><span class="cx" style="display: block; padding: 0 10px"> array( 1, 2.3, "4.5", "admin", "extra-arg" ),
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- "SELECT * FROM $wpdb->users WHERE id = %1 AND 2.300000 AND 4.500000 AND user_login = 'admin'",
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ "SELECT * FROM $wpdb->users WHERE id = {$wpdb->placeholder_escape()}1 AND 2.300000 AND 4.500000 AND user_login = 'admin'",
</ins><span class="cx" style="display: block; padding: 0 10px"> ),
</span><span class="cx" style="display: block; padding: 0 10px"> array(
</span><span class="cx" style="display: block; padding: 0 10px"> "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s",
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1185,16 +1188,330 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- *
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @dataProvider data_prepare_with_placeholders
</ins><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- function test_prepare_with_unescaped_percents() {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ function test_prepare_with_placeholders_and_individual_args( $sql, $values, $incorrect_usage, $expected) {
</ins><span class="cx" style="display: block; padding: 0 10px"> global $wpdb;
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $sql = $wpdb->prepare( '%d %1$d %%% %', 1 );
- $this->assertEquals( '1 %1$d %% %', $sql );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( $incorrect_usage ) {
+ $this->setExpectedIncorrectUsage( 'wpdb::prepare' );
+ }
+
+ if ( ! is_array( $values ) ) {
+ $values = array( $values );
+ }
+
+ array_unshift( $values, $sql );
+
+ $sql = call_user_func_array( array( $wpdb, 'prepare' ), $values );
+ $this->assertEquals( $expected, $sql );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @dataProvider data_prepare_with_placeholders
+ */
+ function test_prepare_with_placeholders_and_array_args( $sql, $values, $incorrect_usage, $expected) {
+ global $wpdb;
+
+ if ( $incorrect_usage ) {
+ $this->setExpectedIncorrectUsage( 'wpdb::prepare' );
+ }
+
+ if ( ! is_array( $values ) ) {
+ $values = array( $values );
+ }
+
+ $sql = call_user_func_array( array( $wpdb, 'prepare' ), array( $sql, $values ) );
+ $this->assertEquals( $expected, $sql );
+ }
+
+ function data_prepare_with_placeholders() {
+ global $wpdb;
+
+ return array(
+ array(
+ '%5s', // SQL to prepare
+ 'foo', // Value to insert in the SQL
+ false, // Whether to expect an incorrect usage error or not
+ ' foo', // Expected output
+ ),
+ array(
+ '%1$d %%% % %%1$d%% %%%1$d%%',
+ 1,
+ true,
+ "1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1\$d{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1{$wpdb->placeholder_escape()}",
+ ),
+ array(
+ '%-5s',
+ 'foo',
+ false,
+ 'foo ',
+ ),
+ array(
+ '%05s',
+ 'foo',
+ false,
+ '00foo',
+ ),
+ array(
+ "%'#5s",
+ 'foo',
+ false,
+ '##foo',
+ ),
+ array(
+ '%.3s',
+ 'foobar',
+ false,
+ 'foo',
+ ),
+ array(
+ '%.3f',
+ 5.123456,
+ false,
+ '5.123',
+ ),
+ array(
+ '%.3f',
+ 5.12,
+ false,
+ '5.120',
+ ),
+ array(
+ '%s',
+ ' %s ',
+ false,
+ "' {$wpdb->placeholder_escape()}s '",
+ ),
+ array(
+ '%1$s',
+ ' %s ',
+ false,
+ " {$wpdb->placeholder_escape()}s ",
+ ),
+ array(
+ '%1$s',
+ ' %1$s ',
+ false,
+ " {$wpdb->placeholder_escape()}1\$s ",
+ ),
+ array(
+ '%d %1$d %%% %',
+ 1,
+ true,
+ "1 1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}",
+ ),
+ array(
+ '%d %2$s',
+ array( 1, 'hello' ),
+ false,
+ "1 hello",
+ ),
+ array(
+ "'%s'",
+ 'hello',
+ false,
+ "'hello'",
+ ),
+ array(
+ '"%s"',
+ 'hello',
+ false,
+ "'hello'",
+ ),
+ array(
+ "%s '%1\$s'",
+ 'hello',
+ true,
+ "'hello' 'hello'",
+ ),
+ array(
+ "%s '%1\$s'",
+ 'hello',
+ true,
+ "'hello' 'hello'",
+ ),
+ array(
+ '%s "%1$s"',
+ 'hello',
+ true,
+ "'hello' \"hello\"",
+ ),
+ array(
+ "%%s %%'%1\$s'",
+ 'hello',
+ false,
+ "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}'hello'",
+ ),
+ array(
+ '%%s %%"%1$s"',
+ 'hello',
+ false,
+ "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}\"hello\"",
+ ),
+ array(
+ '%s',
+ ' % s ',
+ false,
+ "' {$wpdb->placeholder_escape()} s '",
+ ),
+ array(
+ '%%f %%"%1$f"',
+ 3,
+ false,
+ "{$wpdb->placeholder_escape()}f {$wpdb->placeholder_escape()}\"3.000000\"",
+ ),
+ array(
+ 'WHERE second=\'%2$s\' AND first=\'%1$s\'',
+ array( 'first arg', 'second arg' ),
+ false,
+ "WHERE second='second arg' AND first='first arg'",
+ ),
+ array(
+ 'WHERE second=%2$d AND first=%1$d',
+ array( 1, 2 ),
+ false,
+ "WHERE second=2 AND first=1",
+ ),
+ array(
+ "'%'%%s",
+ 'hello',
+ true,
+ "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s",
+ ),
+ array(
+ "'%'%%s%s",
+ 'hello',
+ false,
+ "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s'hello'",
+ ),
+ array(
+ "'%'%%s %s",
+ 'hello',
+ false,
+ "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s 'hello'",
+ ),
+ array(
+ "'%-'#5s' '%'#-+-5s'",
+ array( 'hello', 'foo' ),
+ false,
+ "'hello' 'foo##'",
+ ),
+ );
+ }
+
+ /**
+ * @dataProvider data_escape_and_prepare
+ */
+ function test_escape_and_prepare( $escape, $sql, $values, $incorrect_usage, $expected ) {
+ global $wpdb;
+
+ if ( $incorrect_usage ) {
+ $this->setExpectedIncorrectUsage( 'wpdb::prepare' );
+ }
+
+ $escape = esc_sql( $escape );
+
+ $sql = str_replace( '{ESCAPE}', $escape, $sql );
+
+ $actual = $wpdb->prepare( $sql, $values );
+
+ $this->assertEquals( $expected, $actual );
+ }
+
+ function data_escape_and_prepare() {
+ global $wpdb;
+ return array(
+ array(
+ '%s', // String to pass through esc_url()
+ ' {ESCAPE} ', // Query to insert the output of esc_url() into, replacing "{ESCAPE}"
+ 'foo', // Data to send to prepare()
+ true, // Whether to expect an incorrect usage error or not
+ " {$wpdb->placeholder_escape()}s ", // Expected output
+ ),
+ array(
+ 'foo%sbar',
+ "SELECT * FROM bar WHERE foo='{ESCAPE}' OR baz=%s",
+ array( ' SQLi -- -', 'pewpewpew' ),
+ true,
+ null,
+ ),
+ array(
+ '%s',
+ ' %s {ESCAPE} ',
+ 'foo',
+ false,
+ " 'foo' {$wpdb->placeholder_escape()}s ",
+ ),
+ );
+ }
+
+ /**
+ * @expectedIncorrectUsage wpdb::prepare
+ */
+ function test_double_prepare() {
+ global $wpdb;
+
+ $part = $wpdb->prepare( ' AND meta_value = %s', ' %s ' );
+ $this->assertNotContains( '%s', $part );
+ $query = $wpdb->prepare( 'SELECT * FROM {$wpdb->postmeta} WHERE meta_key = %s $part', array( 'foo', 'bar' ) );
+ $this->assertNull( $query );
+ }
+
+ function test_prepare_numeric_placeholders_float_args() {
+ global $wpdb;
+
+ $actual = $wpdb->prepare(
+ 'WHERE second=%2$f AND first=%1$f',
+ 1.1,
+ 2.2
+ );
+
+ /* Floats can be right padded, need to assert differently */
+ $this->assertContains( ' first=1.1', $actual );
+ $this->assertContains( ' second=2.2', $actual );
+ }
+
+ function test_prepare_numeric_placeholders_float_array() {
+ global $wpdb;
+
+ $actual = $wpdb->prepare(
+ 'WHERE second=%2$f AND first=%1$f',
+ array( 1.1, 2.2 )
+ );
+
+ /* Floats can be right padded, need to assert differently */
+ $this->assertContains( ' first=1.1', $actual );
+ $this->assertContains( ' second=2.2', $actual );
+ }
+
+ function test_query_unescapes_placeholders() {
+ global $wpdb;
+
+ $value = ' %s ';
+
+ $wpdb->query( "CREATE TABLE {$wpdb->prefix}test_placeholder( a VARCHAR(100) );" );
+ $sql = $wpdb->prepare( "INSERT INTO {$wpdb->prefix}test_placeholder VALUES(%s)", $value );
+ $wpdb->query( $sql );
+
+ $actual = $wpdb->get_var( "SELECT a FROM {$wpdb->prefix}test_placeholder" );
+
+ $wpdb->query( "DROP TABLE {$wpdb->prefix}test_placeholder" );
+
+ $this->assertNotContains( '%s', $sql );
+ $this->assertEquals( $value, $actual );
+ }
+
+ function test_esc_sql_with_unsupported_placeholder_type() {
+ global $wpdb;
+
+ $sql = $wpdb->prepare( ' %s %1$c ', 'foo' );
+ $sql = $wpdb->prepare( " $sql %s ", 'foo' );
+
+ $this->assertEquals( " 'foo' {$wpdb->placeholder_escape()}1\$c 'foo' ", $sql );
+ }
+
+ /**
</ins><span class="cx" style="display: block; padding: 0 10px"> * @dataProvider parse_db_host_data_provider
</span><span class="cx" style="display: block; padding: 0 10px"> * @ticket 41722
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span></span></pre></div>
<a id="trunktestsphpunittestsrestapirestpostscontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php 2017-10-31 09:13:09 UTC (rev 42055)
+++ trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php 2017-10-31 11:59:43 UTC (rev 42056)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -85,7 +85,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> global $wpdb;
</span><span class="cx" style="display: block; padding: 0 10px"> $expected_clause = str_replace( '{posts}', $wpdb->posts, $pattern );
</span><span class="cx" style="display: block; padding: 0 10px"> $this->assertCount( 1, $this->posts_clauses );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertEquals( $expected_clause, $this->posts_clauses[0][ $clause ] );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertEquals( $expected_clause, $wpdb->remove_placeholder_escape( $this->posts_clauses[0][ $clause ] ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> public function assertPostsOrderedBy( $pattern ) {
</span></span></pre></div>
<a id="trunkwptestsconfigsamplephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: trunk/wp-tests-config-sample.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- trunk/wp-tests-config-sample.php 2017-10-31 09:13:09 UTC (rev 42055)
+++ trunk/wp-tests-config-sample.php 2017-10-31 11:59:43 UTC (rev 42056)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -38,6 +38,21 @@
</span><span class="cx" style="display: block; padding: 0 10px"> define( 'DB_CHARSET', 'utf8' );
</span><span class="cx" style="display: block; padding: 0 10px"> define( 'DB_COLLATE', '' );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+/**#@+
+ * Authentication Unique Keys and Salts.
+ *
+ * Change these to different unique phrases!
+ * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
+ */
+define('AUTH_KEY', 'put your unique phrase here');
+define('SECURE_AUTH_KEY', 'put your unique phrase here');
+define('LOGGED_IN_KEY', 'put your unique phrase here');
+define('NONCE_KEY', 'put your unique phrase here');
+define('AUTH_SALT', 'put your unique phrase here');
+define('SECURE_AUTH_SALT', 'put your unique phrase here');
+define('LOGGED_IN_SALT', 'put your unique phrase here');
+define('NONCE_SALT', 'put your unique phrase here');
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $table_prefix = 'wptests_'; // Only numbers, letters, and underscores please!
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> define( 'WP_TESTS_DOMAIN', 'example.org' );
</span></span></pre>
</div>
</div>
</body>
</html>