<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[42064] branches/4.1: Database: Restore numbered placeholders in `wpdb::prepare()`.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/42064">42064</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/42064","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>pento</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2017-10-31 12:52:03 +0000 (Tue, 31 Oct 2017)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Database: Restore numbered placeholders in `wpdb::prepare()`.
<a href="https://core.trac.wordpress.org/changeset/41496">[41496]</a> removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.
This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.
Merges <a href="https://core.trac.wordpress.org/changeset/41662">[41662]</a>, <a href="https://core.trac.wordpress.org/changeset/42056">[42056]</a> to the 4.2 branch.
See <a href="https://core.trac.wordpress.org/ticket/41925">#41925</a>.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branches41srcwpincludespostphp">branches/4.1/src/wp-includes/post.php</a></li>
<li><a href="#branches41srcwpincludeswpdbphp">branches/4.1/src/wp-includes/wp-db.php</a></li>
<li><a href="#branches41testsphpunitincludestestcasephp">branches/4.1/tests/phpunit/includes/testcase.php</a></li>
<li><a href="#branches41testsphpunittestsdatequeryphp">branches/4.1/tests/phpunit/tests/date/query.php</a></li>
<li><a href="#branches41testsphpunittestsdbphp">branches/4.1/tests/phpunit/tests/db.php</a></li>
<li><a href="#branches41wptestsconfigsamplephp">branches/4.1/wp-tests-config-sample.php</a></li>
</ul>
<h3>Property Changed</h3>
<ul>
<li><a href="#branches41">branches/4.1/</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<span class="cx" style="display: block; padding: 0 10px">Index: branches/4.1
</span><span class="cx" style="display: block; padding: 0 10px">===================================================================
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">--- branches/4.1 2017-10-31 12:50:23 UTC (rev 42063)
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+++ branches/4.1 2017-10-31 12:52:03 UTC (rev 42064)
</ins><a id="branches41"></a>
<div class="propset"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Property changes: branches/4.1</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: svn:mergeinfo</h4></div>
<span class="cx" style="display: block; padding: 0 10px"> /branches/4.4:41434
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/4.5:41415-41416
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/4.6:38615,41414
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-/trunk:30801-30813,30817,30821,30823-30824,30828-30847,30849,30852-30857,30860,30865-30869,30871-30874,30879,30884-30891,30893,30896-30897,30899-30901,30903,30905,30907,30910,30912,30921,30929,30932,30944-30946,30951-30956,30961,30967,30971,30985,30991,30993,31010,31023,31071,31073,31140,31179-31180,31203,31251,31258-31259,31273,31329,31339,31342,31360,31362,31386,31390,31429,31432,33124,33142,36083,36435,37651,38524,39645,39659,39759,39772,39795,39807-39808,39831,39850,39956,40148,40160,40169,40183,40241,40400,40538,40604,40677,40692,40704,40723,40736,41072,41393,41395,41398,41457,41470,41483,41496,41522
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+/trunk:30801-30813,30817,30821,30823-30824,30828-30847,30849,30852-30857,30860,30865-30869,30871-30874,30879,30884-30891,30893,30896-30897,30899-30901,30903,30905,30907,30910,30912,30921,30929,30932,30944-30946,30951-30956,30961,30967,30971,30985,30991,30993,31010,31023,31071,31073,31140,31179-31180,31203,31251,31258-31259,31273,31329,31339,31342,31360,31362,31386,31390,31429,31432,33124,33142,36083,36435,37651,38524,39645,39659,39759,39772,39795,39807-39808,39831,39850,39956,40148,40160,40169,40183,40241,40400,40538,40604,40677,40692,40704,40723,40736,41072,41393,41395,41398,41457,41470,41483,41496,41522,41662,42056
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><a id="branches41srcwpincludespostphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/4.1/src/wp-includes/post.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/4.1/src/wp-includes/post.php 2017-10-31 12:50:23 UTC (rev 42063)
+++ branches/4.1/src/wp-includes/post.php 2017-10-31 12:52:03 UTC (rev 42064)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -4176,10 +4176,10 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $page_path = str_replace('%2F', '/', $page_path);
</span><span class="cx" style="display: block; padding: 0 10px"> $page_path = str_replace('%20', ' ', $page_path);
</span><span class="cx" style="display: block; padding: 0 10px"> $parts = explode( '/', trim( $page_path, '/' ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $parts = esc_sql( $parts );
</del><span class="cx" style="display: block; padding: 0 10px"> $parts = array_map( 'sanitize_title_for_query', $parts );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $escaped_parts = esc_sql( $parts );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $in_string = "'" . implode( "','", $parts ) . "'";
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $in_string = "'" . implode( "','", $escaped_parts ) . "'";
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> if ( is_array( $post_type ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $post_types = $post_type;
</span></span></pre></div>
<a id="branches41srcwpincludeswpdbphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/4.1/src/wp-includes/wp-db.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/4.1/src/wp-includes/wp-db.php 2017-10-31 12:50:23 UTC (rev 42063)
+++ branches/4.1/src/wp-includes/wp-db.php 2017-10-31 12:52:03 UTC (rev 42064)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1076,19 +1076,22 @@
</span><span class="cx" style="display: block; padding: 0 10px"> function _real_escape( $string ) {
</span><span class="cx" style="display: block; padding: 0 10px"> if ( $this->dbh ) {
</span><span class="cx" style="display: block; padding: 0 10px"> if ( $this->use_mysqli ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return mysqli_real_escape_string( $this->dbh, $string );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $escaped = mysqli_real_escape_string( $this->dbh, $string );
</ins><span class="cx" style="display: block; padding: 0 10px"> } else {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return mysql_real_escape_string( $string, $this->dbh );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $escaped = mysql_real_escape_string( $string, $this->dbh );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ } else {
+ $class = get_class( $this );
+ if ( function_exists( '__' ) ) {
+ /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */
+ _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' );
+ } else {
+ _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' );
+ }
+ $escaped = addslashes( $string );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $class = get_class( $this );
- if ( function_exists( '__' ) ) {
- _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), E_USER_NOTICE );
- } else {
- _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), E_USER_NOTICE );
- }
- return addslashes( $string );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ return $this->add_placeholder_escape( $escaped );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1162,68 +1165,120 @@
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="cx" style="display: block; padding: 0 10px"> * Prepares a SQL query for safe execution. Uses sprintf()-like syntax.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * The following directives can be used in the query format string:
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * The following placeholders can be used in the query string:
</ins><span class="cx" style="display: block; padding: 0 10px"> * %d (integer)
</span><span class="cx" style="display: block; padding: 0 10px"> * %f (float)
</span><span class="cx" style="display: block; padding: 0 10px"> * %s (string)
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * %% (literal percentage sign - no argument needed)
</del><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * All of %d, %f, and %s are to be left unquoted in the query string and they need an argument passed for them.
- * Literals (%) as parts of the query must be properly written as %%.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * All placeholders MUST be left unquoted in the query string. A corresponding argument MUST be passed for each placeholder.
</ins><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * This function only supports a small subset of the sprintf syntax; it only supports %d (integer), %f (float), and %s (string).
- * Does not support sign, padding, alignment, width or precision specifiers.
- * Does not support argument numbering/swapping.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * For compatibility with old behavior, numbered or formatted string placeholders (eg, %1$s, %5s) will not have quotes
+ * added by this function, so should be passed with appropriate quotes around them for your usage.
</ins><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * May be called like {@link http://php.net/sprintf sprintf()} or like {@link http://php.net/vsprintf vsprintf()}.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Literal percentage signs (%) in the query string must be written as %%. Percentage wildcards (for example,
+ * to use in LIKE syntax) must be passed via a substitution argument containing the complete LIKE string, these
+ * cannot be inserted directly in the query string. Also see {@see esc_like()}.
</ins><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * Both %d and %s should be left unquoted in the query string.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination
+ * of the two is not supported.
</ins><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", 'foo', 1337 )
- * wpdb::prepare( "SELECT DATE_FORMAT(`field`, '%%c') FROM `table` WHERE `column` = %s", 'foo' );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Examples:
+ * $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d OR `other_field` LIKE %s", array( 'foo', 1337, '%bar' ) );
+ * $wpdb->prepare( "SELECT DATE_FORMAT(`field`, '%%c') FROM `table` WHERE `column` = %s", 'foo' );
</ins><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * @link http://php.net/sprintf Description of syntax.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @link https://secure.php.net/sprintf Description of syntax.
</ins><span class="cx" style="display: block; padding: 0 10px"> * @since 2.3.0
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * @param string $query Query statement with sprintf()-like placeholders
- * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called like
- * {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if
- * being called like {@link http://php.net/sprintf sprintf()}.
- * @param mixed $args,... further variables to substitute into the query's placeholders if being called like
- * {@link http://php.net/sprintf sprintf()}.
- * @return null|false|string Sanitized query string, null if there is no query, false if there is an error and string
- * if there was something to prepare
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @param string $query Query statement with sprintf()-like placeholders
+ * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called with an array of arguments,
+ * or the first variable to substitute into the query's placeholders if being called with individual arguments.
+ * @param mixed $args,... further variables to substitute into the query's placeholders if being called wih individual arguments.
+ * @return string|void Sanitized query string, if there is a query to prepare.
</ins><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> public function prepare( $query, $args ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( is_null( $query ) )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( is_null( $query ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return;
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // This is not meant to be foolproof -- but it will catch obviously incorrect usage.
</span><span class="cx" style="display: block; padding: 0 10px"> if ( strpos( $query, '%' ) === false ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'The query argument of %s must have a placeholder.' ), 'wpdb::prepare()' ), '3.9' );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ wp_load_translations_early();
+ _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'The query argument of %s must have a placeholder.' ), 'wpdb::prepare()' ), '3.9.0' );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $args = func_get_args();
</span><span class="cx" style="display: block; padding: 0 10px"> array_shift( $args );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- // If args were passed as an array (as in vsprintf), move them up
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ // If args were passed as an array (as in vsprintf), move them up.
+ $passed_as_array = false;
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( is_array( $args[0] ) && count( $args ) == 1 ) {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $passed_as_array = true;
</ins><span class="cx" style="display: block; padding: 0 10px"> $args = $args[0];
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> foreach ( $args as $arg ) {
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! is_scalar( $arg ) && ! is_null( $arg ) ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- _doing_it_wrong( 'wpdb::prepare', sprintf( 'Unsupported value type (%s).', gettype( $arg ) ), '4.1.19' );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ wp_load_translations_early();
+ _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'Unsupported value type (%s).' ), gettype( $arg ) ), '4.8.2' );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
- $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
- $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
- $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
- $query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query ); // escape any unescaped percents
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /*
+ * Specify the formatting allowed in a placeholder. The following are allowed:
+ *
+ * - Sign specifier. eg, $+d
+ * - Numbered placeholders. eg, %1$s
+ * - Padding specifier, including custom padding characters. eg, %05s, %'#5s
+ * - Alignment specifier. eg, %05-s
+ * - Precision specifier. eg, %.2f
+ */
+ $allowed_format = '(?:[1-9][0-9]*[$])?[-+0-9]*(?: |0|\'.)?[-+0-9]*(?:\.[0-9]+)?';
+
+ /*
+ * If a %s placeholder already has quotes around it, removing the existing quotes and re-inserting them
+ * ensures the quotes are consistent.
+ *
+ * For backwards compatibility, this is only applied to %s, and not to placeholders like %1$s, which are frequently
+ * used in the middle of longer strings, or as table name placeholders.
+ */
+ $query = str_replace( "'%s'", '%s', $query ); // Strip any existing single quotes.
+ $query = str_replace( '"%s"', '%s', $query ); // Strip any existing double quotes.
+ $query = preg_replace( '/(?<!%)%s/', "'%s'", $query ); // Quote the strings, avoiding escaped strings like %%s.
+
+ $query = preg_replace( "/(?<!%)(%($allowed_format)?f)/" , '%\\2F', $query ); // Force floats to be locale unaware.
+
+ $query = preg_replace( "/%(?:%|$|(?!($allowed_format)?[sdF]))/", '%%\\1', $query ); // Escape any unescaped percents.
+
+ // Count the number of valid placeholders in the query.
+ $placeholders = preg_match_all( "/(^|[^%]|(%%)+)%($allowed_format)?[sdF]/", $query, $matches );
+
+ if ( count( $args ) !== $placeholders ) {
+ if ( 1 === $placeholders && $passed_as_array ) {
+ // If the passed query only expected one argument, but the wrong number of arguments were sent as an array, bail.
+ wp_load_translations_early();
+ _doing_it_wrong( 'wpdb::prepare', __( 'The query only expected one placeholder, but an array of multiple placeholders was sent.' ), '4.9.0' );
+
+ return;
+ } else {
+ /*
+ * If we don't have the right number of placeholders, but they were passed as individual arguments,
+ * or we were expecting multiple arguments in an array, throw a warning.
+ */
+ wp_load_translations_early();
+ _doing_it_wrong( 'wpdb::prepare',
+ /* translators: 1: number of placeholders, 2: number of arguments passed */
+ sprintf( __( 'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).' ),
+ $placeholders,
+ count( $args ) ),
+ '4.8.3'
+ );
+ }
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> array_walk( $args, array( $this, 'escape_by_ref' ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return @vsprintf( $query, $args );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $query = @vsprintf( $query, $args );
+
+ return $this->add_placeholder_escape( $query );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1739,6 +1794,64 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Generates and returns a placeholder escape string for use in queries returned by ::prepare().
+ *
+ * @since 4.8.3
+ *
+ * @return string String to escape placeholders.
+ */
+ public function placeholder_escape() {
+ static $placeholder;
+
+ if ( ! $placeholder ) {
+ // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
+ $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
+ // Old WP installs may not have AUTH_SALT defined.
+ $salt = defined( 'AUTH_SALT' ) ? AUTH_SALT : rand();
+
+ $placeholder = '{' . hash_hmac( $algo, uniqid( $salt, true ), $salt ) . '}';
+ }
+
+ /*
+ * Add the filter to remove the placeholder escaper. Uses priority 0, so that anything
+ * else attached to this filter will recieve the query with the placeholder string removed.
+ */
+ if ( ! has_filter( 'query', array( $this, 'remove_placeholder_escape' ) ) ) {
+ add_filter( 'query', array( $this, 'remove_placeholder_escape' ), 0 );
+ }
+
+ return $placeholder;
+ }
+
+ /**
+ * Adds a placeholder escape string, to escape anything that resembles a printf() placeholder.
+ *
+ * @since 4.8.3
+ *
+ * @param string $query The query to escape.
+ * @return string The query with the placeholder escape string inserted where necessary.
+ */
+ public function add_placeholder_escape( $query ) {
+ /*
+ * To prevent returning anything that even vaguely resembles a placeholder,
+ * we clobber every % we can find.
+ */
+ return str_replace( '%', $this->placeholder_escape(), $query );
+ }
+
+ /**
+ * Removes the placeholder escape strings from a query.
+ *
+ * @since 4.8.3
+ *
+ * @param string $query The query from which the placeholder will be removed.
+ * @return string The query with the placeholder removed.
+ */
+ public function remove_placeholder_escape( $query ) {
+ return str_replace( $this->placeholder_escape(), '%', $query );
+ }
+
+ /**
</ins><span class="cx" style="display: block; padding: 0 10px"> * Insert a row into a table.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * wpdb::insert( 'table', array( 'column' => 'foo', 'field' => 'bar' ) )
</span></span></pre></div>
<a id="branches41testsphpunitincludestestcasephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/4.1/tests/phpunit/includes/testcase.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/4.1/tests/phpunit/includes/testcase.php 2017-10-31 12:50:23 UTC (rev 42063)
+++ branches/4.1/tests/phpunit/includes/testcase.php 2017-10-31 12:52:03 UTC (rev 42064)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -256,6 +256,18 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /**
+ * Declare an expected `_doing_it_wrong()` call from within a test.
+ *
+ * @since 4.2.0
+ *
+ * @param string $deprecated Name of the function, method, or class that appears in the first argument of the
+ * source `_doing_it_wrong()` call.
+ */
+ public function setExpectedIncorrectUsage( $doing_it_wrong ) {
+ array_push( $this->expected_doing_it_wrong, $doing_it_wrong );
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> function deprecated_function_run( $function ) {
</span><span class="cx" style="display: block; padding: 0 10px"> if ( ! in_array( $function, $this->caught_deprecated ) )
</span><span class="cx" style="display: block; padding: 0 10px"> $this->caught_deprecated[] = $function;
</span></span></pre></div>
<a id="branches41testsphpunittestsdatequeryphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/4.1/tests/phpunit/tests/date/query.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/4.1/tests/phpunit/tests/date/query.php 2017-10-31 12:50:23 UTC (rev 42063)
+++ branches/4.1/tests/phpunit/tests/date/query.php 2017-10-31 12:52:03 UTC (rev 42064)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -601,33 +601,36 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_build_time_query_hour_minute() {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px"> $q = new WP_Date_Query( array() );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $found = $q->build_time_query( 'post_date', '=', 5, 15 );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // $compare value is floating point - use regex to account for
</span><span class="cx" style="display: block; padding: 0 10px"> // varying precision on different PHP installations
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $found );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $wpdb->remove_placeholder_escape( $found ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_build_time_query_hour_minute_second() {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px"> $q = new WP_Date_Query( array() );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $found = $q->build_time_query( 'post_date', '=', 5, 15, 35 );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // $compare value is floating point - use regex to account for
</span><span class="cx" style="display: block; padding: 0 10px"> // varying precision on different PHP installations
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $found );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $wpdb->remove_placeholder_escape( $found ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_build_time_query_minute_second() {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px"> $q = new WP_Date_Query( array() );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $found = $q->build_time_query( 'post_date', '=', null, 15, 35 );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // $compare value is floating point - use regex to account for
</span><span class="cx" style="display: block; padding: 0 10px"> // varying precision on different PHP installations
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $found );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $wpdb->remove_placeholder_escape( $found ) );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span></span></pre></div>
<a id="branches41testsphpunittestsdbphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/4.1/tests/phpunit/tests/db.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/4.1/tests/phpunit/tests/db.php 2017-10-31 12:50:23 UTC (rev 42063)
+++ branches/4.1/tests/phpunit/tests/db.php 2017-10-31 12:52:03 UTC (rev 42064)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -269,6 +269,9 @@
</span><span class="cx" style="display: block; padding: 0 10px"> public function test_double_escaped_placeholders() {
</span><span class="cx" style="display: block; padding: 0 10px"> global $wpdb;
</span><span class="cx" style="display: block; padding: 0 10px"> $sql = $wpdb->prepare( "UPDATE test_table SET string_column = '%%f is a float, %%d is an int %d, %%s is a string', field = %s", 3, '4' );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $this->assertContains( $wpdb->placeholder_escape(), $sql );
+
+ $sql = $wpdb->remove_placeholder_escape( $sql );
</ins><span class="cx" style="display: block; padding: 0 10px"> $this->assertEquals( "UPDATE test_table SET string_column = '%f is a float, %d is an int 3, %s is a string', field = '4'", $sql );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -373,8 +376,8 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- function test_prepare_vsprintf() {
- global $wpdb;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ function test_prepare_vsprintf() {
+ global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ) );
</span><span class="cx" style="display: block; padding: 0 10px"> $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -391,8 +394,75 @@
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( array( 1 ), "admin" ) );
</span><span class="cx" style="display: block; padding: 0 10px"> $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ }
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /**
+ * @ticket 42040
+ * @dataProvider data_prepare_incorrect_arg_count
+ * @expectedIncorrectUsage wpdb::prepare
+ */
+ public function test_prepare_incorrect_arg_count( $query, $args, $expected ) {
+ global $wpdb;
+
+ // $query is the first argument to be passed to wpdb::prepare()
+ array_unshift( $args, $query );
+
+ $prepared = @call_user_func_array( array( $wpdb, 'prepare' ), $args );
+ $this->assertEquals( $expected, $prepared );
+ }
+
+ public function data_prepare_incorrect_arg_count() {
+ global $wpdb;
+
+ return array(
+ array(
+ "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", // Query
+ array( 1, "admin", "extra-arg" ), // ::prepare() args, to be passed via call_user_func_array
+ "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", // Expected output
+ ),
+ array(
+ "SELECT * FROM $wpdb->users WHERE id = %%%d AND user_login = %s",
+ array( 1 ),
+ false,
+ ),
+ array(
+ "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s",
+ array( array( 1, "admin", "extra-arg" ) ),
+ "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'",
+ ),
+ array(
+ "SELECT * FROM $wpdb->users WHERE id = %d AND %% AND user_login = %s",
+ array( 1, "admin", "extra-arg" ),
+ "SELECT * FROM $wpdb->users WHERE id = 1 AND {$wpdb->placeholder_escape()} AND user_login = 'admin'",
+ ),
+ array(
+ "SELECT * FROM $wpdb->users WHERE id = %%%d AND %F AND %f AND user_login = %s",
+ array( 1, 2.3, "4.5", "admin", "extra-arg" ),
+ "SELECT * FROM $wpdb->users WHERE id = {$wpdb->placeholder_escape()}1 AND 2.300000 AND 4.500000 AND user_login = 'admin'",
+ ),
+ array(
+ "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s",
+ array( array( 1 ), "admin", "extra-arg" ),
+ "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'",
+ ),
+ array(
+ "SELECT * FROM $wpdb->users WHERE id = %d and user_nicename = %s and user_status = %d and user_login = %s",
+ array( 1, "admin", 0 ),
+ '',
+ ),
+ array(
+ "SELECT * FROM $wpdb->users WHERE id = %d and user_nicename = %s and user_status = %d and user_login = %s",
+ array( array( 1, "admin", 0 ) ),
+ '',
+ ),
+ array(
+ "SELECT * FROM $wpdb->users WHERE id = %d and %% and user_login = %s and user_status = %d and user_login = %s",
+ array( 1, "admin", "extra-arg" ),
+ '',
+ ),
+ );
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> function test_db_version() {
</span><span class="cx" style="display: block; padding: 0 10px"> global $wpdb;
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -844,13 +914,327 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- *
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @dataProvider data_prepare_with_placeholders
</ins><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- function test_prepare_with_unescaped_percents() {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ function test_prepare_with_placeholders_and_individual_args( $sql, $values, $incorrect_usage, $expected) {
</ins><span class="cx" style="display: block; padding: 0 10px"> global $wpdb;
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $sql = $wpdb->prepare( '%d %1$d %%% %', 1 );
- $this->assertEquals( '1 %1$d %% %', $sql );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( $incorrect_usage ) {
+ $this->setExpectedIncorrectUsage( 'wpdb::prepare' );
+ }
+
+ if ( ! is_array( $values ) ) {
+ $values = array( $values );
+ }
+
+ array_unshift( $values, $sql );
+
+ $sql = call_user_func_array( array( $wpdb, 'prepare' ), $values );
+ $this->assertEquals( $expected, $sql );
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+ /**
+ * @dataProvider data_prepare_with_placeholders
+ */
+ function test_prepare_with_placeholders_and_array_args( $sql, $values, $incorrect_usage, $expected) {
+ global $wpdb;
+
+ if ( $incorrect_usage ) {
+ $this->setExpectedIncorrectUsage( 'wpdb::prepare' );
+ }
+
+ if ( ! is_array( $values ) ) {
+ $values = array( $values );
+ }
+
+ $sql = call_user_func_array( array( $wpdb, 'prepare' ), array( $sql, $values ) );
+ $this->assertEquals( $expected, $sql );
+ }
+
+ function data_prepare_with_placeholders() {
+ global $wpdb;
+
+ return array(
+ array(
+ '%5s', // SQL to prepare
+ 'foo', // Value to insert in the SQL
+ false, // Whether to expect an incorrect usage error or not
+ ' foo', // Expected output
+ ),
+ array(
+ '%1$d %%% % %%1$d%% %%%1$d%%',
+ 1,
+ true,
+ "1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1\$d{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1{$wpdb->placeholder_escape()}",
+ ),
+ array(
+ '%-5s',
+ 'foo',
+ false,
+ 'foo ',
+ ),
+ array(
+ '%05s',
+ 'foo',
+ false,
+ '00foo',
+ ),
+ array(
+ "%'#5s",
+ 'foo',
+ false,
+ '##foo',
+ ),
+ array(
+ '%.3s',
+ 'foobar',
+ false,
+ 'foo',
+ ),
+ array(
+ '%.3f',
+ 5.123456,
+ false,
+ '5.123',
+ ),
+ array(
+ '%.3f',
+ 5.12,
+ false,
+ '5.120',
+ ),
+ array(
+ '%s',
+ ' %s ',
+ false,
+ "' {$wpdb->placeholder_escape()}s '",
+ ),
+ array(
+ '%1$s',
+ ' %s ',
+ false,
+ " {$wpdb->placeholder_escape()}s ",
+ ),
+ array(
+ '%1$s',
+ ' %1$s ',
+ false,
+ " {$wpdb->placeholder_escape()}1\$s ",
+ ),
+ array(
+ '%d %1$d %%% %',
+ 1,
+ true,
+ "1 1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}",
+ ),
+ array(
+ '%d %2$s',
+ array( 1, 'hello' ),
+ false,
+ "1 hello",
+ ),
+ array(
+ "'%s'",
+ 'hello',
+ false,
+ "'hello'",
+ ),
+ array(
+ '"%s"',
+ 'hello',
+ false,
+ "'hello'",
+ ),
+ array(
+ "%s '%1\$s'",
+ 'hello',
+ true,
+ "'hello' 'hello'",
+ ),
+ array(
+ "%s '%1\$s'",
+ 'hello',
+ true,
+ "'hello' 'hello'",
+ ),
+ array(
+ '%s "%1$s"',
+ 'hello',
+ true,
+ "'hello' \"hello\"",
+ ),
+ array(
+ "%%s %%'%1\$s'",
+ 'hello',
+ false,
+ "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}'hello'",
+ ),
+ array(
+ '%%s %%"%1$s"',
+ 'hello',
+ false,
+ "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}\"hello\"",
+ ),
+ array(
+ '%s',
+ ' % s ',
+ false,
+ "' {$wpdb->placeholder_escape()} s '",
+ ),
+ array(
+ '%%f %%"%1$f"',
+ 3,
+ false,
+ "{$wpdb->placeholder_escape()}f {$wpdb->placeholder_escape()}\"3.000000\"",
+ ),
+ array(
+ 'WHERE second=\'%2$s\' AND first=\'%1$s\'',
+ array( 'first arg', 'second arg' ),
+ false,
+ "WHERE second='second arg' AND first='first arg'",
+ ),
+ array(
+ 'WHERE second=%2$d AND first=%1$d',
+ array( 1, 2 ),
+ false,
+ "WHERE second=2 AND first=1",
+ ),
+ array(
+ "'%'%%s",
+ 'hello',
+ true,
+ "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s",
+ ),
+ array(
+ "'%'%%s%s",
+ 'hello',
+ false,
+ "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s'hello'",
+ ),
+ array(
+ "'%'%%s %s",
+ 'hello',
+ false,
+ "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s 'hello'",
+ ),
+ array(
+ "'%-'#5s' '%'#-+-5s'",
+ array( 'hello', 'foo' ),
+ false,
+ "'hello' 'foo##'",
+ ),
+ );
+ }
+
+ /**
+ * @dataProvider data_escape_and_prepare
+ */
+ function test_escape_and_prepare( $escape, $sql, $values, $incorrect_usage, $expected ) {
+ global $wpdb;
+
+ if ( $incorrect_usage ) {
+ $this->setExpectedIncorrectUsage( 'wpdb::prepare' );
+ }
+
+ $escape = esc_sql( $escape );
+
+ $sql = str_replace( '{ESCAPE}', $escape, $sql );
+
+ $actual = $wpdb->prepare( $sql, $values );
+
+ $this->assertEquals( $expected, $actual );
+ }
+
+ function data_escape_and_prepare() {
+ global $wpdb;
+ return array(
+ array(
+ '%s', // String to pass through esc_url()
+ ' {ESCAPE} ', // Query to insert the output of esc_url() into, replacing "{ESCAPE}"
+ 'foo', // Data to send to prepare()
+ true, // Whether to expect an incorrect usage error or not
+ " {$wpdb->placeholder_escape()}s ", // Expected output
+ ),
+ array(
+ 'foo%sbar',
+ "SELECT * FROM bar WHERE foo='{ESCAPE}' OR baz=%s",
+ array( ' SQLi -- -', 'pewpewpew' ),
+ true,
+ null,
+ ),
+ array(
+ '%s',
+ ' %s {ESCAPE} ',
+ 'foo',
+ false,
+ " 'foo' {$wpdb->placeholder_escape()}s ",
+ ),
+ );
+ }
+
+ /**
+ * @expectedIncorrectUsage wpdb::prepare
+ */
+ function test_double_prepare() {
+ global $wpdb;
+
+ $part = $wpdb->prepare( ' AND meta_value = %s', ' %s ' );
+ $this->assertNotContains( '%s', $part );
+ $query = $wpdb->prepare( 'SELECT * FROM {$wpdb->postmeta} WHERE meta_key = %s $part', array( 'foo', 'bar' ) );
+ $this->assertNull( $query );
+ }
+
+ function test_prepare_numeric_placeholders_float_args() {
+ global $wpdb;
+
+ $actual = $wpdb->prepare(
+ 'WHERE second=%2$f AND first=%1$f',
+ 1.1,
+ 2.2
+ );
+
+ /* Floats can be right padded, need to assert differently */
+ $this->assertContains( ' first=1.1', $actual );
+ $this->assertContains( ' second=2.2', $actual );
+ }
+
+ function test_prepare_numeric_placeholders_float_array() {
+ global $wpdb;
+
+ $actual = $wpdb->prepare(
+ 'WHERE second=%2$f AND first=%1$f',
+ array( 1.1, 2.2 )
+ );
+
+ /* Floats can be right padded, need to assert differently */
+ $this->assertContains( ' first=1.1', $actual );
+ $this->assertContains( ' second=2.2', $actual );
+ }
+
+ function test_query_unescapes_placeholders() {
+ global $wpdb;
+
+ $value = ' %s ';
+
+ $wpdb->query( "CREATE TABLE {$wpdb->prefix}test_placeholder( a VARCHAR(100) );" );
+ $sql = $wpdb->prepare( "INSERT INTO {$wpdb->prefix}test_placeholder VALUES(%s)", $value );
+ $wpdb->query( $sql );
+
+ $actual = $wpdb->get_var( "SELECT a FROM {$wpdb->prefix}test_placeholder" );
+
+ $wpdb->query( "DROP TABLE {$wpdb->prefix}test_placeholder" );
+
+ $this->assertNotContains( '%s', $sql );
+ $this->assertEquals( $value, $actual );
+ }
+
+ function test_esc_sql_with_unsupported_placeholder_type() {
+ global $wpdb;
+
+ $sql = $wpdb->prepare( ' %s %1$c ', 'foo' );
+ $sql = $wpdb->prepare( " $sql %s ", 'foo' );
+
+ $this->assertEquals( " 'foo' {$wpdb->placeholder_escape()}1\$c 'foo' ", $sql );
+ }
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span></span></pre></div>
<a id="branches41wptestsconfigsamplephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/4.1/wp-tests-config-sample.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/4.1/wp-tests-config-sample.php 2017-10-31 12:50:23 UTC (rev 42063)
+++ branches/4.1/wp-tests-config-sample.php 2017-10-31 12:52:03 UTC (rev 42064)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -30,6 +30,21 @@
</span><span class="cx" style="display: block; padding: 0 10px"> define( 'DB_CHARSET', 'utf8' );
</span><span class="cx" style="display: block; padding: 0 10px"> define( 'DB_COLLATE', '' );
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+/**#@+
+ * Authentication Unique Keys and Salts.
+ *
+ * Change these to different unique phrases!
+ * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
+ */
+define('AUTH_KEY', 'put your unique phrase here');
+define('SECURE_AUTH_KEY', 'put your unique phrase here');
+define('LOGGED_IN_KEY', 'put your unique phrase here');
+define('NONCE_KEY', 'put your unique phrase here');
+define('AUTH_SALT', 'put your unique phrase here');
+define('SECURE_AUTH_SALT', 'put your unique phrase here');
+define('LOGGED_IN_SALT', 'put your unique phrase here');
+define('NONCE_SALT', 'put your unique phrase here');
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $table_prefix = 'wptests_'; // Only numbers, letters, and underscores please!
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> define( 'WP_TESTS_DOMAIN', 'example.org' );
</span></span></pre>
</div>
</div>
</body>
</html>