<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[42067] branches/3.8: Database: Restore numbered placeholders in `wpdb::prepare()`.</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/42067">42067</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/42067","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>pento</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2017-10-31 12:59:50 +0000 (Tue, 31 Oct 2017)</dd>
</dl>

<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Database: Restore numbered placeholders in `wpdb::prepare()`.

<a href="https://core.trac.wordpress.org/changeset/41496">[41496]</a> removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

Merges <a href="https://core.trac.wordpress.org/changeset/41662">[41662]</a>, <a href="https://core.trac.wordpress.org/changeset/42056">[42056]</a> to the 3.8 branch.
See <a href="https://core.trac.wordpress.org/ticket/41925">#41925</a>.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branches38srcwpincludespostphp">branches/3.8/src/wp-includes/post.php</a></li>
<li><a href="#branches38srcwpincludeswpdbphp">branches/3.8/src/wp-includes/wp-db.php</a></li>
<li><a href="#branches38testsphpunitincludestestcasephp">branches/3.8/tests/phpunit/includes/testcase.php</a></li>
<li><a href="#branches38testsphpunittestsdbphp">branches/3.8/tests/phpunit/tests/db.php</a></li>
<li><a href="#branches38wptestsconfigsamplephp">branches/3.8/wp-tests-config-sample.php</a></li>
</ul>

<h3>Property Changed</h3>
<ul>
<li><a href="#branches38">branches/3.8/</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<span class="cx" style="display: block; padding: 0 10px">Index: branches/3.8
</span><span class="cx" style="display: block; padding: 0 10px">===================================================================
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">--- branches/3.8 2017-10-31 12:56:57 UTC (rev 42066)
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+++ branches/3.8  2017-10-31 12:59:50 UTC (rev 42067)
</ins><a id="branches38"></a>
<div class="propset"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Property changes: branches/3.8</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: svn:mergeinfo</h4></div>
<span class="cx" style="display: block; padding: 0 10px"> /branches/4.4:41434
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/4.5:41415-41416
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/4.6:38615,41414
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-/trunk:26864,26874-26875,26885,26887-26888,26905,26919-26925,26928-26929,26932,26935,26952,26959,26961,26967,26970,26993,26999,27006-27007,27012,27021,27119,27134,27385,27511,27760,27822,27872,27905-27906,27928,27964,27975,27990,28053,28113,28129,29327,29378,29381-29382,29397,29404,29631,29783,30412,30417,30425,30430,30435,30438,30443,30458,30466,33124,33142,36083,36435,37651,38524,39645,39659,39759,39772,39795,39807-39808,39831,39850,39956,40148,40169,40183,40400,40604,40677,40692,40704,40723,40736,41393,41398,41457,41470,41483,41496,41522
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+/trunk:26864,26874-26875,26885,26887-26888,26905,26919-26925,26928-26929,26932,26935,26952,26959,26961,26967,26970,26993,26999,27006-27007,27012,27021,27119,27134,27385,27511,27760,27822,27872,27905-27906,27928,27964,27975,27990,28053,28113,28129,29327,29378,29381-29382,29397,29404,29631,29783,30412,30417,30425,30430,30435,30438,30443,30458,30466,33124,33142,36083,36435,37651,38524,39645,39659,39759,39772,39795,39807-39808,39831,39850,39956,40148,40169,40183,40400,40604,40677,40692,40704,40723,40736,41393,41398,41457,41470,41483,41496,41522,41662,42056
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><a id="branches38srcwpincludespostphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/3.8/src/wp-includes/post.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/3.8/src/wp-includes/post.php     2017-10-31 12:56:57 UTC (rev 42066)
+++ branches/3.8/src/wp-includes/post.php       2017-10-31 12:59:50 UTC (rev 42067)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -3501,10 +3501,10 @@
</span><span class="cx" style="display: block; padding: 0 10px">        $page_path = str_replace('%2F', '/', $page_path);
</span><span class="cx" style="display: block; padding: 0 10px">        $page_path = str_replace('%20', ' ', $page_path);
</span><span class="cx" style="display: block; padding: 0 10px">        $parts = explode( '/', trim( $page_path, '/' ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        $parts = esc_sql( $parts );
</del><span class="cx" style="display: block; padding: 0 10px">         $parts = array_map( 'sanitize_title_for_query', $parts );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        $escaped_parts = esc_sql( $parts );
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        $in_string = "'". implode( "','", $parts ) . "'";
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $in_string = "'". implode( "','", $escaped_parts ) . "'";
</ins><span class="cx" style="display: block; padding: 0 10px">         $post_type_sql = esc_sql( $post_type );
</span><span class="cx" style="display: block; padding: 0 10px">        $pages = $wpdb->get_results( "SELECT ID, post_name, post_parent, post_type FROM $wpdb->posts WHERE post_name IN ($in_string) AND (post_type = '$post_type_sql' OR post_type = 'attachment')", OBJECT_K );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span></span></pre></div>
<a id="branches38srcwpincludeswpdbphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/3.8/src/wp-includes/wp-db.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/3.8/src/wp-includes/wp-db.php    2017-10-31 12:56:57 UTC (rev 42066)
+++ branches/3.8/src/wp-includes/wp-db.php      2017-10-31 12:59:50 UTC (rev 42067)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -911,8 +911,9 @@
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * Real escape, using mysql_real_escape_string()
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * Real escape, using mysqli_real_escape_string() or mysql_real_escape_string()
</ins><span class="cx" style="display: block; padding: 0 10px">          *
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         * @see mysqli_real_escape_string()
</ins><span class="cx" style="display: block; padding: 0 10px">          * @see mysql_real_escape_string()
</span><span class="cx" style="display: block; padding: 0 10px">         * @since 2.8.0
</span><span class="cx" style="display: block; padding: 0 10px">         * @access private
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -921,12 +922,20 @@
</span><span class="cx" style="display: block; padding: 0 10px">         * @return string escaped
</span><span class="cx" style="display: block; padding: 0 10px">         */
</span><span class="cx" style="display: block; padding: 0 10px">        function _real_escape( $string ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                if ( $this->dbh )
-                       return mysql_real_escape_string( $string, $this->dbh );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         if ( $this->dbh ) {
+                       $escaped = mysql_real_escape_string( $string, $this->dbh );
+               } else {
+                       $class = get_class( $this );
+                       if ( function_exists( '__' ) ) {
+                               /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */
+                               _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' );
+                       } else {
+                               _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' );
+                       }
+                       $escaped = addslashes( $string );
+               }
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $class = get_class( $this );
-               _doing_it_wrong( $class, "$class must set a database connection for use with escaping.", E_USER_NOTICE );
-               return addslashes( $string );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         return $this->add_placeholder_escape( $escaped );
</ins><span class="cx" style="display: block; padding: 0 10px">         }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1000,65 +1009,120 @@
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><span class="cx" style="display: block; padding: 0 10px">         * Prepares a SQL query for safe execution. Uses sprintf()-like syntax.
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * The following directives can be used in the query format string:
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * The following placeholders can be used in the query string:
</ins><span class="cx" style="display: block; padding: 0 10px">          *   %d (integer)
</span><span class="cx" style="display: block; padding: 0 10px">         *   %f (float)
</span><span class="cx" style="display: block; padding: 0 10px">         *   %s (string)
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         *   %% (literal percentage sign - no argument needed)
</del><span class="cx" style="display: block; padding: 0 10px">          *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * All of %d, %f, and %s are to be left unquoted in the query string and they need an argument passed for them.
-        * Literals (%) as parts of the query must be properly written as %%.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * All placeholders MUST be left unquoted in the query string. A corresponding argument MUST be passed for each placeholder.
</ins><span class="cx" style="display: block; padding: 0 10px">          *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * This function only supports a small subset of the sprintf syntax; it only supports %d (integer), %f (float), and %s (string).
-        * Does not support sign, padding, alignment, width or precision specifiers.
-        * Does not support argument numbering/swapping.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * For compatibility with old behavior, numbered or formatted string placeholders (eg, %1$s, %5s) will not have quotes
+        * added by this function, so should be passed with appropriate quotes around them for your usage.
</ins><span class="cx" style="display: block; padding: 0 10px">          *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * May be called like {@link http://php.net/sprintf sprintf()} or like {@link http://php.net/vsprintf vsprintf()}.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * Literal percentage signs (%) in the query string must be written as %%. Percentage wildcards (for example,
+        * to use in LIKE syntax) must be passed via a substitution argument containing the complete LIKE string, these
+        * cannot be inserted directly in the query string. Also see {@see esc_like()}.
</ins><span class="cx" style="display: block; padding: 0 10px">          *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * Both %d and %s should be left unquoted in the query string.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination
+        * of the two is not supported.
</ins><span class="cx" style="display: block; padding: 0 10px">          *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * <code>
-        * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", 'foo', 1337 )
-        * wpdb::prepare( "SELECT DATE_FORMAT(`field`, '%%c') FROM `table` WHERE `column` = %s", 'foo' );
-        * </code>
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * Examples:
+        *     $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d OR `other_field` LIKE %s", array( 'foo', 1337, '%bar' ) );
+        *     $wpdb->prepare( "SELECT DATE_FORMAT(`field`, '%%c') FROM `table` WHERE `column` = %s", 'foo' );
</ins><span class="cx" style="display: block; padding: 0 10px">          *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * @link http://php.net/sprintf Description of syntax.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * @link https://secure.php.net/sprintf Description of syntax.
</ins><span class="cx" style="display: block; padding: 0 10px">          * @since 2.3.0
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         * @param string $query Query statement with sprintf()-like placeholders
-        * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called like
-        *      {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if
-        *      being called like {@link http://php.net/sprintf sprintf()}.
-        * @param mixed $args,... further variables to substitute into the query's placeholders if being called like
-        *      {@link http://php.net/sprintf sprintf()}.
-        * @return null|false|string Sanitized query string, null if there is no query, false if there is an error and string
-        *      if there was something to prepare
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * @param string      $query    Query statement with sprintf()-like placeholders
+        * @param array|mixed $args     The array of variables to substitute into the query's placeholders if being called with an array of arguments,
+        *                              or the first variable to substitute into the query's placeholders if being called with individual arguments.
+        * @param mixed       $args,... further variables to substitute into the query's placeholders if being called wih individual arguments.
+        * @return string|void Sanitized query string, if there is a query to prepare.
</ins><span class="cx" style="display: block; padding: 0 10px">          */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        function prepare( $query, $args ) {
-               if ( is_null( $query ) )
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ public function prepare( $query, $args ) {
+               if ( is_null( $query ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px">                         return;
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                }
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                // This is not meant to be foolproof -- but it will catch obviously incorrect usage.
+               if ( strpos( $query, '%' ) === false ) {
+                       wp_load_translations_early();
+                       _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'The query argument of %s must have a placeholder.' ), 'wpdb::prepare()' ), '3.9.0' );
+               }
+
</ins><span class="cx" style="display: block; padding: 0 10px">                 $args = func_get_args();
</span><span class="cx" style="display: block; padding: 0 10px">                array_shift( $args );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                // If args were passed as an array (as in vsprintf), move them up
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         // If args were passed as an array (as in vsprintf), move them up.
+               $passed_as_array = false;
</ins><span class="cx" style="display: block; padding: 0 10px">                 if ( is_array( $args[0] ) && count( $args ) == 1 ) {
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                        $passed_as_array = true;
</ins><span class="cx" style="display: block; padding: 0 10px">                         $args = $args[0];
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                foreach ( $args as $arg ) {
</span><span class="cx" style="display: block; padding: 0 10px">                        if ( ! is_scalar( $arg ) && ! is_null( $arg ) ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                                _doing_it_wrong( 'wpdb::prepare', sprintf( 'Unsupported value type (%s).', gettype( $arg ) ), '3.8.22' );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                         wp_load_translations_early();
+                               _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'Unsupported value type (%s).' ), gettype( $arg ) ), '4.8.2' );
</ins><span class="cx" style="display: block; padding: 0 10px">                         }
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
-               $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
-               $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
-               $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
-               $query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query ); // escape any unescaped percents 
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         /*
+                * Specify the formatting allowed in a placeholder. The following are allowed:
+                *
+                * - Sign specifier. eg, $+d
+                * - Numbered placeholders. eg, %1$s
+                * - Padding specifier, including custom padding characters. eg, %05s, %'#5s
+                * - Alignment specifier. eg, %05-s
+                * - Precision specifier. eg, %.2f
+                */
+               $allowed_format = '(?:[1-9][0-9]*[$])?[-+0-9]*(?: |0|\'.)?[-+0-9]*(?:\.[0-9]+)?';
+
+               /*
+                * If a %s placeholder already has quotes around it, removing the existing quotes and re-inserting them
+                * ensures the quotes are consistent.
+                *
+                * For backwards compatibility, this is only applied to %s, and not to placeholders like %1$s, which are frequently
+                * used in the middle of longer strings, or as table name placeholders.
+                */
+               $query = str_replace( "'%s'", '%s', $query ); // Strip any existing single quotes.
+               $query = str_replace( '"%s"', '%s', $query ); // Strip any existing double quotes.
+               $query = preg_replace( '/(?<!%)%s/', "'%s'", $query ); // Quote the strings, avoiding escaped strings like %%s.
+
+               $query = preg_replace( "/(?<!%)(%($allowed_format)?f)/" , '%\\2F', $query ); // Force floats to be locale unaware.
+
+               $query = preg_replace( "/%(?:%|$|(?!($allowed_format)?[sdF]))/", '%%\\1', $query ); // Escape any unescaped percents.
+
+               // Count the number of valid placeholders in the query.
+               $placeholders = preg_match_all( "/(^|[^%]|(%%)+)%($allowed_format)?[sdF]/", $query, $matches );
+
+               if ( count( $args ) !== $placeholders ) {
+                       if ( 1 === $placeholders && $passed_as_array ) {
+                               // If the passed query only expected one argument, but the wrong number of arguments were sent as an array, bail.
+                               wp_load_translations_early();
+                               _doing_it_wrong( 'wpdb::prepare', __( 'The query only expected one placeholder, but an array of multiple placeholders was sent.' ), '4.9.0' );
+
+                               return;
+                       } else {
+                               /*
+                                * If we don't have the right number of placeholders, but they were passed as individual arguments,
+                                * or we were expecting multiple arguments in an array, throw a warning.
+                                */
+                               wp_load_translations_early();
+                               _doing_it_wrong( 'wpdb::prepare',
+                                       /* translators: 1: number of placeholders, 2: number of arguments passed */
+                                       sprintf( __( 'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).' ),
+                                               $placeholders,
+                                               count( $args ) ),
+                                       '4.8.3'
+                               );
+                       }
+               }
+
</ins><span class="cx" style="display: block; padding: 0 10px">                 array_walk( $args, array( $this, 'escape_by_ref' ) );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                return @vsprintf( $query, $args );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         $query = @vsprintf( $query, $args );
+
+               return $this->add_placeholder_escape( $query );
</ins><span class="cx" style="display: block; padding: 0 10px">         }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1325,6 +1389,64 @@
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         * Generates and returns a placeholder escape string for use in queries returned by ::prepare().
+        *
+        * @since 4.8.3
+        *
+        * @return string String to escape placeholders.
+        */
+       public function placeholder_escape() {
+               static $placeholder;
+
+               if ( ! $placeholder ) {
+                       // If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
+                       $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
+                       // Old WP installs may not have AUTH_SALT defined.
+                       $salt = defined( 'AUTH_SALT' ) ? AUTH_SALT : rand();
+
+                       $placeholder = '{' . hash_hmac( $algo, uniqid( $salt, true ), $salt ) . '}';
+               }
+
+               /*
+                * Add the filter to remove the placeholder escaper. Uses priority 0, so that anything
+                * else attached to this filter will recieve the query with the placeholder string removed.
+                */
+               if ( ! has_filter( 'query', array( $this, 'remove_placeholder_escape' ) ) ) {
+                       add_filter( 'query', array( $this, 'remove_placeholder_escape' ), 0 );
+               }
+
+               return $placeholder;
+       }
+
+       /**
+        * Adds a placeholder escape string, to escape anything that resembles a printf() placeholder.
+        *
+        * @since 4.8.3
+        *
+        * @param string $query The query to escape.
+        * @return string The query with the placeholder escape string inserted where necessary.
+        */
+       public function add_placeholder_escape( $query ) {
+               /*
+                * To prevent returning anything that even vaguely resembles a placeholder,
+                * we clobber every % we can find.
+                */
+               return str_replace( '%', $this->placeholder_escape(), $query );
+       }
+
+       /**
+        * Removes the placeholder escape strings from a query.
+        *
+        * @since 4.8.3
+        *
+        * @param string $query The query from which the placeholder will be removed.
+        * @return string The query with the placeholder removed.
+        */
+       public function remove_placeholder_escape( $query ) {
+               return str_replace( $this->placeholder_escape(), '%', $query );
+       }
+
+       /**
</ins><span class="cx" style="display: block; padding: 0 10px">          * Insert a row into a table.
</span><span class="cx" style="display: block; padding: 0 10px">         *
</span><span class="cx" style="display: block; padding: 0 10px">         * <code>
</span></span></pre></div>
<a id="branches38testsphpunitincludestestcasephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/3.8/tests/phpunit/includes/testcase.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/3.8/tests/phpunit/includes/testcase.php  2017-10-31 12:56:57 UTC (rev 42066)
+++ branches/3.8/tests/phpunit/includes/testcase.php    2017-10-31 12:59:50 UTC (rev 42067)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -124,6 +124,18 @@
</span><span class="cx" style="display: block; padding: 0 10px">                }
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        /**
+        * Declare an expected `_doing_it_wrong()` call from within a test.
+        *
+        * @since 4.2.0
+        *
+        * @param string $deprecated Name of the function, method, or class that appears in the first argument of the
+        *                           source `_doing_it_wrong()` call.
+        */
+       public function setExpectedIncorrectUsage( $doing_it_wrong ) {
+               array_push( $this->expected_doing_it_wrong, $doing_it_wrong );
+       }
+
</ins><span class="cx" style="display: block; padding: 0 10px">         function deprecated_function_run( $function ) {
</span><span class="cx" style="display: block; padding: 0 10px">                if ( ! in_array( $function, $this->caught_deprecated ) )
</span><span class="cx" style="display: block; padding: 0 10px">                        $this->caught_deprecated[] = $function;
</span></span></pre></div>
<a id="branches38testsphpunittestsdbphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/3.8/tests/phpunit/tests/db.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/3.8/tests/phpunit/tests/db.php   2017-10-31 12:56:57 UTC (rev 42066)
+++ branches/3.8/tests/phpunit/tests/db.php     2017-10-31 12:59:50 UTC (rev 42067)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -149,6 +149,9 @@
</span><span class="cx" style="display: block; padding: 0 10px">        public function test_double_escaped_placeholders() {
</span><span class="cx" style="display: block; padding: 0 10px">                global $wpdb;
</span><span class="cx" style="display: block; padding: 0 10px">                $sql = $wpdb->prepare( "UPDATE test_table SET string_column = '%%f is a float, %%d is an int %d, %%s is a string', field = %s", 3, '4' );
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+                $this->assertContains( $wpdb->placeholder_escape(), $sql );
+
+               $sql = $wpdb->remove_placeholder_escape( $sql );
</ins><span class="cx" style="display: block; padding: 0 10px">                 $this->assertEquals( "UPDATE test_table SET string_column = '%f is a float, %d is an int 3, %s is a string', field = '4'", $sql );
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -172,8 +175,8 @@
</span><span class="cx" style="display: block; padding: 0 10px">                $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        function test_prepare_vsprintf() {
-                global $wpdb;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+    function test_prepare_vsprintf() {
+               global $wpdb;
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ) );
</span><span class="cx" style="display: block; padding: 0 10px">                $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -190,8 +193,75 @@
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">                $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( array( 1 ), "admin" ) );
</span><span class="cx" style="display: block; padding: 0 10px">                $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        }
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ }
</ins><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+        /**
+        * @ticket 42040
+        * @dataProvider data_prepare_incorrect_arg_count
+        * @expectedIncorrectUsage wpdb::prepare
+        */
+       public function test_prepare_incorrect_arg_count( $query, $args, $expected ) {
+               global $wpdb;
+
+               // $query is the first argument to be passed to wpdb::prepare()
+               array_unshift( $args, $query );
+
+               $prepared = @call_user_func_array( array( $wpdb, 'prepare' ), $args );
+               $this->assertEquals( $expected, $prepared );
+       }
+
+       public function data_prepare_incorrect_arg_count() {
+               global $wpdb;
+
+               return array(
+                       array(
+                               "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s",     // Query
+                               array( 1, "admin", "extra-arg" ),                                   // ::prepare() args, to be passed via call_user_func_array
+                               "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", // Expected output
+                       ),
+                       array(
+                               "SELECT * FROM $wpdb->users WHERE id = %%%d AND user_login = %s",
+                               array( 1 ),
+                               false,
+                       ),
+                       array(
+                               "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s",
+                               array( array( 1, "admin", "extra-arg" ) ),
+                               "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'",
+                       ),
+                       array(
+                               "SELECT * FROM $wpdb->users WHERE id = %d AND %% AND user_login = %s",
+                               array( 1, "admin", "extra-arg" ),
+                               "SELECT * FROM $wpdb->users WHERE id = 1 AND {$wpdb->placeholder_escape()} AND user_login = 'admin'",
+                       ),
+                       array(
+                               "SELECT * FROM $wpdb->users WHERE id = %%%d AND %F AND %f AND user_login = %s",
+                               array( 1, 2.3, "4.5", "admin", "extra-arg" ),
+                               "SELECT * FROM $wpdb->users WHERE id = {$wpdb->placeholder_escape()}1 AND 2.300000 AND 4.500000 AND user_login = 'admin'",
+                       ),
+                       array(
+                               "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s",
+                               array( array( 1 ), "admin", "extra-arg" ),
+                               "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'",
+                       ),
+                       array(
+                               "SELECT * FROM $wpdb->users WHERE id = %d and user_nicename = %s and user_status = %d and user_login = %s",
+                               array( 1, "admin", 0 ),
+                               '',
+                       ),
+                       array(
+                               "SELECT * FROM $wpdb->users WHERE id = %d and user_nicename = %s and user_status = %d and user_login = %s",
+                               array( array( 1, "admin", 0 ) ),
+                               '',
+                       ),
+                       array(
+                               "SELECT * FROM $wpdb->users WHERE id = %d and %% and user_login = %s and user_status = %d and user_login = %s",
+                               array( 1, "admin", "extra-arg" ),
+                               '',
+                       ),
+               );
+       }
+
</ins><span class="cx" style="display: block; padding: 0 10px">         function test_db_version() {
</span><span class="cx" style="display: block; padding: 0 10px">                global $wpdb;
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -608,13 +678,327 @@
</span><span class="cx" style="display: block; padding: 0 10px">        }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px">        /**
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-         *
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+  * @dataProvider data_prepare_with_placeholders
</ins><span class="cx" style="display: block; padding: 0 10px">          */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-        function test_prepare_with_unescaped_percents() {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ function test_prepare_with_placeholders_and_individual_args( $sql, $values, $incorrect_usage, $expected) {
</ins><span class="cx" style="display: block; padding: 0 10px">                 global $wpdb;
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-                $sql = $wpdb->prepare( '%d %1$d %%% %', 1 );
-               $this->assertEquals( '1 %1$d %% %', $sql );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+         if ( $incorrect_usage ) {
+                       $this->setExpectedIncorrectUsage( 'wpdb::prepare' );
+               }
+
+               if ( ! is_array( $values ) ) {
+                       $values = array( $values );
+               }
+
+               array_unshift( $values, $sql );
+
+               $sql = call_user_func_array( array( $wpdb, 'prepare' ), $values );
+               $this->assertEquals( $expected, $sql );
</ins><span class="cx" style="display: block; padding: 0 10px">         }
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+
+       /**
+        * @dataProvider data_prepare_with_placeholders
+        */
+       function test_prepare_with_placeholders_and_array_args( $sql, $values, $incorrect_usage, $expected) {
+               global $wpdb;
+
+               if ( $incorrect_usage ) {
+                       $this->setExpectedIncorrectUsage( 'wpdb::prepare' );
+               }
+
+               if ( ! is_array( $values ) ) {
+                       $values = array( $values );
+               }
+
+               $sql = call_user_func_array( array( $wpdb, 'prepare' ), array( $sql, $values ) );
+               $this->assertEquals( $expected, $sql );
+       }
+
+       function data_prepare_with_placeholders() {
+               global $wpdb;
+
+               return array(
+                       array(
+                               '%5s',   // SQL to prepare
+                               'foo',   // Value to insert in the SQL
+                               false,   // Whether to expect an incorrect usage error or not
+                               '  foo', // Expected output
+                       ),
+                       array(
+                               '%1$d %%% % %%1$d%% %%%1$d%%',
+                               1,
+                               true,
+                               "1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1\$d{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1{$wpdb->placeholder_escape()}",
+                       ),
+                       array(
+                               '%-5s',
+                               'foo',
+                               false,
+                               'foo  ',
+                       ),
+                       array(
+                               '%05s',
+                               'foo',
+                               false,
+                               '00foo',
+                       ),
+                       array(
+                               "%'#5s",
+                               'foo',
+                               false,
+                               '##foo',
+                       ),
+                       array(
+                               '%.3s',
+                               'foobar',
+                               false,
+                               'foo',
+                       ),
+                       array(
+                               '%.3f',
+                               5.123456,
+                               false,
+                               '5.123',
+                       ),
+                       array(
+                               '%.3f',
+                               5.12,
+                               false,
+                               '5.120',
+                       ),
+                       array(
+                               '%s',
+                               ' %s ',
+                               false,
+                               "' {$wpdb->placeholder_escape()}s '",
+                       ),
+                       array(
+                               '%1$s',
+                               ' %s ',
+                               false,
+                               " {$wpdb->placeholder_escape()}s ",
+                       ),
+                       array(
+                               '%1$s',
+                               ' %1$s ',
+                               false,
+                               " {$wpdb->placeholder_escape()}1\$s ",
+                       ),
+                       array(
+                               '%d %1$d %%% %',
+                               1,
+                               true,
+                               "1 1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}",
+                       ),
+                       array(
+                               '%d %2$s',
+                               array( 1, 'hello' ),
+                               false,
+                               "1 hello",
+                       ),
+                       array(
+                               "'%s'",
+                               'hello',
+                               false,
+                               "'hello'",
+                       ),
+                       array(
+                               '"%s"',
+                               'hello',
+                               false,
+                               "'hello'",
+                       ),
+                       array(
+                               "%s '%1\$s'",
+                               'hello',
+                               true,
+                               "'hello' 'hello'",
+                       ),
+                       array(
+                               "%s '%1\$s'",
+                               'hello',
+                               true,
+                               "'hello' 'hello'",
+                       ),
+                       array(
+                               '%s "%1$s"',
+                               'hello',
+                               true,
+                               "'hello' \"hello\"",
+                       ),
+                       array(
+                               "%%s %%'%1\$s'",
+                               'hello',
+                               false,
+                               "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}'hello'",
+                       ),
+                       array(
+                               '%%s %%"%1$s"',
+                               'hello',
+                               false,
+                               "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}\"hello\"",
+                       ),
+                       array(
+                               '%s',
+                               ' %  s ',
+                               false,
+                               "' {$wpdb->placeholder_escape()}  s '",
+                       ),
+                       array(
+                               '%%f %%"%1$f"',
+                               3,
+                               false,
+                               "{$wpdb->placeholder_escape()}f {$wpdb->placeholder_escape()}\"3.000000\"",
+                       ),
+                       array(
+                               'WHERE second=\'%2$s\' AND first=\'%1$s\'',
+                               array( 'first arg', 'second arg' ),
+                               false,
+                               "WHERE second='second arg' AND first='first arg'",
+                       ),
+                       array(
+                               'WHERE second=%2$d AND first=%1$d',
+                               array( 1, 2 ),
+                               false,
+                               "WHERE second=2 AND first=1",
+                       ),
+                       array(
+                               "'%'%%s",
+                               'hello',
+                               true,
+                               "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s",
+                       ),
+                       array(
+                               "'%'%%s%s",
+                               'hello',
+                               false,
+                               "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s'hello'",
+                       ),
+                       array(
+                               "'%'%%s %s",
+                               'hello',
+                               false,
+                               "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s 'hello'",
+                       ),
+                       array(
+                               "'%-'#5s' '%'#-+-5s'",
+                               array( 'hello', 'foo' ),
+                               false,
+                               "'hello' 'foo##'",
+                       ),
+               );
+       }
+
+       /**
+        * @dataProvider data_escape_and_prepare
+        */
+       function test_escape_and_prepare( $escape, $sql, $values, $incorrect_usage, $expected ) {
+               global $wpdb;
+
+               if ( $incorrect_usage ) {
+                       $this->setExpectedIncorrectUsage( 'wpdb::prepare' );
+               }
+
+               $escape = esc_sql( $escape );
+
+               $sql = str_replace( '{ESCAPE}', $escape, $sql );
+
+               $actual = $wpdb->prepare( $sql, $values );
+
+               $this->assertEquals( $expected, $actual );
+       }
+
+       function data_escape_and_prepare() {
+               global $wpdb;
+               return array(
+                       array(
+                               '%s',                                  // String to pass through esc_url()
+                               ' {ESCAPE} ',                          // Query to insert the output of esc_url() into, replacing "{ESCAPE}"
+                               'foo',                                 // Data to send to prepare()
+                               true,                                  // Whether to expect an incorrect usage error or not
+                               " {$wpdb->placeholder_escape()}s ",    // Expected output
+                       ),
+                       array(
+                               'foo%sbar',
+                               "SELECT * FROM bar WHERE foo='{ESCAPE}' OR baz=%s",
+                               array( ' SQLi -- -', 'pewpewpew' ),
+                               true,
+                               null,
+                       ),
+                       array(
+                               '%s',
+                               ' %s {ESCAPE} ',
+                               'foo',
+                               false,
+                               " 'foo' {$wpdb->placeholder_escape()}s ",
+                       ),
+               );
+       }
+
+       /**
+        * @expectedIncorrectUsage wpdb::prepare
+        */
+       function test_double_prepare() {
+               global $wpdb;
+
+               $part = $wpdb->prepare( ' AND meta_value = %s', ' %s ' );
+               $this->assertNotContains( '%s', $part );
+               $query = $wpdb->prepare( 'SELECT * FROM {$wpdb->postmeta} WHERE meta_key = %s $part', array( 'foo', 'bar' ) );
+               $this->assertNull( $query );
+       }
+
+       function test_prepare_numeric_placeholders_float_args() {
+               global $wpdb;
+
+               $actual = $wpdb->prepare(
+                       'WHERE second=%2$f AND first=%1$f',
+                       1.1,
+                       2.2
+               );
+
+               /* Floats can be right padded, need to assert differently */
+               $this->assertContains( ' first=1.1', $actual );
+               $this->assertContains( ' second=2.2', $actual );
+       }
+
+       function test_prepare_numeric_placeholders_float_array() {
+               global $wpdb;
+
+               $actual = $wpdb->prepare(
+                       'WHERE second=%2$f AND first=%1$f',
+                       array( 1.1, 2.2 )
+               );
+
+               /* Floats can be right padded, need to assert differently */
+               $this->assertContains( ' first=1.1', $actual );
+               $this->assertContains( ' second=2.2', $actual );
+       }
+
+       function test_query_unescapes_placeholders() {
+               global $wpdb;
+
+               $value = ' %s ';
+
+               $wpdb->query( "CREATE TABLE {$wpdb->prefix}test_placeholder( a VARCHAR(100) );" );
+               $sql = $wpdb->prepare( "INSERT INTO {$wpdb->prefix}test_placeholder VALUES(%s)", $value );
+               $wpdb->query( $sql );
+
+               $actual = $wpdb->get_var( "SELECT a FROM {$wpdb->prefix}test_placeholder" );
+
+               $wpdb->query( "DROP TABLE {$wpdb->prefix}test_placeholder" );
+
+               $this->assertNotContains( '%s', $sql );
+               $this->assertEquals( $value, $actual );
+       }
+
+       function test_esc_sql_with_unsupported_placeholder_type() {
+               global $wpdb;
+
+               $sql = $wpdb->prepare( ' %s %1$c ', 'foo' );
+               $sql = $wpdb->prepare( " $sql %s ", 'foo' );
+
+               $this->assertEquals( "  'foo' {$wpdb->placeholder_escape()}1\$c  'foo' ", $sql );
+       }
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span></span></pre></div>
<a id="branches38wptestsconfigsamplephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/3.8/wp-tests-config-sample.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/3.8/wp-tests-config-sample.php   2017-10-31 12:56:57 UTC (rev 42066)
+++ branches/3.8/wp-tests-config-sample.php     2017-10-31 12:59:50 UTC (rev 42067)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -30,6 +30,21 @@
</span><span class="cx" style="display: block; padding: 0 10px"> define( 'DB_CHARSET', 'utf8' );
</span><span class="cx" style="display: block; padding: 0 10px"> define( 'DB_COLLATE', '' );
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+/**#@+
+ * Authentication Unique Keys and Salts.
+ *
+ * Change these to different unique phrases!
+ * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
+ */
+define('AUTH_KEY',         'put your unique phrase here');
+define('SECURE_AUTH_KEY',  'put your unique phrase here');
+define('LOGGED_IN_KEY',    'put your unique phrase here');
+define('NONCE_KEY',        'put your unique phrase here');
+define('AUTH_SALT',        'put your unique phrase here');
+define('SECURE_AUTH_SALT', 'put your unique phrase here');
+define('LOGGED_IN_SALT',   'put your unique phrase here');
+define('NONCE_SALT',       'put your unique phrase here');
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $table_prefix  = 'wptests_';   // Only numbers, letters, and underscores please!
</span><span class="cx" style="display: block; padding: 0 10px"> 
</span><span class="cx" style="display: block; padding: 0 10px"> define( 'WP_TESTS_DOMAIN', 'example.org' );
</span></span></pre>
</div>
</div>

</body>
</html>