[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping

WordPress Trac wp-trac at lists.automattic.com
Wed Jul 4 16:32:04 GMT 2007


#4553: Consider using local prepared-statement/sprintf()-like system for last-
second SQL escaping
---------------------------------------------------------------+------------
 Reporter:  markjaquith                                        |        Owner:  markjaquith
     Type:  task                                               |       Status:  assigned   
 Priority:  normal                                             |    Milestone:  2.3 (trunk)
Component:  Security                                           |      Version:  2.3        
 Severity:  normal                                             |   Resolution:             
 Keywords:  sql prepared statement sprintf injection security  |  
---------------------------------------------------------------+------------
Comment (by markjaquith):

 Old:
 {{{
 $var = $wpdb->escape($var);
 $var2 = $wpdb->escape($var2);
 $limit = (int) $limit;
 $wpdb->query("UPDATE $wpdb->tablename SET foo = '$var' WHERE blah =
 '$var2' LIMIT $limit");
 }}}

 New
 {{{
 $wpdb->query($wpdb->prepare("UPDATE $wpdb->tablename SET foo = '%s' WHERE
 blah = '%s' LIMIT %d", $var, $var2, $limit));
 }}}

 Notes:

  * Variables passed to {{{$wpdb->prepare()}}} should '''not''' be pre-
 escaped.
  * All uses of '%s' should either be quoted (for values) or strictly
 filtered through a list of allowed values (for things like %s representing
 a column name for ORDER BY).  If the latter, this should be done as close
 to the SQL query as possible so that we can verify that it is not a SQL
 injection hole.
  * sprintf() takes care of int-casting %d variables.
  * As "%" is a special char, it is recommended that you concatenate that
 char into a string when doing LIKE queries instead of putting the "%"
 character into the query (as you will have to escape it with %% if you use
 it in the query).

 Questions, concerns?  Would be good to raise them before we start changing
 things.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list