[wp-trac] [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
WordPress Trac
wp-trac at lists.automattic.com
Wed Jun 27 21:10:11 GMT 2007
#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
-------------------------+--------------------------------------------------
 Reporter:  markjaquith  |       Owner:  anonymous
     Type:  task         |      Status:  new
 Priority:  normal       |   Milestone:  2.3 (trunk)
Component:  Security     |     Version:  2.3
 Severity:  normal       |    Keywords:  sql prepared statement sprintf injection security
-------------------------+--------------------------------------------------
See: #4545 comments for background.
nbachiyski:
----
We can also make a prepared statement-like/printf-like method of wpdb,
which can handle escaping internally and get rid of the few lines, before
every query, spent in escaping.
----
Example:
{{{
$result = $wpdb->get_results(
    $wpdb->prepare("SELECT something FROM $wpdb->tablename WHERE foo = '%s' LIMIT %d",
        $unslashed_value, $unslashed_uninted_limit)
);
}}}
Benefits:
* Works well with last-second escaping of data as proposed in #4545
* Backwards compatible
* Makes for VERY obvious escaping -- helps us find SQL injection holes
* Reduces a lot of $wpdb->escape(); lines
* Allows original unescaped data used in query to remain unescaped in the
function. No need to have {{{$var}}} and {{{$var_sql}}} floating around.
Unescaped data is more usable.
--
Ticket URL: <http://trac.wordpress.org/ticket/4553>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
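A minimal stand-alone version of the sprintf-style prepare() the ticket proposes, added here as an illustration; it is not code from the ticket or from WordPress. escape_sql() is a constructed stand-in for $wpdb->escape(), and prepare_query() and the table name wp_tablename are assumed names.

```php
<?php
// Added example (not WordPress code). Placeholder handling follows the ticket:
// %s is escaped (the caller writes the surrounding quotes, as in the ticket's
// example), %d is cast to an integer, %% is a literal percent sign.
// escape_sql() stands in for $wpdb->escape(); a real implementation would
// call the database driver's own escape function instead (assumption).
function escape_sql(string $value): string {
    return str_replace(
        ["\\", "\0", "\n", "\r", "'", '"', "\x1a"],
        ["\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z"],
        $value
    );
}

// Substitute placeholders one by one, so every value passes through
// escaping at the last second, right before the query is built.
function prepare_query(string $query, ...$args): string {
    $i = 0;
    return preg_replace_callback(
        '/%(%|s|d)/',
        function (array $m) use (&$i, $args) {
            if ($m[1] === '%') {
                return '%';
            }
            if (!array_key_exists($i, $args)) {
                throw new InvalidArgumentException("Missing argument for placeholder #$i");
            }
            $arg = $args[$i++];
            if ($m[1] === 'd') {
                // Non-numeric input collapses to an integer, never to SQL text.
                return (string) (int) $arg;
            }
            return escape_sql((string) $arg);
        },
        $query
    );
}

// Constructed inputs: unescaped values of the kind that would otherwise need
// a $wpdb->escape() line before every query.
$unslashed_value = "O'Reilly";
$unslashed_uninted_limit = "10abc";
echo prepare_query(
    "SELECT something FROM wp_tablename WHERE foo = '%s' LIMIT %d",
    $unslashed_value, $unslashed_uninted_limit
), "\n";
```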