[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
WordPress Trac
wp-trac at lists.automattic.com
Wed Jun 27 21:55:45 GMT 2007
#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
---------------------------------------------------------------+------------
Reporter: markjaquith | Owner: markjaquith
Type: task | Status: assigned
Priority: normal | Milestone: 2.3 (trunk)
Component: Security | Version: 2.3
Severity: normal | Resolution:
Keywords: sql prepared statement sprintf injection security |
---------------------------------------------------------------+------------
Changes (by markjaquith):
* owner: anonymous => markjaquith
* status: new => assigned
Comment:
{{{
<?php
// Build a query from a sprintf()-style format string; every argument after
// the format is escaped before being substituted.
function prepare($args=NULL) {
if ( NULL === $args )
return;
$args = func_get_args();
$query = array_shift($args);
array_walk($args, 'escape_by_ref');
// array_merge() needs arrays on both sides, so wrap the format string.
return call_user_func_array('sprintf', array_merge(array($query),
$args));
}
function escape_by_ref(&$a) {
//global $wpdb;
//$a = $wpdb->escape($a);
$a = addslashes($a);
}
$dangerous_string = "It's raining";
$untrusted_limit = "10STRING";
echo prepare("SELECT foo FROM sometable WHERE bar = '%s' LIMIT %d",
$dangerous_string, $untrusted_limit);
?>
}}}
Output:
{{{
SELECT foo FROM sometable WHERE bar = 'It\'s raining' LIMIT 10
}}}
Thoughts?
--
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
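The sketch in the ticket leans on sprintf() doing the substitution, which leaves two things to the caller: remembering the quotes around each %s, and remembering that a literal % in the query must be written %%. The following is an added example, not code from the ticket or from WordPress, that walks the format string itself so the %s placeholder supplies its own quotes and argument-count mismatches are rejected instead of silently producing a broken query. The function names are hypothetical; addslashes() stands in for a connection-aware escaper such as mysqli_real_escape_string(), which also knows the connection character set, and the sample inputs are constructed.

```php
<?php
// Added example (hypothetical names, not the ticket's code).

// Escape one value for use inside a single-quoted MySQL string literal.
// addslashes() is used here only so the example runs without a database
// connection; a real escaper should be tied to the connection's charset.
function escape_value($value) {
    return addslashes((string) $value);
}

// Build a query from a format string whose only placeholders are
// %s (escaped and quoted) and %d (coerced to an integer).
// The %s placeholder adds its own quotes, so a caller cannot forget them;
// a literal percent sign in the format must be written %%.
function prepare_query($query, array $args) {
    $out  = '';
    $len  = strlen($query);
    $argi = 0;
    for ($i = 0; $i < $len; $i++) {
        $c = $query[$i];
        if ($c !== '%') {
            $out .= $c;
            continue;
        }
        $next = ($i + 1 < $len) ? $query[$i + 1] : '';
        $i++;
        if ($next === '%') {
            $out .= '%';
        } elseif ($next === 's') {
            if (!array_key_exists($argi, $args)) {
                throw new InvalidArgumentException('too few arguments for query');
            }
            $out .= "'" . escape_value($args[$argi++]) . "'";
        } elseif ($next === 'd') {
            if (!array_key_exists($argi, $args)) {
                throw new InvalidArgumentException('too few arguments for query');
            }
            // (int) keeps only a leading numeric prefix, so "10STRING" becomes 10.
            $out .= (string) (int) $args[$argi++];
        } else {
            throw new InvalidArgumentException("unsupported placeholder %$next");
        }
    }
    // Extra arguments usually mean a placeholder was dropped from the query.
    if ($argi !== count($args)) {
        throw new InvalidArgumentException('too many arguments for query');
    }
    return $out;
}

// Constructed sample inputs: a value containing a quote and a non-numeric
// "limit" of the kind that arrives in a request parameter.
$dangerous_string = "It's raining";
$untrusted_limit  = "10STRING";

echo prepare_query(
    "SELECT foo FROM sometable WHERE bar = %s AND label LIKE '50%%' LIMIT %d",
    array($dangerous_string, $untrusted_limit)
), "\n";
```

Note that the quotes for bar now come from the placeholder rather than from the format string, the apostrophe in the first argument is escaped, the LIKE pattern's percent sign survives because it was written as %%, and the limit is reduced to its integer prefix; passing one argument too many or too few throws rather than running an unintended query.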