[wp-trac] Re: [WordPress Trac] #5145: Proper use of prepared statements

WordPress Trac wp-trac at lists.automattic.com
Fri Oct 5 17:27:19 GMT 2007

#5145: Proper use of prepared statements
 Reporter:  xknown   |        Owner:  markjaquith
     Type:  defect   |       Status:  assigned   
 Priority:  normal   |    Milestone:  2.4        
Component:  General  |      Version:             
 Severity:  normal   |   Resolution:             
 Keywords:           |  
Comment (by markjaquith):

 Yes, the ideal solution is to have the strings outside the query, and use
 {{{%s}}} placeholders.  But {{{%s}}} replacements get slash-escaped, and
 the variables in this instance are already slash-escaped.  So that would
 lead to double-escaping.  What I'm in the process of doing is converting
 to use {{{$wpdb->prepare()}}} any query that can be converted, and marking
 up any place that can't be converted because the function expects pre-
 slashed data.  My mistake was in doing partial implementation for some
 queries.  It has to be all or nothing, or we risk concatenating in a
 {{{printf()}}} token.

Ticket URL: <http://trac.wordpress.org/ticket/5145#comment:8>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list