[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken
WordPress Trac
wp-trac at lists.automattic.com
Fri Dec 25 00:37:39 UTC 2009
#11608: wpdb->prepare() is broken
-----------------------------+----------------------------------------------
Reporter: hakre | Owner: ryan
Type: feature request | Status: new
Priority: normal | Milestone: Future Release
Component: Database | Version: 2.9
Severity: normal | Keywords: has-patch tested
-----------------------------+----------------------------------------------
Comment(by hakre):
Replying to [comment:10 dd32]:
> > attachment 11608.diff added
> * Avoid quoting pre-escaped placement holders
>
> While that is a security risk, it's also pretty hard to exploit due to
> vsprintf throwing its hands up at the mismatched arguments; some basic
> sanitization of your input data would also help prevent it.
Congrats on making it even more complicated. You should chill this down
instead of thrilling this up. This is a step away from your first reaction
to say: this needs to be fixed properly, with a bitter feeling.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:13>
WordPress Trac <http://core.trac.wordpress.org/>