[wp-trac] [WordPress Trac] #11102: $wpdb->prepare should merge all arguments to pass to vsprintf

WordPress Trac wp-trac at lists.automattic.com
Sun Nov 8 11:39:37 UTC 2009


#11102: $wpdb->prepare should merge all arguments to pass to vsprintf
-------------------------+--------------------------------------------------
 Reporter:  westi        |       Owner:  westi          
     Type:  enhancement  |      Status:  new            
 Priority:  normal       |   Milestone:  3.0            
Component:  Database     |     Version:  2.9            
 Severity:  normal       |    Keywords:  has-patch early
-------------------------+--------------------------------------------------
Changes (by dd32):

  * keywords:  needs-patch early => has-patch early


Comment:

 > attachment 11102.diff added

 Nothing really to say about the patch.. Pretty simple really.

 As long as you pass the correct number of args then it works as expected.

 If, for some reason, an array is passed in when a string was expected,
 there's the downside that things overflow into the next fields, i.e.:

 {{{
 $a = 'A';
 $thought_to_be_string = array('B1', 'B2');
 $c = 'C';
 var_dump( $wpdb->prepare('SELECT * FROM $TABLE WHERE a = %s AND b = %s AND c = %s', $a, $thought_to_be_string, $c) );
 // string(60) "SELECT * FROM $TABLE WHERE a = 'A' AND b = 'B1' AND c = 'B2'"
 // The array's two elements fill the b and c placeholders; $c is silently left over.
 }}}

 One way around it, could be:
 {{{
 if ( count($args) != substr_count($query, '%') )
         return false;
 }}}
 which prevents mistaken overflows. vsprintf() returns false if too few
 args are passed in as it is.

 But that solution doesn't take into account {{{%%}}} being present in the
 string.

 If those gotchas are thought to be OK for the added benefit, then so be
 it :)

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11102#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
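Added example, not code from the ticket, the 11102.diff patch or WordPress core: a stand-in for the merged-argument prepare() the patch proposes, with the argument-count guard suggested in the comment reworked so that a literal %% in the query is not counted as a placeholder. The function names, the one-level flattening, the addslashes() escaping and the sample queries are assumptions made for illustration; addslashes() is not a substitute for the database driver's escaping.

```php
<?php
// Added example (not from the ticket or WordPress core). It sketches a
// prepare() that merges scalar and array arguments into one list for
// vsprintf(), plus the count($args) != substr_count($query, '%') guard
// from the ticket, adjusted so that a literal "%%" is not counted.
// addslashes() stands in for real escaping and is NOT database-safe.

// Count format placeholders, treating "%%" as a literal percent sign.
// Removing "%%" pairs left to right matches how vsprintf() consumes them,
// so "LIKE 'foo%%'" counts 0 and "%%%s" counts 1.
function count_placeholders(string $query): int
{
    return substr_count(str_replace('%%', '', $query), '%');
}

// Flatten the caller's arguments one level (assumption: this mirrors the
// merge the patch performs). An array given where a string was expected
// spills its elements into the following placeholders, which is the
// overflow shown in the ticket and what the count check below catches.
function flatten_args(array $args): array
{
    $flat = [];
    foreach ($args as $arg) {
        if (is_array($arg)) {
            foreach ($arg as $value) {
                $flat[] = $value;
            }
        } else {
            $flat[] = $arg;
        }
    }
    return $flat;
}

// Stand-in for $wpdb->prepare(): quotes every %s, escapes each value and
// refuses to format when the value count does not match the placeholders.
// Returns false on a mismatch (too few OR too many values) instead of a
// query whose values have shifted into the wrong columns.
function prepare_merged(string $query, ...$args)
{
    $values = flatten_args($args);
    if (count($values) !== count_placeholders($query)) {
        return false;
    }
    $query  = str_replace("'%s'", '%s', $query);            // avoid double quoting
    $query  = preg_replace('/(?<!%)%s/', "'%s'", $query);   // quote every %s
    $values = array_map('addslashes', $values);             // illustrative escaping only
    return vsprintf($query, $values);
}

// Demonstration on constructed inputs.
$a = 'A';
$thought_to_be_string = ['B1', 'B2'];
$c = 'C';

// The ticket's call: four values for three placeholders, so the guard
// returns false rather than "b = 'B1' AND c = 'B2'".
var_dump(prepare_merged('SELECT * FROM t WHERE a = %s AND b = %s AND c = %s',
                        $a, $thought_to_be_string, $c));

// Correct count: three scalar values, three placeholders.
var_dump(prepare_merged('SELECT * FROM t WHERE a = %s AND b = %s AND c = %s',
                        $a, 'B', $c));

// A literal %% is not counted, so one value for one placeholder formats;
// plain substr_count($query, '%') would have seen three and refused.
var_dump(prepare_merged("SELECT * FROM t WHERE name LIKE 'foo%%' AND id = %d", 7));
```

The guard rejects both directions of mismatch: too few values, which vsprintf() would already fail on, and too many, which is the silent array overflow the comment describes. Stripping %% pairs before counting is what makes the check safe for LIKE patterns and other literal percent signs.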