[wp-trac] [WordPress Trac] #11102: $wpdb->prepare should merge all arguments to pass to vsprintf

WordPress Trac wp-trac at lists.automattic.com
Sun Nov 8 21:42:23 UTC 2009


#11102: $wpdb->prepare should merge all arguments to pass to vsprintf
-------------------------+--------------------------------------------------
 Reporter:  westi        |       Owner:  westi          
     Type:  enhancement  |      Status:  new            
 Priority:  normal       |   Milestone:  3.0            
Component:  Database     |     Version:  2.9            
 Severity:  normal       |    Keywords:  has-patch early
-------------------------+--------------------------------------------------

Comment(by westi):

 Replying to [comment:3 azaozz]:
 > Not sure if that really improves things. Passing an array seems to make
 > sense only in `"IN (5,10,20, ...)"` where the length of the array is not
 > fixed.
 >
 > MySQL seems to accept both `"IN (5,10,20, ...)"` and `"IN
 > ('5','10','20', ...)"` (it casts string to int when comparing with a
 > numeric column) so we can `join( "','", $array )` and pass it as a string.
 > This is already used in about 50 places in core including #11100.
 >

 The point is to make it easy to use the correct data type specifier in the
 prepare statement.  If we are preparing in what we believe/expect are
 integers we should use %d.

 Replying to [comment:3 azaozz]:
 > In this case a query would look like:
 > {{{
 > $wpdb->prepare("SELECT * FROM $table WHERE `x` = %s AND type IN (%s)",
 > $where, $in_array);
 > }}}
 > that would expand to:
 > {{{
 > SELECT * FROM $table WHERE `x` = 'bar' AND type IN ('5','10','20');
 > }}}
 > or
 > {{{
 > SELECT * FROM $table WHERE `x` = 'bar' AND type IN
 > ('bar1','bar2','bar3');
 > }}}
 >
 >

 With the current code this would expand to

 {{{
 SELECT * FROM $table WHERE `x` = 'bar' AND type IN
 (''bar1','bar2','bar3'');
 }}}

 Assuming $in_array was a string containing {{{'bar1','bar2','bar3'}}} as
 we force %s to be quoted.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11102#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
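An added illustration of the two expansions discussed in this comment, not code from the ticket or from WordPress core: `fake_prepare()` is a constructed stand-in that mimics only the `%s` quoting and argument escaping this thread attributes to `$wpdb->prepare`, so the expansions can be compared without a WordPress install (the table name and sample values are also constructed). Because the stand-in escapes like the real function, the inner quotes of the pre-joined string come out backslash-escaped rather than bare as in the simplified expansion above; the second query shows the per-element typed placeholder shape the comment argues for.

```php
<?php
// Constructed stand-in for the behaviour this thread describes (NOT wpdb::prepare):
// every %s is forced to be single-quoted, every argument is escaped, then vsprintf runs.
function fake_prepare($query, array $args) {
    $query = str_replace("'%s'", '%s', $query);   // undo a %s the caller already quoted
    $query = str_replace('%s', "'%s'", $query);   // force every %s to be quoted
    $escaped = array_map('addslashes', $args);    // stand-in for wpdb's escaping
    return vsprintf($query, $escaped);
}

$table = 'wp_posts';   // hypothetical table name

// Case 1: a pre-joined string pushed through one %s. The whole string becomes a single
// quoted literal, so the IN list holds one (escaped) element and never matches the
// three values the caller intended.
$in_array = "'bar1','bar2','bar3'";
echo fake_prepare("SELECT * FROM $table WHERE `x` = %s AND type IN (%s)",
                  array('bar', $in_array)), "\n";

// Case 2: one placeholder per element, typed as the data is expected to be (%d).
// A non-numeric value that slips into the list is coerced to an integer by vsprintf
// instead of being spliced into the SQL as text.
$ids = array(5, '10abc', 20);   // constructed sample, one value deliberately malformed
$placeholders = implode(',', array_fill(0, count($ids), '%d'));
echo fake_prepare("SELECT * FROM $table WHERE `x` = %s AND type IN ($placeholders)",
                  array_merge(array('bar'), $ids)), "\n";
```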
