[wp-trac] [WordPress Trac] #41983: Lead by example: pass unquoted placeholders to $wpdb->prepare()

WordPress Trac noreply at wordpress.org
Mon Sep 25 17:06:17 UTC 2017


#41983: Lead by example: pass unquoted placeholders to $wpdb->prepare()
--------------------------+-----------------------------
 Reporter:  jrf           |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Database      |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 In the aftermath of last week's security release, which broke a lot of SQL
 queries in plugins, a new sniff has been added to WPCS to check for
 incorrect placeholders.

 The sniff also verifies that placeholders - as per the documentation - are
 left unquoted.

 Having run this sniff over Core, it turns out that there are some fixes to
 be made.

 See the below report.

 I suggest tagging this as an easy-pick for new contributors.


 {{{
 FILE: \src\wp-admin\includes\class-wp-importer.php
 ----------------------------------------------------------------------------------------
 FOUND 2 ERRORS AFFECTING 2 LINES
 ----------------------------------------------------------------------------------------
   32 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). Found: '%s'.
   68 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). Found: '%s'.
 ----------------------------------------------------------------------------------------


 FILE: \src\wp-admin\includes\nav-menu.php
 ----------------------------------------------------------------------------------------
 FOUND 1 ERROR AFFECTING 1 LINE
 ----------------------------------------------------------------------------------------
  999 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). Found: '%d'.
 ----------------------------------------------------------------------------------------


 FILE: \src\wp-includes\functions.php
 ----------------------------------------------------------------------------------------
 FOUND 2 ERRORS AFFECTING 2 LINES
 ----------------------------------------------------------------------------------------
 4807 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). Found: '%d'.
 4824 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). Found: '%d'.
 ----------------------------------------------------------------------------------------


 FILE: \src\wp-includes\taxonomy.php
 ----------------------------------------------------------------------------------------
 FOUND 2 ERRORS AFFECTING 2 LINES
 ----------------------------------------------------------------------------------------
 3788 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). Found: '%s'.
 ----------------------------------------------------------------------------------------
 }}}


 Refs:
 * https://github.com/WordPress-Coding-Standards/WordPress-Coding-Standards/pull/1160
 * https://developer.wordpress.org/reference/classes/wpdb/prepare/
 * https://make.wordpress.org/core/handbook/best-practices/coding-standards/php/#formatting-sql-statements

--
Ticket URL: <https://core.trac.wordpress.org/ticket/41983>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
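The placeholder contract the ticket leans on, as an added example that is not part of the ticket, of WordPress core, or of the WPCS sniff: a minimal stand-in for $wpdb->prepare() that implements only the documented behaviour (prepare() escapes and quotes %s itself and casts %d to an integer), followed by a crude regex-based scanner in the spirit of the sniff. The stand-in mirrors one core behaviour, namely that a single-quoted '%s' is tolerated by stripping the quotes before the function adds its own, but everything else is simplified: escaping is simulated with addslashes() rather than the MySQL driver, the scanner only handles a string-literal first argument on one line, and the sample source and input values are constructed for the example.

```php
<?php
// Added example: not WordPress core code and not the WPCS sniff.
// Part 1: a minimal stand-in for $wpdb->prepare() that implements only the
// documented contract, so the effect of quoting a placeholder can be seen
// offline without a database.
// Assumptions: addslashes() stands in for the driver's real_escape_string();
// only %s, %d and %f are handled.
function mock_prepare( string $query, ...$args ): string {
    // As in core, a single-quoted '%s' is tolerated by stripping the quotes
    // before adding our own; there is no such normalisation for '%d' or '%f'.
    $query = str_replace( "'%s'", '%s', $query );
    // Quote every %s ourselves (a %% is a literal percent and is skipped).
    $query = preg_replace( '/(?<!%)%s/', "'%s'", $query );

    foreach ( $args as &$arg ) {
        if ( is_string( $arg ) ) {
            $arg = addslashes( $arg ); // stand-in for real escaping
        }
    }
    unset( $arg );

    // vsprintf() casts whatever is bound to %d to an integer.
    return vsprintf( $query, $args );
}

$title = "O'Reilly";   // constructed input containing a quote
$id    = '5 OR 1=1';   // constructed input that would inject if interpolated raw

// Correct, unquoted placeholders: prepare() supplies both quoting and type,
// so the title is escaped and quoted and the id collapses to the integer 5.
echo mock_prepare(
    'SELECT ID FROM wp_posts WHERE post_title = %s AND ID = %d',
    $title, $id
), "\n";

// What the sniff flags: '%d' in quotes. The value is still cast, but the
// query now compares an integer column with a quoted string literal.
echo mock_prepare( "SELECT ID FROM wp_posts WHERE ID = '%d'", $id ), "\n";

// Also flagged: '%s' in quotes. It only works because prepare() strips the
// quotes first; the result equals the unquoted form, so the extra quotes
// merely hide where the quoting really comes from.
echo mock_prepare( "SELECT ID FROM wp_posts WHERE post_title = '%s'", $title ), "\n";

// Part 2: a crude regex-based stand-in for the WPCS check (the real sniff
// works on PHP_CodeSniffer tokens): report quoted placeholders inside a
// string-literal first argument of $wpdb->prepare().
function find_quoted_placeholders( string $source ): array {
    $findings = [];
    $matched  = preg_match_all(
        '/\$wpdb->prepare\(\s*(["\'])(.*?)\1/s',
        $source, $calls, PREG_OFFSET_CAPTURE
    );
    if ( ! $matched ) {
        return $findings;
    }
    foreach ( $calls[2] as [ $query, $offset ] ) {
        if ( preg_match_all( '/["\']%(?:\d+\$)?[dfFs]["\']/', $query, $hits ) ) {
            // Line number of the query literal within the scanned source.
            $line = substr_count( $source, "\n", 0, $offset ) + 1;
            foreach ( $hits[0] as $hit ) {
                $findings[] = sprintf(
                    '%d | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). Found: %s.',
                    $line, $hit
                );
            }
        }
    }
    return $findings;
}

// Constructed sample source in the style of the calls the ticket reports;
// lines 1 and 3 should be flagged, line 2 is clean.
$sample = <<<'PHP'
$wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE guid = '%s'", $guid ) );
$wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE ID = %d", $id ) );
$wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = '%d'", $post_id ) );
PHP;

foreach ( find_quoted_placeholders( $sample ) as $finding ) {
    echo $finding, "\n";
}
```

The scanner is deliberately narrow: it will miss queries built by concatenation or assigned to a variable first, which is exactly why the real check lives in a token-based sniff rather than a regex. The first part is the one to keep in mind when reviewing the fixes: dropping the quotes around %s changes nothing in the generated SQL, while dropping them around %d stops an integer comparison from being written as a string literal.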

