[wp-hackers] $wpdb->prepare and dynamic field names
Steve Taylor
steve at sltaylor.co.uk
Wed Mar 2 23:15:18 UTC 2011
$table and $id_field are hard-coded (as part of a switch). I'm not
that stupid (usually ;-)
I was just in a robot mode and following Mark's advice to escape even
if you "know" stuff is hard-coded. Seemed like good advice - but I
guess this is an instance where it's necessary to leave it be.
Thanks anyway,
Steve
On 2 March 2011 22:24, Otto <otto at ottodestruct.com> wrote:
> On Wed, Mar 2, 2011 at 3:45 PM, Steve Taylor <steve at sltaylor.co.uk> wrote:
>> Following from Mark Jaquith's handy presentation
>> (http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/),
>> I'm scouring my themes and plugins to check the security measures.
>>
>> One issue so far. I have a query like this:
>>
>> $field = $wpdb->get_results("
>> SELECT meta_value
>> FROM $table
>> WHERE meta_key = '$key'
>> AND $id_field = $id
>> LIMIT 0, 1
>> ");
>>
>> It's just checking whether a custom field is set for a specific object
>> (a post or user - hence the dynamic table and ID field references,
>> which are decided before this query).
>>
>> If I use $wpdb->prepare, what would I do with $table and $id_field?
>> Wouldn't using %s automatically stick quotes around them and
>> invalidate the query?
>
> Yes it would; however, presumably your $table and $id_field are
> hardcoded in some fashion, or at least generated by data that is
> hardcoded into the plugin and not data that comes from the user input.
>
> Using prepare lets the data be escaped properly, because the data can
> change and sometimes comes from the user input. However, your users
> aren't putting in column or table names, are they? If they are,
> you've got deeper problems.
>
>
> -Otto
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
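The pattern Otto describes, as an added example that is not code from the thread or from WordPress itself: the table and id column are chosen from a fixed map keyed by an object type the plugin controls, while the values that actually vary at runtime (meta key and object id) go through $wpdb->prepare(). The function name example_get_object_meta is an assumption; it assumes a WordPress environment with the global $wpdb object, whose postmeta and usermeta properties hold the real table names.

```php
<?php
/**
 * Added example (not from the thread): look up one meta value for a post
 * or a user. Identifiers (table, id column) never come from input; values
 * (meta key, object id) are handled by $wpdb->prepare().
 *
 * Assumes WordPress is loaded so that the global $wpdb exists.
 */
function example_get_object_meta( $object_type, $object_id, $meta_key ) {
    global $wpdb;

    // Identifiers cannot be passed through prepare() with %s (it would quote
    // them and break the query), so they are selected from a map that is
    // hard-coded in the plugin. An unknown object type is rejected outright
    // instead of being interpolated into SQL.
    $targets = array(
        'post' => array( 'table' => $wpdb->postmeta, 'id_field' => 'post_id' ),
        'user' => array( 'table' => $wpdb->usermeta, 'id_field' => 'user_id' ),
    );
    if ( ! isset( $targets[ $object_type ] ) ) {
        return false;
    }
    $table    = $targets[ $object_type ]['table'];
    $id_field = $targets[ $object_type ]['id_field'];

    // The meta key is a string and the object id an integer, so %s and %d
    // placeholders let prepare() escape and type them; nothing that can vary
    // at runtime is concatenated into the query text.
    $sql = $wpdb->prepare(
        "SELECT meta_value FROM {$table} WHERE meta_key = %s AND {$id_field} = %d LIMIT 1",
        $meta_key,
        $object_id
    );

    // get_var() returns the single column of the single row, or null if no
    // such meta row exists.
    return $wpdb->get_var( $sql );
}

// Constructed usage, e.g. from inside a theme or plugin:
// $value = example_get_object_meta( 'post', 42, 'my_plugin_setting' );
```

The point of the map is that the only "dynamic" part of the identifiers is a key the plugin itself supplies, so there is nothing to escape and nothing for a user to inject; everything a user can influence sits behind a placeholder. (For the record, WordPress 6.2 later added a %i placeholder to $wpdb->prepare() for identifiers, which covers the case where a table or column name genuinely has to be parameterised; in 2011, when this thread was written, whitelisting as above was the available option.)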