[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
WordPress Trac
wp-trac at lists.automattic.com
Wed Jul 4 16:52:36 GMT 2007
#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
---------------------------------------------------------------+------------
Reporter: markjaquith | Owner: markjaquith
Type: task | Status: assigned
Priority: normal | Milestone: 2.3 (trunk)
Component: Security | Version: 2.3
Severity: normal | Resolution:
Keywords: sql prepared statement sprintf injection security |
---------------------------------------------------------------+------------
Comment (by Nazgul):
Replying to [comment:2 markjaquith]:
> * While going through, we can mark functions that expect pre-escaped
> data, for fixing in 2.4, with {{{// pre-escaped}}}
Why wait till 2.4 to fix those? We'll have to go over all the code for
this change anyway, so why not fix it while we're at it? (Tracking of
those changes could and should be done in separate tickets linking to this
one though)
Replying to [comment:4 markjaquith]:
> * All uses of '%s' should either be quoted (for values) or strictly
> filtered through a list of allowed values (for things like %s representing
> a column name for ORDER BY). If the latter, this should be done as close
> to the SQL query as possible so that we can verify that it is not a SQL
> injection hole.
We could quote %s automatically if it isn't and introduce a %t for column
names. The prepare function could validate those and turn them into %s for
sprintf if they are valid or 'abort' otherwise.
--
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
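The scheme Nazgul sketches above (auto-quote %s, add a %t placeholder that is checked against an allow-list and aborts otherwise) is shown below as an added example. It is not WordPress code and not wpdb::prepare(); the function names prepare_sql() and sql_escape_value(), the allow-list contents and the sample inputs are all assumptions made for this illustration. The escaper is a stand-in for the connection-aware mysqli_real_escape_string(), which real code should use so that escaping matches the connection charset.

```php
<?php
declare(strict_types=1);

// Stand-in escaper (assumption for this example): mirrors the characters a
// MySQL client escaper handles so the example runs without a database.
// Production code must use mysqli_real_escape_string() on the live connection.
function sql_escape_value(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

/**
 * sprintf()-style SQL preparer. Placeholders:
 *   %d  integer value (cast to int, emitted unquoted)
 *   %s  string value, escaped and wrapped in single quotes; a %s the caller
 *       already wrote as '%s' still ends up with exactly one pair of quotes
 *   %t  identifier (column or table name): must appear in $allowed_identifiers
 *       or the whole query is aborted; emitted backtick-quoted, never escaped
 *   %%  literal percent sign
 * Substitution happens in a single pass, so a value containing '%s' is never
 * re-expanded.
 */
function prepare_sql(string $query, array $args, array $allowed_identifiers): string
{
    // Collapse quotes the caller put around %s so auto-quoting cannot yield ''x''.
    $query = str_replace("'%s'", '%s', $query);
    $i = 0;

    return preg_replace_callback(
        '/%(%|[dst])/',
        function (array $m) use (&$i, $args, $allowed_identifiers): string {
            if ($m[1] === '%') {
                return '%';
            }
            if (!array_key_exists($i, $args)) {
                throw new InvalidArgumentException("Too few arguments for placeholder #$i");
            }
            $arg = $args[$i++];
            switch ($m[1]) {
                case 'd':
                    return (string) (int) $arg;
                case 's':
                    return "'" . sql_escape_value((string) $arg) . "'";
                default: // 't'
                    // Identifiers cannot be escaped into safety; they are allow-listed.
                    if (!in_array($arg, $allowed_identifiers, true)) {
                        throw new InvalidArgumentException("Identifier not in allow-list: " . (string) $arg);
                    }
                    return '`' . $arg . '`';
            }
        },
        $query
    );
}

// Constructed sample inputs (assumptions): one hostile string value and one
// hostile ORDER BY column name.
$allowed = ['ID', 'post_date', 'post_title'];
$title   = "O'Reilly'; DROP TABLE wp_posts; --";

echo prepare_sql(
    "SELECT ID FROM wp_posts WHERE post_title = '%s' AND ID > %d ORDER BY %t",
    [$title, '42abc', 'post_date'],
    $allowed
), "\n";

try {
    prepare_sql("SELECT ID FROM wp_posts ORDER BY %t", ['post_date; DROP TABLE wp_posts'], $allowed);
} catch (InvalidArgumentException $e) {
    echo "Aborted: ", $e->getMessage(), "\n";
}
```

The first call quotes and escapes the string argument and casts the second to an integer, and the ORDER BY column goes through the allow-list; the second call aborts before any SQL is assembled because the identifier is not on the list. Anything else that cannot be parameterised as a value (sort direction, LIMIT counts, table names) needs the same allow-list or cast treatment as %t and %d, done as close to the query as possible so the check is visible at the call site.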