[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping

WordPress Trac wp-trac at lists.automattic.com
Wed Jul 4 16:52:36 GMT 2007

#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
 Reporter:  markjaquith                                        |        Owner:  markjaquith
     Type:  task                                               |       Status:  assigned   
 Priority:  normal                                             |    Milestone:  2.3 (trunk)
Component:  Security                                           |      Version:  2.3        
 Severity:  normal                                             |   Resolution:             
 Keywords:  sql prepared statement sprintf injection security  |  
Comment (by Nazgul):

 Replying to [comment:2 markjaquith]:
 >  * While going through, we can mark functions that expect pre-escaped
 >  data, for fixing in 2.4, with {{{// pre-escaped}}}
 Why wait till 2.4 to fix those? We'll have to go over all the code for
 this change anyway, so why not fix it while we're at it? (Tracking of
 those changes could and should be done in separate tickets linking to this
 one though)

 Replying to [comment:4 markjaquith]:
 >  * All uses of '%s' should either be quoted (for values) or strictly
 >  filtered through a list of allowed values (for things like %s representing
 >  a column name for ORDER BY). If the latter, this should be done as close
 >  to the SQL query as possible so that we can verify that it is not a SQL
 >  injection hole.
 We could quote %s automatically if it isn't and introduce a %t for column
 names. The prepare function could validate those and turn them into %s for
 sprintf if they are valid or 'abort' otherwise.

Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
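The scheme Nazgul sketches above (a %s that is always quoted, plus a %t for identifiers that is checked against a list of allowed values and aborts otherwise), written out as an added illustration; this is not code from the ticket or from WordPress. The function name prepare(), the backtick output for %t, the %d directive, the allow-list contents, the sample query and the stand-in escaper are all assumptions of this example.

```php
<?php
// Added sketch of the scheme proposed in comment 5 (not WordPress code): a
// sprintf()-like prepare() that auto-quotes %s, casts %d to int, and accepts
// %t only for identifiers on an allow-list. The escaper is passed in so the
// example runs without a database connection.
function prepare(string $query, array $args, array $allowed_columns, callable $escape): string
{
    $i = 0;
    $out = preg_replace_callback(
        "/('?)%([sdt])('?)/",  // optional quotes around %s are swallowed, so '%s' is not double-quoted
        function (array $m) use (&$i, $args, $allowed_columns, $escape): string {
            if (!array_key_exists($i, $args)) {
                throw new InvalidArgumentException('Too few arguments for query');
            }
            $value = $args[$i++];
            switch ($m[2]) {
                case 'd': // integer cast: no quoting needed, trailing junk is dropped
                    return (string) (int) $value;
                case 's': // always escaped and quoted, whether or not the author wrote '%s'
                    return "'" . $escape((string) $value) . "'";
                default:  // %t: column/table name, exact allow-list match or abort
                    if (!in_array($value, $allowed_columns, true)) {
                        throw new InvalidArgumentException("Identifier not allowed: $value");
                    }
                    return '`' . $value . '`';
            }
        },
        $query
    );
    if ($i !== count($args)) {
        throw new InvalidArgumentException('Too many arguments for query');
    }
    return $out;
}
// Stand-in escaper for the demo only; real code must use the connection's
// charset-aware escaper (mysqli_real_escape_string).
$escape = fn(string $s): string => str_replace(["\\", "'"], ["\\\\", "\\'"], $s);
$allowed = ['ID', 'post_title', 'post_date'];  // constructed allow-list for ORDER BY

echo prepare(
    "SELECT ID FROM wp_posts WHERE post_title = '%s' AND post_status = %s ORDER BY %t LIMIT %d",
    ["O'Reilly", 'publish', 'post_date', '10 apples'],
    $allowed, $escape
), "\n";

try { // an identifier that is not on the allow-list aborts instead of reaching SQL
    prepare('SELECT ID FROM wp_posts ORDER BY %t', ['post_date DESC'], $allowed, $escape);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first call yields one pair of quotes around the escaped title even though the author wrote '%s', and the second call shows why the identifier check must be an exact allow-list match rather than a pattern: "post_date DESC" is rejected before it can reach the query.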
