[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping

WordPress Trac wp-trac at lists.automattic.com
Wed Jul 4 21:12:28 GMT 2007

#4553: Consider using local prepared-statement/sprintf()-like system for last-
second SQL escaping
 Reporter:  markjaquith                                        |        Owner:  markjaquith
     Type:  task                                               |       Status:  assigned   
 Priority:  normal                                             |    Milestone:  2.3 (trunk)
Component:  Security                                           |      Version:  2.3        
 Severity:  normal                                             |   Resolution:             
 Keywords:  sql prepared statement sprintf injection security  |  
Comment (by markjaquith):

 Replying to [comment:5 Nazgul]:
 > Why wait till 2.4 to fix those? We'll have to go over all the code for
 this change anyway, so why not fix it while we're at it? (Tracking of
 those changes could and should be done in separate tickets linking to this
 one though)

 Because it will break a few plugins, and there's not enough lead time.  We
 can, however, look for functions that expect pre-escaped date and then do
 {{{stripslashes()}}} on the data and then mark that for removal in 2.4

 > We could quote %s automatically if it isn't and introduce a %t for
 column names. The prepare function could validate those and turn them into
 %s for sprintf if they are valid or 'abort' otherwise.

 I considered that, but it'd require us to write our own sprintf()-like
 code in order to figure out which parameter corresponds to the %t.  That
 seems clunky and slow.  If only sprintf() had callback functionality.
 Unless you see an elegant workaround for that.  I'm not too worried...
 those unquoted %s's are going to stick out like a sore thumb (we could
 grep for them, even) and we'll be able to scan them and verify that they
 are filtered appropriately.

Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:6>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list