[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
WordPress Trac
wp-trac at lists.automattic.com
Wed Jul 4 21:12:28 GMT 2007
#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
---------------------------------------------------------------+------------
Reporter: markjaquith | Owner: markjaquith
Type: task | Status: assigned
Priority: normal | Milestone: 2.3 (trunk)
Component: Security | Version: 2.3
Severity: normal | Resolution:
Keywords: sql prepared statement sprintf injection security |
---------------------------------------------------------------+------------
Comment (by markjaquith):
Replying to [comment:5 Nazgul]:
> Why wait till 2.4 to fix those? We'll have to go over all the code for
> this change anyway, so why not fix it while we're at it? (Tracking of
> those changes could and should be done in separate tickets linking to this
> one though)
Because it will break a few plugins, and there's not enough lead time. We
can, however, look for functions that expect pre-escaped data and then do
{{{stripslashes()}}} on the data, and then mark that for removal in 2.4.
> We could quote %s automatically if it isn't and introduce a %t for
> column names. The prepare function could validate those and turn them into
> %s for sprintf if they are valid or 'abort' otherwise.
I considered that, but it'd require us to write our own sprintf()-like
code in order to figure out which parameter corresponds to the %t. That
seems clunky and slow. If only sprintf() had callback functionality.
Unless you see an elegant workaround for that. I'm not too worried...
those unquoted %s's are going to stick out like a sore thumb (we could
grep for them, even) and we'll be able to scan them and verify that they
are filtered appropriately.
--
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:6>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
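The sketch below is an added illustration of the mechanism the thread debates, not code from this ticket or from WordPress's own {{{$wpdb->prepare()}}}: a sprintf()-like preparer that auto-quotes %s, casts %d, and validates a hypothetical %t identifier placeholder. It uses preg_replace_callback() as the "callback" that plain sprintf() lacks, which is what lets each placeholder be matched to its positional argument; the escape helper and function names are constructed for the example.

```php
<?php
// Hypothetical demo, not WordPress's wpdb::prepare(). Placeholders: %s (auto-quoted
// string), %d (integer), %t (table/column identifier, validated and backtick-quoted).

function demo_escape_string(string $value): string {
    // Constructed stand-in for a driver escape such as mysqli_real_escape_string().
    return strtr($value, ["\\" => "\\\\", "'" => "\\'", "\0" => "\\0",
                          "\n" => "\\n", "\r" => "\\r"]);
}

function demo_prepare(string $query, array $args): string {
    $i = 0;
    // Optional surrounding quotes are captured so that '%s' and %s both yield one quoted value.
    return preg_replace_callback(
        "/(')?%([sdt])(')?/",
        function (array $m) use ($args, &$i): string {
            if (!array_key_exists($i, $args)) {
                throw new InvalidArgumentException("missing argument for placeholder " . $m[0]);
            }
            $arg    = $args[$i++];
            $prefix = $m[1];
            $suffix = $m[3] ?? '';
            switch ($m[2]) {
                case 'd':
                    return $prefix . (string) (int) $arg . $suffix;
                case 's':
                    // Quote %s automatically; if the template already wrote '%s', the quotes
                    // were consumed by the match so the value is not double-quoted.
                    return "'" . demo_escape_string((string) $arg) . "'";
                default: // 't'
                    // Identifiers cannot be protected by value quoting, so allow only
                    // identifier characters and abort on anything else.
                    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $arg)) {
                        throw new InvalidArgumentException("invalid identifier for %t: " . $arg);
                    }
                    return $prefix . '`' . $arg . '`' . $suffix;
            }
        },
        $query
    );
}

// Constructed inputs: a valid column name, a string containing a quote, a non-numeric id.
echo demo_prepare("SELECT %t FROM wp_posts WHERE post_title = '%s' AND ID = %d",
                  ["post_content", "O'Reilly", "7abc"]), "\n";

// A %t argument that is not a bare identifier is rejected rather than spliced in.
try {
    demo_prepare("SELECT %t FROM wp_posts", ["post_content, post_password"]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```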