[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping

WordPress Trac wp-trac at lists.automattic.com
Thu Jul 5 14:36:26 GMT 2007

#4553: Consider using local prepared-statement/sprintf()-like system for last-
second SQL escaping
 Reporter:  markjaquith                                        |        Owner:  markjaquith
     Type:  task                                               |       Status:  assigned   
 Priority:  normal                                             |    Milestone:  2.3 (trunk)
Component:  Security                                           |      Version:  2.3        
 Severity:  normal                                             |   Resolution:             
 Keywords:  sql prepared statement sprintf injection security  |  
Comment (by nbachiyski):

 * About the automated quoting: in most of the cases it will cause no
 problems. And in the rare cases, in which we don't have to quote some
 part, we can just escape it manually and insert it directly as an
 interpolated variable (like the table names now).
  * {{{sprintf}}} converts non-int values to zero. Is it the desired
  * Couldn't we have a method, which both supports arguments and runs the
 query? Something like:
 $wpdb->smartnamehere("UPDATE t SET foo = '%s'", $foo);

Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:7>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list