[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
WordPress Trac
wp-trac at lists.automattic.com
Thu Jul 5 14:36:26 GMT 2007
#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
---------------------------------------------------------------+------------
Reporter: markjaquith | Owner: markjaquith
Type: task | Status: assigned
Priority: normal | Milestone: 2.3 (trunk)
Component: Security | Version: 2.3
Severity: normal | Resolution:
Keywords: sql prepared statement sprintf injection security |
---------------------------------------------------------------+------------
Comment (by nbachiyski):
* About the automated quoting: in most cases it will cause no
problems. And in the rare cases in which we don't have to quote some
part, we can just escape it manually and insert it directly as an
interpolated variable (like the table names now).
* {{{sprintf}}} converts non-int values to zero. Is that the desired
behaviour?
* Couldn't we have a method which both supports arguments and runs the
query? Something like:
{{{
$wpdb->smartnamehere("UPDATE t SET foo = '%s'", $foo);
}}}
--
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:7>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
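Added example, not code from the ticket, the patch under discussion, or WordPress itself: a minimal PHP sketch of the sprintf()-style "last-second" escaping the comment is about. `%s` is escaped and single-quoted, `%d` is cast to int (so non-numeric input becomes 0, the sprintf() behaviour nbachiyski asks about), `%%` is a literal percent, and one method both takes the arguments and runs the query. The class name SafeDb, its methods, the use of addslashes() as an offline stand-in for a connection-aware escaper, and the sample strings are all assumptions made for this illustration.

```php
<?php
// Illustration only (not WordPress code): a sprintf()-like "prepare" that
// escapes and quotes values just before the SQL is run. All names here
// (SafeDb, prepare, query, the sample data) are hypothetical.

final class SafeDb
{
    /** @var callable(string):string escaper, e.g. [$mysqli, 'real_escape_string'] */
    private $escape;
    /** @var callable(string):mixed  executor that actually sends the SQL */
    private $run;

    public function __construct(callable $escape, callable $run)
    {
        $this->escape = $escape;
        $this->run    = $run;
    }

    /**
     * Replace placeholders with escaped, quoted arguments.
     *   %s -> escaped and single-quoted string
     *   %d -> integer; non-numeric input becomes 0, as with sprintf()
     *   %% -> literal percent sign
     * Anything else after '%' is rejected, so a stray '%' in the format
     * cannot silently swallow an argument or shift the remaining ones.
     */
    public function prepare(string $format, ...$args): string
    {
        $i = 0;
        $out = preg_replace_callback('/%(.)/s', function (array $m) use (&$i, $args) {
            switch ($m[1]) {
                case '%':
                    return '%';
                case 's':
                    if (!array_key_exists($i, $args)) {
                        throw new InvalidArgumentException('missing argument for %s');
                    }
                    return "'" . ($this->escape)((string) $args[$i++]) . "'";
                case 'd':
                    if (!array_key_exists($i, $args)) {
                        throw new InvalidArgumentException('missing argument for %d');
                    }
                    // Explicit int cast: "abc" becomes 0, "7abc" becomes 7.
                    return (string) (int) $args[$i++];
                default:
                    throw new InvalidArgumentException("unknown placeholder %{$m[1]}");
            }
        }, $format);

        if ($i !== count($args)) {
            throw new InvalidArgumentException('unused arguments passed to prepare()');
        }
        return $out;
    }

    /** Prepare and run in one call: the "smartnamehere" idea from the comment. */
    public function query(string $format, ...$args)
    {
        return ($this->run)($this->prepare($format, ...$args));
    }
}

// Offline demo. addslashes() stands in for mysqli_real_escape_string(),
// which needs an open connection because it must know the connection
// charset; never use addslashes() against a real database.
$db = new SafeDb('addslashes', function (string $sql) {
    echo $sql, "\n";   // a real executor would send this to the server
    return true;
});

// Constructed attacker-style input.
$untrusted = "x'; DROP TABLE wp_posts; --";
$db->query(
    "UPDATE wp_options SET option_value = %s WHERE option_id = %d",
    $untrusted,
    "7abc"
);

// Identifiers cannot be quoted like values. As the comment says for table
// names, sanitise them separately and interpolate them directly.
$rawTable = "wp_posts; --";
$table    = preg_replace('/[^A-Za-z0-9_]/', '', $rawTable);
$db->query("SELECT ID FROM {$table} WHERE post_title = %s", $untrusted);
```

The first query comes out with the quote in `$untrusted` backslash-escaped inside the single quotes and `option_id = 7`, which is exactly the sprintf()-style truncation of `"7abc"` the comment asks about: convenient for ids, but it means a bad id is silently turned into a different, valid one rather than rejected, so callers that care should validate before passing it in. The placeholder walker also refuses unknown conversions and mismatched argument counts, which is the check you want at the "last second" so that a format string and its arguments cannot drift apart without failing loudly.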