[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
WordPress Trac
wp-trac at lists.automattic.com
Thu Jul 5 16:23:51 GMT 2007
#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
---------------------------------------------------------------+------------
Reporter: markjaquith | Owner: markjaquith
Type: task | Status: assigned
Priority: normal | Milestone: 2.3 (trunk)
Component: Security | Version: 2.3
Severity: normal | Resolution:
Keywords: sql prepared statement sprintf injection security |
---------------------------------------------------------------+------------
Comment (by Otto42):
Replying to [comment:7 nbachiyski]:
> * Couldn't we have a method which both supports arguments and runs the query? Something like:
> {{{
> $wpdb->smartnamehere("UPDATE t SET foo = '%s'", $foo);
> }}}
+1. Calling query(prepare(...)) seems like something you're going to be
doing a lot. Making a function to do all this at once seems like an
obvious move. Also, it will discourage direct use of query by plugin
authors.
I have no idea what to name it. execute? dbgetf? ;)
--
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:8>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
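As an added illustration of what this thread is proposing, here is a minimal sprintf()-style escaping layer with the combined prepare-and-run method the comment asks for. This is example code written for this page, not WordPress code and not the $wpdb API; the DemoDb class, its prepare/execute/getVar names, and the use of an in-memory SQLite database through PDO for the escaping rules are all assumptions made for the example.

```php
<?php
// Illustrative only (not WordPress code): a sprintf()-like query builder
// that escapes each argument according to its placeholder, plus one method
// that prepares and runs in a single call. Backed by SQLite via PDO so it
// runs offline; class and method names are hypothetical.
class DemoDb {
    private PDO $pdo;

    public function __construct(PDO $pdo) {
        $this->pdo = $pdo;
    }

    // Escape a string for use inside single quotes. PDO::quote() returns the
    // value already wrapped in quotes with inner quotes doubled (SQLite's
    // rule), so the outer pair is stripped to get an escape-only result. A
    // real driver layer would call that driver's own escape routine instead.
    private function escape(string $value): string {
        return substr($this->pdo->quote($value), 1, -1);
    }

    // %s is escaped for a quoted context, %d is cast to an integer, %% is a
    // literal percent sign. Arguments are consumed in order; a missing or
    // surplus argument is an error rather than a silently wrong query.
    public function prepare(string $format, ...$args): string {
        $i = 0;
        $sql = preg_replace_callback('/%([sd%])/', function (array $m) use (&$i, $args): string {
            if ($m[1] === '%') {
                return '%';
            }
            if (!array_key_exists($i, $args)) {
                throw new InvalidArgumentException("missing argument for placeholder " . ($i + 1));
            }
            $arg = $args[$i++];
            return $m[1] === 'd' ? (string) (int) $arg : $this->escape((string) $arg);
        }, $format);
        if ($i !== count($args)) {
            throw new InvalidArgumentException("too many arguments for format: $format");
        }
        return $sql;
    }

    // The "do both at once" method from the thread: escape, then run.
    public function execute(string $format, ...$args): int {
        return (int) $this->pdo->exec($this->prepare($format, ...$args));
    }

    // Convenience: first column of the first row, or false if no row.
    public function getVar(string $format, ...$args) {
        return $this->pdo->query($this->prepare($format, ...$args))->fetchColumn();
    }
}

// Demo against an in-memory SQLite database (constructed data).
$db = new DemoDb(new PDO('sqlite::memory:'));
$db->execute("CREATE TABLE t (id INTEGER PRIMARY KEY, foo TEXT)");
$db->execute("INSERT INTO t (foo) VALUES ('%s')", "initial");

// A constructed value containing a quote and a trailing statement. Because
// %s is escaped, it is stored as a plain string and the table is untouched.
$foo = "O'Reilly'; DROP TABLE t; --";
$db->execute("UPDATE t SET foo = '%s' WHERE id = %d", $foo, "1");

echo $db->prepare("UPDATE t SET foo = '%s' WHERE id = %d", $foo, 1), "\n";
echo ($db->getVar("SELECT foo FROM t WHERE id = %d", 1) === $foo ? "stored literally" : "mismatch"), "\n";
echo "rows in t: ", $db->getVar("SELECT count(*) FROM t"), "\n";
```

Note that this is still client-side string interpolation, which is exactly the "last-second escaping" the ticket title describes, not a server-side prepared statement: the safety comes from every %s passing through the driver's escape routine and every %d being cast, so plugin code never concatenates raw input into SQL. Running query() on a string that was not built this way bypasses the protection, which is why a single combined method that discourages direct query() use is attractive.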