[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping

WordPress Trac wp-trac at lists.automattic.com
Thu Jul 5 16:23:51 GMT 2007

#4553: Consider using local prepared-statement/sprintf()-like system for last-
second SQL escaping
 Reporter:  markjaquith                                        |        Owner:  markjaquith
     Type:  task                                               |       Status:  assigned   
 Priority:  normal                                             |    Milestone:  2.3 (trunk)
Component:  Security                                           |      Version:  2.3        
 Severity:  normal                                             |   Resolution:             
 Keywords:  sql prepared statement sprintf injection security  |  
Comment (by Otto42):

 Replying to [comment:7 nbachiyski]:
 >  * Couldn't we have a method, which both supports arguments and runs the
 query? Something like:
 > {{{
 > $wpdb->smartnamehere("UPDATE t SET foo = '%s'", $foo);
 > }}}

 +1. Calling query(prepare(...)) seems like something you're going to be
 doing a lot. Making a function to do all this at once seems like an
 obvious move. Also, it will discourage direct use of query by plugin

 I have no idea what to name it. execute? dbgetf? ;)

Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:8>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list