[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
WordPress Trac
wp-trac at lists.automattic.com
Thu Jul 5 17:13:35 GMT 2007
#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
---------------------------------------------------------------+------------
Reporter: markjaquith | Owner: markjaquith
Type: task | Status: assigned
Priority: normal | Milestone: 2.3 (trunk)
Component: Security | Version: 2.3
Severity: normal | Resolution:
Keywords: sql prepared statement sprintf injection security |
---------------------------------------------------------------+------------
Comment (by markjaquith):
> About the automated quoting: in most of the cases it will cause no
> problems. And in the rare cases, in which we don't have to quote some
> part, we can just escape it manually and insert it directly as an
> interpolated variable (like the table names now).
That might be good. But we'd have to either look out (manually or via
regex) for {{{'%s'}}}, because otherwise {{{'%s'}}} would turn into
{{{''%s''}}} (that's two groupings of single quotes), which is dangerous.
Also, without a lot of expensive regex, we'll have to limit ourselves to
simple %s ... no getting fancy with sprintf() features.
And actually, using naked %s might be close to actual SQL prepared
statements, in which they use a naked question mark. So yeah, that
sounds like a good idea. I'll work on that.
> Couldn't we have a method, which both supports arguments and runs the
> query?
Not really, because the existing methods take multiple arguments. And
there are a lot of methods: {{{get_var()}}}, {{{get_row()}}},
{{{query()}}}, {{{get_results()}}}, {{{get_col()}}}. So I think it is best
to have one escaping function.
> sprintf converts non-int values to zero. Is it the desired behaviour?
{{{
<?php
printf("This is a sprintf() int: %d\n", '10BLAH');
printf("This is a PHP int: %s\n", (int) '10BLAH');
printf("This is a sprintf() int: %d\n", 'foo');
printf("This is an PHP int: %s", (int) 'foo');
?>
}}}
Output:
{{{
This is a sprintf() int: 10
This is a PHP int: 10
This is a sprintf() int: 0
This is an PHP int: 0
}}}
Behaves the same as PHP (int) casting in those situations.
--
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:9>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
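An added example, not code from the ticket or from wpdb, modelling in Python the one escaping function the comment sketches: plain %s values are escaped and single-quoted, %d values are cast the way the sprintf()/(int) output above behaves, and a template written as '%s' is collapsed first so auto-quoting cannot yield ''%s''. The escape set is an assumption (a simplified, charset-agnostic imitation of what mysql_real_escape_string() escapes).

```python
import re

# Assumption: simplified, charset-agnostic imitation of the characters
# mysql_real_escape_string() escapes; this is not wpdb's own code.
_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
    "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}

# Only naked %s, %d and the literal %% are supported, as the comment proposes.
_PLACEHOLDER = re.compile(r"%[sd%]")


def sql_escape(value):
    """Backslash-escape a value so it is safe inside single quotes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in str(value))


def php_int_cast(value):
    """Mimic PHP (int) and sprintf('%d') on strings: leading integer, else 0."""
    match = re.match(r"\s*[+-]?\d+", str(value))
    return int(match.group()) if match else 0


def prepare(query, *args):
    """Bind args into a %s/%d template; %% yields a literal percent sign."""
    # Collapse a pre-quoted '%s' first; otherwise auto-quoting the value
    # would produce ''value'' (the hazard raised in the comment).
    query = query.replace("'%s'", "%s")
    specs = [m.group() for m in _PLACEHOLDER.finditer(query) if m.group() != "%%"]
    if len(specs) != len(args):
        raise ValueError(f"expected {len(specs)} arguments, got {len(args)}")
    values = iter(args)

    def bind(match):
        spec = match.group()
        if spec == "%%":
            return "%"
        arg = next(values)
        if spec == "%d":
            return str(php_int_cast(arg))
        return "'" + sql_escape(arg) + "'"

    # re.sub never rescans replacement text, so a bound value containing
    # %s or %d is inserted as data and never treated as a placeholder.
    return _PLACEHOLDER.sub(bind, query)


if __name__ == "__main__":
    # Constructed sample query; the table name is interpolated directly,
    # as the comment says, while the values go through the placeholders.
    print(prepare("SELECT * FROM wp_posts WHERE post_title = %s AND ID = %d",
                  "O'Reilly", "10BLAH"))
```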