[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping

WordPress Trac wp-trac at lists.automattic.com
Thu Jul 5 17:13:35 GMT 2007


#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
---------------------------------------------------------------+------------
 Reporter:  markjaquith                                        |        Owner:  markjaquith
     Type:  task                                               |       Status:  assigned   
 Priority:  normal                                             |    Milestone:  2.3 (trunk)
Component:  Security                                           |      Version:  2.3        
 Severity:  normal                                             |   Resolution:             
 Keywords:  sql prepared statement sprintf injection security  |  
---------------------------------------------------------------+------------
Comment (by markjaquith):

 > About the automated quoting: in most of the cases it will cause no
 problems. And in the rare cases, in which we don't have to quote some
 part, we can just escape it manually and insert it directly as an
 interpolated variable (like the table names now).

 That might be good.  But we'd have to either look out (manually or via
 regex) for {{{'%s'}}}, because otherwise {{{'%s'}}} would turn into
 {{{''%s''}}} (that's two groupings of single quotes), which is dangerous.
 Also, without a lot of expensive regex, we'll have to limit ourselves to
 simple %s ... no getting fancy with sprintf() features.

 And actually, using naked %s might be close to actual SQL prepared
 statements, in which they use a naked question mark.  So yeah, that
 sounds like a good idea.  I'll work on that.

 > Couldn't we have a method, which both supports arguments and runs the
 query?

 Not really, because the existing methods take multiple arguments.  And
 there are a lot of methods: {{{get_var()}}}, {{{get_row()}}},
 {{{query()}}}, {{{get_results()}}}, {{{get_col()}}}.  So I think it is best
 to have one escaping function.

 > sprintf converts non-int values to zero. Is it the desired behaviour?

 {{{
 <?php
 printf("This is a sprintf() int: %d\n", '10BLAH');
 printf("This is a PHP int: %s\n", (int) '10BLAH');
 printf("This is a sprintf() int: %d\n", 'foo');
 printf("This is an PHP int: %s", (int) 'foo');
 ?>
 }}}

 Output:

 {{{
 This is a sprintf() int: 10
 This is a PHP int: 10
 This is a sprintf() int: 0
 This is an PHP int: 0
 }}}

 Behaves the same as PHP (int) casting in those situations.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:9>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
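The scheme discussed in the comment above (bare %s/%d placeholders, with the escaping function quoting each %s argument itself and treating an already-quoted '%s' as an error) can be illustrated with the following added example. It is not WordPress code and not the author's implementation; the function name prepare_query() is hypothetical, and addslashes() stands in for a connection-aware escaper so the script runs without a database.

```php
<?php
// Added illustration, not WordPress code: a minimal sprintf()-style query
// builder along the lines proposed in the ticket.
// Assumptions: placeholders are limited to bare %s and %d (plus %% for a
// literal percent); %s arguments are escaped and wrapped in single quotes
// by the function, %d arguments are cast with (int). addslashes() is only
// a stand-in for running offline; real code must use the driver's escaping
// function (e.g. mysqli_real_escape_string), which knows the connection charset.

function escape_for_sql($value) {
    return addslashes((string) $value);
}

function prepare_query($query, array $args) {
    // The hazard raised in the ticket: a hand-quoted '%s' would become
    // ''escaped'' after substitution, which is two empty strings around an
    // unquoted value. Refuse such templates instead of trying to repair them.
    if (preg_match("/'%[sd]'/", $query)) {
        throw new InvalidArgumentException(
            "Do not quote placeholders yourself; use a bare %s or %d");
    }

    $i = 0;
    return preg_replace_callback('/%([sd%])/', function ($m) use (&$i, $args) {
        if ($m[1] === '%') {
            return '%';                       // literal percent, consumes no argument
        }
        if (!array_key_exists($i, $args)) {
            throw new InvalidArgumentException("Missing argument for placeholder #$i");
        }
        $arg = $args[$i++];
        if ($m[1] === 'd') {
            // Same behaviour as sprintf()/(int): '10BLAH' -> 10, 'foo' -> 0
            return (string) (int) $arg;
        }
        // Every %s is escaped and quoted here, so callers never add quotes.
        return "'" . escape_for_sql($arg) . "'";
    }, $query);
}

// Constructed sample inputs.
echo prepare_query("SELECT * FROM wp_posts WHERE post_title = %s AND ID = %d",
                   array("O'Reilly", '10BLAH')), "\n";
// SELECT * FROM wp_posts WHERE post_title = 'O\'Reilly' AND ID = 10

echo prepare_query("SELECT * FROM wp_posts WHERE post_title LIKE %s AND 100%%2 = %d",
                   array('%draft%', 'foo')), "\n";
// SELECT * FROM wp_posts WHERE post_title LIKE '%draft%' AND 100%2 = 0

try {
    prepare_query("SELECT * FROM wp_posts WHERE post_title = '%s'", array('x'));
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), "\n";
}
```

Two points worth noting for a reviewer: the template check is a plain regex over the query string, which is cheap because only the two bare specifiers are allowed, and the argument count is verified while substituting, so a template with more placeholders than values fails loudly rather than silently leaving a raw %s in the SQL.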