[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
WordPress Trac
wp-trac at lists.automattic.com
Thu Jul 5 17:40:51 GMT 2007
#4553: Consider using local prepared-statement/sprintf()-like system for last-
second SQL escaping
---------------------------------------------------------------+------------
Reporter: markjaquith | Owner: markjaquith
Type: task | Status: assigned
Priority: normal | Milestone: 2.3 (trunk)
Component: Security | Version: 2.3
Severity: normal | Resolution:
Keywords: sql prepared statement sprintf injection security |
---------------------------------------------------------------+------------
Comment (by markjaquith):
Okay, now {{{%s}}} gets quoted automatically, after first being unquoted,
just to be sure.
New:
{{{
$wpdb->query($wpdb->prepare("UPDATE $wpdb->tablename SET foo = %s WHERE
blah = %s LIMIT %d", $var, $var2, $limit));
}}}
Do we have a function that can be used to sanitize column names?
{{{A-Za-z0-9_\.}}} should be fine. It's more restrictive than MySQL is,
but it'd just be used internally.
--
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:11>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
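As an added illustration (not code from the ticket or from WordPress itself), a minimal PHP sketch of the behaviour the comment describes: `%s` is first unquoted, then escaped and re-quoted automatically, `%d` is coerced to an integer, and table/column names, which cannot be quoted, are allowlisted with the proposed `A-Za-z0-9_\.` class. The `demo_*` helper names and the use of `addslashes()` as a connection-free stand-in for the driver's escaping function are assumptions.

```php
<?php
// Added example: a prepare()-style helper in the spirit of the ticket.
// Not WordPress code; helper names and escaping function are assumptions.

// Escape a string for use inside single quotes. Real code must use the
// driver's escaper (e.g. mysqli_real_escape_string); addslashes() is only a
// stand-in so this example runs without a database connection.
function demo_escape(string $value): string {
    return addslashes($value);
}

// %s placeholders are unquoted ('%s' / "%s" -> %s) so callers can never
// double-quote a value, then every %s is quoted and its argument escaped.
// %d relies on vsprintf() coercing the argument to an integer.
function demo_prepare(string $query, ...$args): string {
    $query = str_replace(["'%s'", '"%s"'], '%s', $query);
    $query = str_replace('%s', "'%s'", $query);
    foreach ($args as $i => $arg) {
        $args[$i] = is_int($arg) ? $arg : demo_escape((string) $arg);
    }
    return vsprintf($query, $args);
}

// Identifiers cannot be protected by quoting, so they are allowlisted with
// the character class proposed in the comment (stricter than MySQL allows).
function demo_sanitize_identifier(string $name): string {
    if (!preg_match('/^[A-Za-z0-9_.]+$/', $name)) {
        throw new InvalidArgumentException("Invalid identifier: $name");
    }
    return $name;
}

// Constructed sample input: a value containing a quote, a quoted %s that
// would otherwise be double-quoted, and a string where an integer is expected.
$column = demo_sanitize_identifier('foo');
$sql = demo_prepare(
    "UPDATE wp_options SET $column = %s WHERE blah = '%s' LIMIT %d",
    "O'Reilly", 'x', '5'
);
echo $sql, "\n";
```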