[wp-trac] [WordPress Trac] #5145: Proper use of prepared statements

WordPress Trac wp-trac at lists.automattic.com
Thu Oct 4 20:18:07 GMT 2007


#5145: Proper use of prepared statements
---------------------+------------------------------------------------------
 Reporter:  xknown   |       Owner:  anonymous
     Type:  defect   |      Status:  new      
 Priority:  normal   |   Milestone:  2.4      
Component:  General  |     Version:           
 Severity:  normal   |    Keywords:           
---------------------+------------------------------------------------------
 I upgraded my blog to the latest svn revision (6188) and it fails to
 update/create a post if it contains `%d`, `%s` or any (`printf`) type
 modifier in a field that can accept strings: post_content, post_title,
 post_excerpt...

 A quick look at the code revealed the problem:
 {{{
 $wpdb->query(
         $wpdb->prepare(
         "UPDATE IGNORE $wpdb->posts SET
         post_author = '$post_author',
         post_date = '$post_date',
         post_date_gmt = '$post_date_gmt',
         post_content = '$post_content',
         post_content_filtered = '$post_content_filtered',
         post_title = '$post_title',
         post_excerpt = '$post_excerpt',
         post_status = '$post_status',
         post_type = '$post_type',
         comment_status = '$comment_status',
         ping_status = '$ping_status',
         post_password = '$post_password',
         post_name = '$post_name',
         to_ping = '$to_ping',
         pinged = '$pinged',
         post_modified = '".current_time('mysql')."',
         post_modified_gmt = '".current_time('mysql',1)."',
         post_parent = %d,
         menu_order = '$menu_order'
         WHERE ID = %d"
         , $post_parent, $post_ID ));
 }}}
 You shouldn't concatenate variables if their value will likely contain a `%`.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5145>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
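A stand-alone PHP illustration of the failure the ticket describes, added here as an example; it is not WordPress code and not part of the ticket. `prepare_stub()` is a simplified stand-in for `$wpdb->prepare()` that escapes each argument and then substitutes with `vsprintf()` (the `addslashes()` call is a placeholder for the driver-level escaping a real database layer would use). The table name, the sample post content and the helper names are assumptions made for the example.

```php
<?php
// Added example (not WordPress code). prepare_stub() stands in for
// $wpdb->prepare(): escape every argument, then substitute with vsprintf().
// addslashes() is only a placeholder for real driver-level escaping.
function prepare_stub($query, array $args)
{
    $escaped = array_map('addslashes', $args);
    try {
        // PHP 8 throws ValueError when the format string contains more
        // specifiers than there are arguments; PHP 7 returns false instead.
        return vsprintf($query, $escaped);
    } catch (\ValueError $e) {
        return false;
    }
}

// The pattern from the ticket: the value is interpolated into the format
// string BEFORE prepare() sees it, so any '%' in the data is parsed as a
// printf specifier, and the value itself is never escaped by prepare().
function build_update_vulnerable($post_content, $post_parent, $post_id)
{
    $sql = "UPDATE wp_posts SET post_content = '$post_content', "
         . "post_parent = %d WHERE ID = %d";
    return prepare_stub($sql, array($post_parent, $post_id));
}

// The fix: every dynamic value is a placeholder in the format string and
// travels in the argument list, so it is escaped and never re-parsed.
function build_update_safe($post_content, $post_parent, $post_id)
{
    $sql = "UPDATE wp_posts SET post_content = '%s', "
         . "post_parent = %d WHERE ID = %d";
    return prepare_stub($sql, array($post_content, $post_parent, $post_id));
}

// Constructed sample values: a post body that happens to contain '%'.
$content = "Sale: 50% off today, see %s for details";
$parent  = 0;
$id      = 42;

// "% o" and "%s" inside the content are consumed as specifiers, the argument
// list runs out, and the query cannot be built (the "fails to update" symptom).
$broken = build_update_vulnerable($content, $parent, $id);
echo $broken === false
    ? "vulnerable form: vsprintf() failed, the post would not be saved\n"
    : "vulnerable form: $broken\n";

// The '%' characters survive untouched because they arrive as data.
echo "safe form:       " . build_update_safe($content, $parent, $id) . "\n";

// Constructed sample with a quote: only the safe form escapes it, because
// prepare() can only escape what it receives as an argument.
$quoted = "Tim O'Reilly's post";
echo "vulnerable form: " . build_update_vulnerable($quoted, $parent, $id) . "\n";
echo "safe form:       " . build_update_safe($quoted, $parent, $id) . "\n";
```

Run it with `php example.php`. Applied to the query in the ticket, the same fix means every `'$variable'` in the `UPDATE` string becomes a `'%s'` placeholder and the variables (including the two `current_time()` results) are appended to the argument list in the same order as the placeholders, so that nothing but literal SQL reaches `prepare()` as the format string.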