[wp-trac] Re: [WordPress Trac] #5145: Proper use of prepared statements
WordPress Trac
wp-trac at lists.automattic.com
Fri Oct 5 14:27:15 GMT 2007
#5145: Proper use of prepared statements
---------------------+------------------------------------------------------
Reporter: xknown | Owner: markjaquith
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: General | Version:
Severity: normal | Resolution:
Keywords: |
---------------------+------------------------------------------------------
Comment (by santosj):
I think the problem is that, instead of defeating the purpose of even
having the function, the variables should be '''outside''' the string and
the {{{%{whatever}}}} placeholders used instead.
{{{
$wpdb->prepare(
"UPDATE IGNORE $wpdb->posts SET
post_author = '$post_author',
post_date = '$post_date',
post_date_gmt = '$post_date_gmt',
post_content = '$post_content',
post_content_filtered = '$post_content_filtered',
post_title = '$post_title',
post_excerpt = '$post_excerpt',
post_status = '$post_status',
post_type = '$post_type',
comment_status = '$comment_status',
ping_status = '$ping_status',
post_password = '$post_password',
post_name = '$post_name',
to_ping = '$to_ping',
pinged = '$pinged',
post_modified = '".current_time('mysql')."',
post_modified_gmt = '".current_time('mysql',1)."',
post_parent = %d,
menu_order = '$menu_order'
WHERE ID = %d"
, $post_parent, $post_ID ));
}}}
should be, like:
{{{
$wpdb->prepare(
"UPDATE IGNORE $wpdb->posts SET
post_author = '%s',
post_date = '%s',
post_date_gmt = '%s',
post_content = '$post_content',
post_content_filtered = '$post_content_filtered',
post_title = '$post_title',
post_excerpt = '$post_excerpt',
post_status = '$post_status',
post_type = '$post_type',
comment_status = '$comment_status',
ping_status = '$ping_status',
post_password = '$post_password',
post_name = '$post_name',
to_ping = '$to_ping',
pinged = '$pinged',
post_modified = '".current_time('mysql')."',
post_modified_gmt = '".current_time('mysql',1)."',
post_parent = %d,
menu_order = '$menu_order'
WHERE ID = %d"
, $post_author, $post_date, $post_date_gmt, ..., $post_parent,
$post_ID ));
}}}
And so on and so forth.
I think the whole concept is being defeated by using it for numeric values
when you could use {{{$post_author, $post_date, $post_date_gmt, ..., (num)
$post_parent, (num) $post_ID ));}}}
--
Ticket URL: <http://trac.wordpress.org/ticket/5145#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
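To make the difference concrete, here is an added example that is not part of the ticket and not WordPress code. It uses a small stand-in for wpdb::prepare() (named toy_prepare, an assumption modelled on the documented sprintf-style behaviour: quote each %s, escape each argument, then vsprintf), with addslashes() standing in for the database driver's escape function so it runs without a MySQL connection. The post title and IDs are constructed inputs.

```php
<?php
// Added example, not from the ticket or WordPress core: a minimal stand-in for
// wpdb::prepare() so the effect of interpolating variables into the SQL string
// versus passing them as %s/%d arguments can be seen without a database.
// Assumption: addslashes() stands in for the driver escape function that the
// real wpdb uses; the real function also quotes %s placeholders itself.
function toy_prepare(string $query, ...$args): string {
    // Tolerate a caller who already wrote '%s', then quote every %s.
    $query = str_replace(["'%s'", '"%s"'], '%s', $query);
    $query = str_replace('%s', "'%s'", $query);
    // Escape every non-integer argument; %d conversions are cast by vsprintf.
    $args = array_map(function ($a) {
        return is_int($a) ? $a : addslashes((string) $a);
    }, $args);
    return vsprintf($query, $args);
}

// Pattern from the ticket's first block: the string variable is interpolated
// directly into the query, so prepare() never sees it and cannot escape it.
function interpolated(string $post_title, int $post_ID): string {
    return toy_prepare(
        "UPDATE wp_posts SET post_title = '$post_title' WHERE ID = %d",
        $post_ID
    );
}

// Pattern santosj proposes: string values go through %s placeholders and
// numeric values through %d, all passed as arguments after the query.
function parameterised(string $post_title, $post_parent, int $post_ID): string {
    return toy_prepare(
        "UPDATE wp_posts SET post_title = %s, post_parent = %d WHERE ID = %d",
        $post_title, $post_parent, $post_ID
    );
}

// Constructed inputs: a title containing single quotes, as a real post title
// might, and a parent ID arriving as a string from a form.
$post_title  = "Bob's 'new' post";
$post_parent = "12";
$post_ID     = 7;

echo interpolated($post_title, $post_ID), "\n";
echo parameterised($post_title, $post_parent, $post_ID), "\n";
```

The first line printed contains the title's quotes unescaped inside the SQL literal, because the value was already part of the format string when toy_prepare() ran. The second line shows the title as an escaped literal and post_parent coerced to the integer 12 by the %d conversion, which is the "(num)" treatment the comment asks for: only the placeholders are in the string, and every value is an argument.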