[wp-trac] Re: [WordPress Trac] #5145: Proper use of prepared statements

WordPress Trac wp-trac at lists.automattic.com
Fri Oct 5 14:30:14 GMT 2007


#5145: Proper use of prepared statements
---------------------+------------------------------------------------------
 Reporter:  xknown   |        Owner:  markjaquith
     Type:  defect   |       Status:  assigned   
 Priority:  normal   |    Milestone:  2.4        
Component:  General  |      Version:             
 Severity:  normal   |   Resolution:             
 Keywords:           |  
---------------------+------------------------------------------------------
Comment (by santosj):

 {{{
 $wpdb->prepare(

 "UPDATE IGNORE $wpdb->posts SET post_author = '%s',
 post_date = '%s',
 post_date_gmt = '%s',
 post_content = '$post_content',
 post_content_filtered = '$post_content_filtered',
 post_title = '$post_title',
 post_excerpt = '$post_excerpt', post_status = '$post_status', post_type =
 '$post_type', comment_status = '$comment_status', ping_status =
 '$ping_status', post_password = '$post_password', post_name =
 '$post_name', to_ping = '$to_ping', pinged = '$pinged',
 post_modified = '".current_time('mysql')."',
 post_modified_gmt = '".current_time('mysql',1)."',
 post_parent = %d,
 menu_order = '$menu_order'
 WHERE ID = %d" ,
 $post_author, $post_date, $post_date_gmt, ..., $post_parent, $post_ID ));
 }}}

 What I mean to say is that every variable should be outside the SQL
 string, much like the PDO prepare(). It doesn't seem logical to have the
 whole concept for escaping strings and only use it for numeric values.
 There are already methods for sanitizing those values.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5145#comment:6>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
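The fully parameterised form the comment above asks for, as an added example that is not part of the ticket or of WordPress's own code. build_post_update() and the StandInWpdb class are assumptions made here for illustration: inside WordPress the real $wpdb object would be passed in place of the stand-in, and its prepare() performs the quoting and escaping. The constructed $fields input exists only to show that a quote or an injection attempt in a value cannot change the shape of the statement once every value is bound through a placeholder.

```php
<?php
// Added example, not code from the ticket or from WordPress: the UPDATE from the
// ticket rewritten so that every value goes through a prepare() placeholder and
// nothing is interpolated into the SQL string. Inside WordPress, $wpdb is the real
// database object; StandInWpdb below is a hypothetical stand-in so the file runs offline.

/**
 * Build the fully parameterised UPDATE for post $post_ID.
 * Placeholders are written unquoted: wpdb::prepare() quotes %s itself, and %d
 * forces an integer. $fields maps column name => raw (unescaped) value.
 */
function build_post_update( $wpdb, $post_ID, array $fields ) {
    // Fixed column order so the placeholder list and the argument list line up.
    $string_columns = array(
        'post_date', 'post_date_gmt', 'post_content', 'post_content_filtered',
        'post_title', 'post_excerpt', 'post_status', 'post_type', 'comment_status',
        'ping_status', 'post_password', 'post_name', 'to_ping', 'pinged',
        'post_modified', 'post_modified_gmt',
    );
    $int_columns = array( 'post_author', 'post_parent', 'menu_order' );

    $set  = array();
    $args = array();
    foreach ( $string_columns as $col ) {
        $set[]  = "$col = %s";
        $args[] = isset( $fields[ $col ] ) ? (string) $fields[ $col ] : '';
    }
    foreach ( $int_columns as $col ) {
        $set[]  = "$col = %d";
        $args[] = isset( $fields[ $col ] ) ? (int) $fields[ $col ] : 0;
    }
    $args[] = (int) $post_ID;  // binds the final WHERE ID = %d

    $sql = "UPDATE IGNORE {$wpdb->posts} SET " . implode( ', ', $set ) . ' WHERE ID = %d';
    // wpdb::prepare() accepts a single array as its second argument in place of a vararg list.
    return $wpdb->prepare( $sql, $args );
}

/**
 * Hypothetical stand-in for the parts of $wpdb this example touches. Its prepare()
 * imitates the real one in simplified form: %d arguments are cast to int, %s arguments
 * are escaped and quoted, then substituted in order. addslashes() stands in for the
 * connection-aware escaping the real wpdb uses; it is not a replacement for it.
 */
class StandInWpdb {
    public $posts = 'wp_posts';

    public function prepare( $query, array $args ) {
        $i = 0;
        return preg_replace_callback( '/%[sd]/', function ( $m ) use ( $args, &$i ) {
            $value = $args[ $i++ ];
            if ( $m[0] === '%d' ) {
                return (string) (int) $value;
            }
            return "'" . addslashes( $value ) . "'";
        }, $query );
    }
}

// Constructed input: a title carrying a quote and a trailing injection attempt, and
// non-numeric junk aimed at an integer column.
$fields = array(
    'post_author'           => 1,
    'post_date'             => '2007-10-05 14:30:14',
    'post_date_gmt'         => '2007-10-05 14:30:14',
    'post_content'          => 'body',
    'post_content_filtered' => '',
    'post_title'            => "O'Reilly'; DROP TABLE wp_posts; -- ",
    'post_excerpt'          => '',
    'post_status'           => 'publish',
    'post_type'             => 'post',
    'comment_status'        => 'open',
    'ping_status'           => 'open',
    'post_password'         => '',
    'post_name'             => 'oreilly',
    'to_ping'               => '',
    'pinged'                => '',
    'post_modified'         => '2007-10-05 14:30:14',
    'post_modified_gmt'     => '2007-10-05 14:30:14',
    'post_parent'           => '0; DROP TABLE wp_posts',
    'menu_order'            => 0,
);

$wpdb = new StandInWpdb();
echo build_post_update( $wpdb, 42, $fields ), "\n";
// post_title becomes the inert literal 'O\'Reilly\'; DROP TABLE wp_posts; -- ' and
// post_parent becomes 0: neither value can alter the structure of the statement.

// For contrast, the interpolation style from the ticket when the caller forgets to
// escape first: the title terminates the literal and appends its own statement.
echo "UPDATE IGNORE {$wpdb->posts} SET post_title = '{$fields['post_title']}' WHERE ID = 42", "\n";
```

The value of keeping every value in the argument list is that the SQL text is a constant: the column order, the placeholder types and the argument order are fixed in one place, so a reviewer can check that no caller-supplied string ever reaches the query except through prepare(). The %d placeholders also act as a type check, which the quoted '$menu_order' interpolation in the ticket's snippet does not.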
