[wp-trac] Re: [WordPress Trac] #5145: Proper use of prepared statements
WordPress Trac
wp-trac at lists.automattic.com
Fri Oct 5 17:27:19 GMT 2007
#5145: Proper use of prepared statements
---------------------+------------------------------------------------------
Reporter: xknown | Owner: markjaquith
Type: defect | Status: assigned
Priority: normal | Milestone: 2.4
Component: General | Version:
Severity: normal | Resolution:
Keywords: |
---------------------+------------------------------------------------------
Comment (by markjaquith):
Yes, the ideal solution is to have the strings outside the query, and use
{{{%s}}} placeholders. But {{{%s}}} replacements get slash-escaped, and
the variables in this instance are already slash-escaped. So that would
lead to double-escaping. What I'm in the process of doing is converting
to use {{{$wpdb->prepare()}}} any query that can be converted, and marking
up any place that can't be converted because the function expects pre-
slashed data. My mistake was in doing partial implementation for some
queries. It has to be all or nothing, or we risk concatenating in a
{{{printf()}}} token.
--
Ticket URL: <http://trac.wordpress.org/ticket/5145#comment:8>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
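An added example, not code from the ticket or from WordPress: `toy_prepare()` is a minimal stand-in for the `prepare()` behaviour the comment describes (assumed here: every `%s` argument is slash-escaped and single-quoted before substitution), and `token_mismatch()` is a helper added for the illustration. It walks through the three situations the comment names: a raw value escaped once, an already-slashed value escaped twice, and a partially converted query whose concatenated value carries a stray printf token.

```php
<?php
// Added example, not WordPress code: a minimal stand-in for the prepare()
// behaviour described in the ticket. Each %s argument is slash-escaped and
// single-quoted before being substituted into the query; %d takes integers.
function toy_prepare(string $query, ...$args): string {
    $quoted = array_map(
        fn($arg) => is_int($arg) ? $arg : "'" . addslashes((string) $arg) . "'",
        $args
    );
    return vsprintf($query, $quoted);
}

// Helper added here: compares the number of %s/%d tokens in the format
// string with the number of arguments, which is how a partially converted
// query reveals itself before vsprintf() ever sees it.
function token_mismatch(string $query, array $args): bool {
    return preg_match_all('/%[sd]/', $query) !== count($args);
}

// 1. Raw input: the quote in the value is escaped exactly once.
$raw = "O'Reilly";                         // constructed sample value
echo toy_prepare("SELECT * FROM users WHERE name = %s", $raw), "\n";

// 2. Pre-slashed input, as the functions in the ticket receive it: the
//    backslash added upstream is escaped again, so the value that reaches
//    the table carries a literal backslash it never had.
$preslashed = addslashes($raw);
echo toy_prepare("SELECT * FROM users WHERE name = %s", $preslashed), "\n";

// 3. Partial conversion: one value is concatenated into the format string
//    while another goes through %d. The concatenated value happens to
//    contain "%s", so the format string now has two tokens for one argument.
$title = "100%s off";                      // constructed sample value
$partial = "UPDATE posts SET title = '" . addslashes($title) . "' WHERE id = %d";
var_dump(token_mismatch($partial, [5]));   // the mismatch is detected

// All-or-nothing: every value travels as an argument, so the "%s" inside
// the title is ordinary data and is never parsed as a token.
echo toy_prepare("UPDATE posts SET title = %s WHERE id = %d", $title, 5), "\n";
var_dump(token_mismatch("UPDATE posts SET title = %s WHERE id = %d", [$title, 5]));
```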