[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken

WordPress Trac wp-trac at lists.automattic.com
Fri Dec 25 00:57:02 UTC 2009


#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
 Reporter:  hakre         |       Owner:  ryan            
     Type:  defect (bug)  |      Status:  new             
 Priority:  normal        |   Milestone:  3.0             
Component:  Database      |     Version:  2.9             
 Severity:  normal        |    Keywords:  has-patch tested
--------------------------+-------------------------------------------------

Comment(by hakre):

 Replying to [comment:14 dd32]:
 > > Per definition query is data passed into the function.
 > Yes, by definition. But in this case, the data is the query params, I'm
 talking on a code level, not a syntax level.
 I'm I/O-talking. function: pass something into it, get something back. If
 I move all my %s's into the data-parameter-on-your-code-level, then I
 would not need to actually use prepare. Then on your ''code level'' I
 could use vsprintf directly. Just to give you the idea where such
 argumentation leads. But this is getting too far for this ticket.

 > > congrats making it even more complicated.
 > It fixes the current issue with the current parser which will be used in
 2.8.x and 2.9.x for awhile yet. Whilst leaving it open for someone to
 suggest a replacement.
 I have the feeling that the regex does not actually solve the problem but
 shifts it, but I'll review that.

 ----

 The requested documentation can be found here:
 [http://codex.wordpress.org/Function_Reference/wpdb_Class#Protect_Queries_Against_SQL_Injection_Attacks
 Protect Queries Against SQL Injection Attacks].

 Those who want to get a broader view on the topic and on why more
 delicate stuff can happen by accident (it's not only LIKE which is using
 %-tokens) can take a look into this ticket and search for WEEK: #10397.
 This is by accident only; I assume that if the whole core code is reviewed
 to replace standard queries with variable substitution by prepare
 statement ones, this will get us more findings.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:16>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
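As an added illustration of the hazard the comment above describes (not code from the ticket, from dd32's patch or from WordPress core): a toy sprintf-style prepare() that treats only %s and %d as placeholders, so a literal LIKE wildcard or a DATE_FORMAT specifier such as %W in the query is left alone rather than being consumed by vsprintf, and user data stays in the argument list where it is escaped. The helper names (toy_prepare, escape_sql, escape_like) and the sample input are assumptions constructed for this example.

```php
<?php
// Added example, not WordPress code. Demonstrates keeping data out of the
// query string and handling literal %-tokens in a sprintf-style prepare().

function escape_sql($value) {
    // Stand-in for the driver's string escaping (assumption; real code
    // would use the database connection's own escaping function).
    return str_replace(array('\\', "'"), array('\\\\', "\\'"), (string) $value);
}

function escape_like($value) {
    // Neutralise LIKE wildcards inside data so user input cannot widen a
    // pattern; the caller adds its own % around the escaped term.
    return str_replace(array('\\', '%', '_'), array('\\\\', '\\%', '\\_'), $value);
}

function toy_prepare($query, array $args) {
    // Only %s, %d and %% are recognised. Any other '%' in $query is copied
    // literally, so "LIKE '%foo%'" or DATE_FORMAT(d, '%W') survives instead
    // of "%f" / "%W" being read as conversions by vsprintf.
    $i = 0;
    return preg_replace_callback('/%([sd%])/', function ($m) use (&$i, $args) {
        if ($m[1] === '%') {
            return '%';
        }
        $value = isset($args[$i]) ? $args[$i] : '';
        $i++;
        if ($m[1] === 'd') {
            return (string) (int) $value;
        }
        // Replacement text is never re-scanned, so a '%' inside data
        // cannot turn into a placeholder.
        return "'" . escape_sql($value) . "'";
    }, $query);
}

// Constructed hostile input: contains a quote, LIKE wildcards and a '%'.
$term = "50%_off' OR '1'='1";

// Wildcards belong to the query side; the term is escaped as data.
echo toy_prepare(
    "SELECT ID FROM posts WHERE title LIKE %s AND status = %d",
    array('%' . escape_like($term) . '%', 1)
), "\n";
```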