[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken
WordPress Trac
wp-trac at lists.automattic.com
Fri Dec 25 01:34:39 UTC 2009
#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Database | Version: 2.9
Severity: normal | Keywords: has-patch tested
--------------------------+-------------------------------------------------
Comment(by dd32):
> Does not fix my 2nd and 3rd examples above. They are oddball cases but
> totally exploitable if they exist.
Which cases specifically? Passing an array is not supported by the
function, nor is passing non-sprintf-escaped SQL. My patch is aimed at
fixing the current bug in the current parser, not at replacing it with
something that can read your mind as to what placement marker in the
string you intended to be replaced.
> Regarding the look for a "better" implementation, maybe it should be
> considered to actually use prepared statements?
When WordPress utilises the MySQLi extension rather than the MySQL
extension, then sure.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:18>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
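The two "unsupported" cases dd32 mentions above (array arguments, and SQL that is not sprintf-escaped) are easiest to see with a small sprintf-style substitution function. The code below is an added example, not WordPress's wpdb::prepare() and not from the ticket's patch; the function name demo_prepare, the sample queries and the use of addslashes() as a stand-in for the database driver's escape function are all assumptions made for an offline demonstration.

```php
<?php
// Added example (not WordPress code): a minimal sprintf-style "prepare" that
// substitutes %d / %s / %f placeholders and shows what happens with the two
// cases the ticket comment calls unsupported.

/**
 * Replace %d, %s and %f placeholders with coerced or quoted+escaped values.
 * A literal percent sign in the query must be written as %%, exactly as with
 * sprintf(). addslashes() is an assumption for this offline demo only; real
 * code must use the database extension's escaper or server-side prepared
 * statements.
 */
function demo_prepare(string $query, ...$args): string {
    $i = 0;
    return preg_replace_callback('/%(%|[dsf])/', function (array $m) use (&$i, $args): string {
        if ($m[1] === '%') {
            return '%'; // "%%" is a literal percent, not a placeholder
        }
        if (!array_key_exists($i, $args)) {
            // Usually means an unescaped "%" in the SQL was read as a placeholder.
            throw new InvalidArgumentException("missing argument for placeholder #$i");
        }
        $arg = $args[$i++];
        if (is_array($arg) || is_object($arg)) {
            // Arrays are not a supported argument type: refuse rather than guess.
            throw new InvalidArgumentException('array/object arguments are not supported');
        }
        switch ($m[1]) {
            case 'd': return (string) (int) $arg;
            case 'f': return (string) (float) $arg;
            default:  return "'" . addslashes((string) $arg) . "'";
        }
    }, $query);
}

// 1. Normal use: integers are coerced, strings are quoted and escaped.
//    Arguments are never re-scanned for placeholders, so a "%" inside a value is safe.
echo demo_prepare(
    "SELECT * FROM wp_posts WHERE ID = %d AND post_title = %s",
    42, "it's 100%"
), "\n";

// 2. A literal "%" in the SQL itself must be written as "%%".
echo demo_prepare("SELECT option_name FROM wp_options WHERE option_name LIKE 'cron%%'"), "\n";

// 3. Non-sprintf-escaped SQL: "'%sale'" contains "%s", which the parser can only
//    treat as a placeholder, so substitution fails instead of silently guessing.
try {
    echo demo_prepare("SELECT * FROM wp_posts WHERE post_title LIKE '%sale'"), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// 4. Array arguments are refused outright rather than stringified to "Array".
try {
    echo demo_prepare("SELECT * FROM wp_posts WHERE ID IN (%s)", [1, 2, 3]), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The design choice worth noting is that placeholders are resolved in a single pass over the query string and the substituted values are never re-parsed, which is what keeps a "%" inside user data harmless; the cost is that the query text itself must follow sprintf rules, which is the constraint dd32 is describing.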