[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken

WordPress Trac wp-trac at lists.automattic.com
Fri Dec 25 01:34:39 UTC 2009


#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
 Reporter:  hakre         |       Owner:  ryan            
     Type:  defect (bug)  |      Status:  new             
 Priority:  normal        |   Milestone:  3.0             
Component:  Database      |     Version:  2.9             
 Severity:  normal        |    Keywords:  has-patch tested
--------------------------+-------------------------------------------------

Comment(by dd32):

 > Does not fix my 2nd and 3rd examples above. They are oddball cases but
 > totally exploitable if they exist.

 Which cases specifically? Passing an array is not supported by the
 function, nor is passing non-sprintf-escaped SQL. My patch is aimed at
 fixing the current bug in the current parser, not at replacing it with
 something that can read your mind as to which placement marker in the
 string you intended to be replaced.

 > Regarding the look for a "better" implementation, maybe it should be
 > considered to actually use prepared statements?

 When WordPress utilises the MySQLi extension rather than the MySQL
 extension, then sure.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:18>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
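Added illustration of the "non-sprintf-escaped SQL" point in the comment above. This is not wpdb's code: `toy_prepare` is a hypothetical stand-in for a sprintf-style placeholder parser, and the table and search term are constructed.

```php
<?php
// Toy sprintf-style placeholder substitution (hypothetical, not wpdb->prepare()):
// %d becomes an integer, %s becomes a quoted string, %% becomes a literal '%'.
// It shows why a literal '%' in the query text must be written as '%%'.
function toy_prepare(string $query, array $args): string
{
    $i = 0;
    return preg_replace_callback('/%(%|d|s)/', function ($m) use ($args, &$i) {
        if ($m[1] === '%') {
            return '%';                       // '%%' is a literal percent sign
        }
        if (!array_key_exists($i, $args)) {
            throw new InvalidArgumentException("no argument for placeholder {$m[0]}");
        }
        $value = $args[$i++];
        if ($m[1] === 'd') {
            return (string) (int) $value;     // %d: coerce to integer
        }
        // %s: quote and escape (toy escaping only; a real driver escape belongs here)
        return "'" . addslashes((string) $value) . "'";
    }, $query);
}

// Supported usage: the wildcard search term travels through the %s argument,
// so the query text itself contains only the two intended placeholders.
// (A literal '%' kept in the query text would have to be written as '%%'.)
echo toy_prepare(
    "SELECT ID FROM wp_posts WHERE post_title LIKE %s AND ID > %d",
    ['%sam%', 10]
), "\n";
// SELECT ID FROM wp_posts WHERE post_title LIKE '%sam%' AND ID > 10

// Unsupported usage: a bare '%' right before the 's' of the literal '%sam%'
// is read as a placeholder, so the caller's argument lands inside the
// literal and the intended %d is left without an argument.
try {
    echo toy_prepare(
        "SELECT ID FROM wp_posts WHERE post_title LIKE '%sam%' AND ID > %d",
        [10]
    ), "\n";
} catch (InvalidArgumentException $e) {
    echo "error: ", $e->getMessage(), "\n";
    // error: no argument for placeholder %d
}
```

The defensive rule this demonstrates is the one the comment states: with a sprintf-style prepare(), every literal `%` in the query text is `%%`, and search wildcards go into the `%s` argument rather than the query string.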