[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken
WordPress Trac
wp-trac at lists.automattic.com
Fri Dec 25 15:49:54 UTC 2009
#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Database | Version: 2.9
Severity: normal | Keywords: has-patch tested
--------------------------+-------------------------------------------------
Comment (by miqrogroove):
I think the bottom line is that the printf syntax was a poor choice for
query parsing. '%' is syntactically ambiguous in wpdb::prepare() unless
you assume that every query author also knows how to use the '%%' syntax,
and every server has applied the dd32 diff file from above. That's a
fairly impossible standard to meet.
So I'll say it for a third time: both the wpdb class and the Codex page
need to explain how this function was intended to work. Hiding behind the
dogma of "it's a prepare function that works like sprintf" is a big
mistake. The '%%' syntax is not explicitly defined in the PHP function
description. It only shows up 3 pages below the fold in the fifth example
where it says, "notice the double %%". Before creating the previous
ticket, I personally read the wpdb class, the Codex page, and the PHP
function description and parameters list, and I still didn't understand
why prepare() was broken until dd32 explained it to me. I've been writing
various flavors of SQL for over 10 years, and I've never had to escape an
intentional wildcard like this.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:25>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
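The ambiguity the comment describes, shown in runnable form. This is an added example, not code from the ticket or from WordPress core: toy_prepare() is a stand-in that mirrors the sprintf-based shape of the 2.9-era wpdb::prepare() (quote every %s, escape every argument, hand the whole query to vsprintf), with addslashes() standing in for the database driver's escaper; toy_esc_like() reproduces what WordPress's own $wpdb->esc_like() (added in WordPress 4.0) does. The table and column names are WordPress's, the search term is constructed input.

```php
<?php
// Stand-in for the sprintf-style wpdb::prepare() of the 2.9 era (assumption:
// addslashes() in place of the real driver escaper). Returns false when
// vsprintf rejects the format string: PHP 8 throws a ValueError for an unknown
// directive, older PHP emitted a warning and returned false.
function toy_prepare($query, ...$args) {
    $query = str_replace("'%s'", '%s', $query);           // normalise caller quoting
    $query = str_replace('"%s"', '%s', $query);
    $query = preg_replace('/(?<!%)%s/', "'%s'", $query); // quote string placeholders
    $args  = array_map(fn($a) => is_string($a) ? addslashes($a) : $a, $args);
    try {
        $sql = @vsprintf($query, $args);
    } catch (\Throwable $e) {
        $sql = false;
    }
    return $sql;
}

// Escape LIKE metacharacters in a user-supplied fragment so that a '%' or '_'
// typed by the user matches literally instead of acting as a wildcard.
// Equivalent to WordPress's $wpdb->esc_like().
function toy_esc_like($text) {
    return addcslashes($text, '_%\\');
}

$term = "50%_off";   // constructed user input that happens to contain LIKE metacharacters

// 1. The trap the ticket describes: a bare '%' wildcard in the format string is
//    read by vsprintf as the start of a directive ("%' AND ..."), so the query
//    is rejected (or mangled) rather than passed through.
$broken = toy_prepare(
    "SELECT ID FROM wp_posts WHERE post_title LIKE 'foo%' AND post_status = %s",
    'publish'
);
var_dump($broken);   // bool(false): no query at all, not the SQL the author intended

// 2. The form the comment says ought to be documented: '%%' in the format
//    string survives vsprintf as a single literal '%'.
$literal = toy_prepare(
    "SELECT ID FROM wp_posts WHERE post_title LIKE 'foo%%' AND post_status = %s",
    'publish'
);
echo $literal, "\n";
// SELECT ID FROM wp_posts WHERE post_title LIKE 'foo%' AND post_status = 'publish'

// 3. The shape that sidesteps the ambiguity: keep the format string free of
//    literal '%', escape the user's fragment, and append the wildcard inside the
//    argument. Arguments are never parsed for directives, so user input can
//    neither introduce a format directive nor smuggle in an extra wildcard.
$safe = toy_prepare(
    "SELECT ID FROM wp_posts WHERE post_title LIKE %s AND post_status = %s",
    toy_esc_like($term) . '%',
    'publish'
);
echo $safe, "\n";
// SELECT ID FROM wp_posts WHERE post_title LIKE '50\\%\\_off%' AND post_status = 'publish'
```

In case 3 the doubled backslashes are correct: the SQL string parser reduces `\\%` to `\%`, which LIKE then reads as a literal percent sign, while the trailing `%` that the code appended remains the one intended wildcard. Reviewing a code base for the case 1 pattern (a `%` inside a quoted literal of a prepare() format string that is not `%%`, `%s`, `%d` or `%f`) is the practical check this ticket calls for.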