[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken

WordPress Trac wp-trac at lists.automattic.com
Fri Dec 25 15:49:54 UTC 2009


#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
 Reporter:  hakre         |       Owner:  ryan            
     Type:  defect (bug)  |      Status:  new             
 Priority:  normal        |   Milestone:  3.0             
Component:  Database      |     Version:  2.9             
 Severity:  normal        |    Keywords:  has-patch tested
--------------------------+-------------------------------------------------

Comment(by miqrogroove):

 I think the bottom line is that the printf syntax was a poor choice for
 query parsing.  '%' is syntactically ambiguous in wpdb::prepare() unless
 you assume that every query author also knows how to use the '%%' syntax,
 and every server has applied the dd32 diff file from above.  That's a
 fairly impossible standard to meet.

 So I'll say it for a third time, both the wpdb class and the Codex page
 need to explain how this function was intended to work.  Hiding behind the
 dogma of "it's a prepare function that works like sprintf" is a big
 mistake.  The '%%' syntax is not explicitly defined in the PHP function
 description.  It only shows up 3 pages below the fold in the fifth example
 where it says, "notice the double %%".  Before creating the previous
 ticket, I personally read the wpdb class, the Codex page, and the PHP
 function description and parameters list, and I still didn't understand
 why prepare() was broken until dd32 explained it to me.  I've been writing
 various flavors of SQL for over 10 years, and I've never had to escape an
 intentional wildcard like this.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:25>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
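The ambiguity the comment describes, shown as an added example that is not from the ticket, the commenter, or WordPress core: `toy_prepare()` is a deliberately minimal stand-in for the substitution step of wpdb::prepare() (quote `%s`, then vsprintf), with `addslashes()` standing in for the real escaping so the script runs without WordPress.

```php
<?php
// Hypothetical stand-in for wpdb::prepare()'s substitution step, written
// for this example only. It is NOT the real WordPress implementation; the
// escaping is simplified, the format handling (vsprintf) is the point.
function toy_prepare(string $query, array $args): string
{
    // Quote bare %s placeholders so string arguments arrive single-quoted.
    $query = preg_replace("|(?<!%)%s|", "'%s'", $query);
    // Escape argument values (stand-in for the real per-value escaping).
    $args = array_map('addslashes', $args);
    return vsprintf($query, $args);
}

$id = 7;

// 1. Intentional LIKE wildcard written as a bare '%'. vsprintf reads "%'"
//    as a custom-padding flag (pad char: space) and then hits "A" from
//    "AND", which is not a conversion specifier. PHP 8 throws ValueError;
//    PHP 7 raised a warning and returned false, which @vsprintf silenced,
//    so the query simply vanished.
try {
    echo toy_prepare(
        "SELECT ID FROM wp_posts WHERE post_title LIKE 'Hello%' AND ID = %d",
        [$id]
    ), "\n";
} catch (ValueError $e) {
    echo "broken: ", $e->getMessage(), "\n";
}

// 2. The same query with the wildcard doubled to '%%', as the ticket
//    requires: vsprintf emits a single '%', which MySQL then treats as
//    the LIKE wildcard.
echo toy_prepare(
    "SELECT ID FROM wp_posts WHERE post_title LIKE 'Hello%%' AND ID = %d",
    [$id]
), "\n";

// 3. Wildcard supplied through an argument instead of the format string.
//    vsprintf never re-parses argument values, so a '%' inside $term needs
//    no doubling here; only literal '%' in the query text must be '%%'.
//    (To MySQL the '%' is still a wildcard, a separate concern from printf.)
$term = "Hello";
echo toy_prepare(
    "SELECT ID FROM wp_posts WHERE post_title LIKE %s AND ID = %d",
    [$term . '%', $id]
), "\n";
```

Run with `php example.php`; the first call fails while the second and third produce the intended `LIKE 'Hello%'` clause, which is the distinction the comment says the Codex and the class docblock should spell out.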