[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken
WordPress Trac
wp-trac at lists.automattic.com
Mon Dec 28 21:45:58 UTC 2009
#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Database | Version: 2.9
Severity: normal | Keywords: reporter-feedback
--------------------------+-------------------------------------------------
Changes (by westi):
* cc: westi (added)
* keywords: has-patch dev-feedback => reporter-feedback
Comment:
After reading through all the comments above I cannot see a clear
definition of the '''bug''' here that exists in {{{$wpdb->prepare}}}.
Most of what I see is incorrect usage of prepare itself instead.
You shouldn't be writing:
{{{
$wpdb->prepare("SELECT 1 WHERE table.row LIKE '%stupid' AND othertable.row
= %s", $input)
}}}
but:
{{{
$wpdb->prepare("SELECT 1 WHERE table.row LIKE %s AND othertable.row = %s",
$like, $other)
}}}
Can you summarise the exact bug with example queries where
{{{$wpdb->prepare}}} used correctly has a bug/security issue?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:47>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
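To illustrate the usage westi describes, here is an added example (not code from the ticket or from WordPress core) of the correct form: the LIKE pattern is built as a separate value so that the only `%` characters in the format string are placeholders, whereas a literal `'%stupid'` in the format string contains `%s` and prepare() would consume the first argument there. It assumes WordPress is loaded (`$wpdb` available) and uses the wpdb methods `esc_like()`, `prepare()` and `get_col()`; the function name is made up for the example.

```php
<?php
// Added example, not from the ticket: find posts whose title ends with a
// user-supplied suffix and that have a given status.
// Assumes WordPress is loaded so that $wpdb exists.
function example_find_posts_by_title_suffix( $suffix, $post_status ) {
    global $wpdb;

    // The user-supplied part must not be able to inject LIKE wildcards,
    // so escape % and _ in it first, then add our own leading wildcard.
    $like = '%' . $wpdb->esc_like( $suffix );

    // Wrong form (what the ticket warns against): putting '%stupid' in the
    // format string. prepare() sees "%s" inside '%stupid' as a placeholder,
    // the first argument is substituted there and the real "= %s" is left
    // without a value:
    //   $wpdb->prepare( "... LIKE '%stupid' AND post_status = %s", $post_status )
    //
    // Correct form: every dynamic value, including the LIKE pattern, goes
    // through a %s placeholder and prepare() quotes and escapes each one.
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = %s",
        $like,
        $post_status
    );

    return $wpdb->get_col( $sql );
}

// Usage: $ids = example_find_posts_by_title_suffix( 'stupid', 'publish' );
```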