[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken
WordPress Trac
wp-trac at lists.automattic.com
Wed Dec 30 18:44:35 UTC 2009
#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Database | Version: 2.9
Severity: normal | Keywords: has-patch
--------------------------+-------------------------------------------------
Comment(by Denis-de-Bernardy):
@hakre: I've been chewing on this since we discussed, and I'm really
wondering if the approach is correct...
The issue with suppressing the @ operator is that it silences warning when
more than the needed number of arguments are passed. That's probably a
good thing,
Re the ticket in its entirely, I think that another, simpler possibility
would be to initially double all % signs in the query, i.e.:
{{{
$query = str_replace('%', '%%', $query);
$query = str_replace(array('"%%s"', "'%%s'", '%%s'), '%s', $query);
$query = str_replace(array('"%%d"', "'%%d'", '%%d'), '%d', $query);
}}}
A few bugs would remain in odd edge cases (i.e. WHERE col LIKE
'%something'); to cover those too, we actually need a regexp. Probably
something like:
{{{
$query = str_replace('%', '%%', $query);
$query = preg_replace("/(\s)(['\"])?%%([sd])\\2(\s|$)/", "$1%$3$4",
$query);
}}}
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:58>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list