[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken
WordPress Trac
wp-trac at lists.automattic.com
Thu Dec 31 09:15:45 UTC 2009
#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Database | Version: 2.9
Severity: normal | Keywords: has-patch
--------------------------+-------------------------------------------------
Comment(by hakre):
Replying to [comment:58 Denis-de-Bernardy]:
> The issue with suppressing the @ operator is that it silences warning
> when more than the needed number of arguments are passed.
My patch already checks for the correct number of args in rev 3. That's
why it was possible to remove that operator.
> Re the ticket in its entirely, I think that another, simpler possibility
> would be to initially double all % signs in the query
Which is just bad practice. But what I can do is to auto-duplicate all
%-signs which aren't valid format specifiers. But I think it's better to
not filter the user's input but to flag an error instead. Because the
query pattern then is just wrong. We can not try to find out what the
user wants. I would really like to see the {''%s''} and {"'%s'"} cases
ignored either. That's a similar topic.
I know that if you read too much of the WP source code such ideas can come
to mind, because those approaches seem common, but they are actually bad
practice.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:60>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
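The approach argued for in the comment above (validate the pattern and the argument count up front, then report a bad pattern rather than silencing warnings with @ or rewriting the caller's % signs) can be shown in a small self-contained function. The code below is an added illustration for this archive page; it is not wpdb::prepare() and not part of the patch on the ticket. The function name strict_prepare, the injected $escape callback (a stand-in for the database driver's real string escaping), and the wp_posts sample queries are all assumptions made for the example.

```php
<?php
// Added example: a printf-style SQL pattern filler that refuses to guess.
// Accepted specifiers: %d (integer), %f (float), %s (escaped, single-quoted
// string) and %% (literal percent sign, e.g. inside LIKE patterns).
// Anything else after a '%' is a pattern error and is reported to the caller.
// This is illustrative code, not WordPress' wpdb::prepare().

function strict_prepare(string $query, array $args, callable $escape): string
{
    $placeholders = 0;
    $errors       = [];
    $len          = strlen($query);

    // Pass 1: scan the pattern. Count placeholders and collect every '%'
    // that is not a valid specifier instead of silently doubling it.
    for ($i = 0; $i < $len; $i++) {
        if ($query[$i] !== '%') {
            continue;
        }
        $next = ($i + 1 < $len) ? $query[$i + 1] : '';
        if ($next === '%') {            // "%%" is a literal percent sign
            $i++;
            continue;
        }
        if ($next === 'd' || $next === 'f' || $next === 's') {
            $placeholders++;
            $i++;
            continue;
        }
        $errors[] = sprintf("invalid format specifier '%%%s' at offset %d", $next, $i);
    }
    if ($errors) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }

    // Argument count is checked explicitly, so no warning suppression is needed
    // for too many or too few arguments: both are reported as errors.
    if ($placeholders !== count($args)) {
        throw new InvalidArgumentException(sprintf(
            'query has %d placeholders but %d arguments were given',
            $placeholders, count($args)
        ));
    }

    // Pass 2: substitute. Validation guarantees every '%' is followed by one
    // of '%', 'd', 'f' or 's'. Numeric specifiers are cast so that a value
    // like "1 OR 1=1" passed for %d collapses to 1; %s is escaped and quoted.
    $pos = 0;
    return preg_replace_callback('/%(.)/', function (array $m) use (&$pos, $args, $escape): string {
        switch ($m[1]) {
            case '%': return '%';
            case 'd': return (string) (int) $args[$pos++];
            case 'f': return (string) (float) $args[$pos++];
            default:  return "'" . $escape((string) $args[$pos++]) . "'";   // 's'
        }
    }, $query);
}

// Stand-in for the driver's escaping (the real code would use the DB
// connection's escape function). Assumption made for this offline example.
$escape = function (string $s): string {
    return str_replace(["\\", "'"], ["\\\\", "\\'"], $s);
};

// Valid pattern: two placeholders, two arguments, "%%" kept as a literal '%'.
echo strict_prepare(
    "SELECT * FROM wp_posts WHERE ID = %d AND post_name LIKE 'draft-%%' AND post_title = %s",
    [7, "O'Reilly"],
    $escape
), "\n";
// SELECT * FROM wp_posts WHERE ID = 7 AND post_name LIKE 'draft-%' AND post_title = 'O\'Reilly'

// Patterns the function rejects instead of repairing (constructed inputs).
foreach ([
    ["SELECT * FROM wp_posts WHERE ID = %d",                         [1, 2]], // too many args
    ["SELECT * FROM wp_posts WHERE ID = %d AND post_status = %s",    [1]],    // too few args
    ["SELECT * FROM wp_posts WHERE post_title LIKE '100%'",          []],     // stray '%'
    ["SELECT * FROM wp_posts WHERE ID = %x",                         [1]],    // unknown specifier
] as [$q, $a]) {
    try {
        strict_prepare($q, $a, $escape);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The point of the two-pass structure is that the pattern is validated before any argument is touched, so a caller who wrote a bare % in a LIKE clause gets a message naming the offset rather than a query whose meaning the library had to guess at.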