[wp-trac] [WordPress Trac] #11102: $wpdb->prepare should merge all arguments to pass to vsprintf
WordPress Trac
wp-trac at lists.automattic.com
Sun Nov 8 11:39:37 UTC 2009
#11102: $wpdb->prepare should merge all arguments to pass to vsprintf
-------------------------+--------------------------------------------------
Reporter: westi | Owner: westi
Type: enhancement | Status: new
Priority: normal | Milestone: 3.0
Component: Database | Version: 2.9
Severity: normal | Keywords: has-patch early
-------------------------+--------------------------------------------------
Changes (by dd32):
* keywords: needs-patch early => has-patch early
Comment:
> attachment 11102.diff added
Nothing really to say about the patch. Pretty simple really.
As long as you pass the correct number of args then it works as expected.
If, for some reason, an array is passed in when a string was expected,
there's the downside that things overflow into the next fields, i.e.:
{{{
$a = 'A';
$thought_to_be_string = array('B1', 'B2');
$c = 'C';
var_dump( $wpdb->prepare('SELECT * FROM $TABLE WHERE a = %s AND b = %s AND c = %s', $a, $thought_to_be_string, $c) );
// string(60) "SELECT * FROM $TABLE WHERE a = 'A' AND b = 'B1' AND c = 'B2'"
}}}
One way around it, could be:
{{{
if ( count($args) != substr_count($query, '%') )
return false;
}}}
which prevents mistaken overflows. vsprintf() returns false if too few
args are passed in as it is.
But that solution doesn't take into account {{{%%}}} being present in the
string.
If those gotchas are thought to be OK for the added benefit, then so be
it :)
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11102#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
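A simplified stand-in for the merge-and-check approach discussed in the comment above, added here as an example and not WordPress's own code: flatten_args() merges the arguments the way the ticket proposes, and count_placeholders() counts specifiers without being fooled by %%, so the overflowing-array case is rejected instead of spilling into the next field. The function names are assumptions, and addslashes() stands in for the real escaping.

```php
<?php
// Added example, not WordPress code. Merges all prepare() arguments into one
// list (as the ticket proposes) and refuses to format when the number of
// values does not match the number of real placeholders.

// Flatten nested arrays so a single array argument or mixed scalar/array
// arguments become one flat list of values, mirroring the proposed merge.
function flatten_args( array $args ) {
    $flat = array();
    foreach ( $args as $arg ) {
        if ( is_array( $arg ) ) {
            $flat = array_merge( $flat, array_values( $arg ) );
        } else {
            $flat[] = $arg;
        }
    }
    return $flat;
}

// Count conversion specifiers, ignoring literal '%%' so the check in the
// comment is not thrown off by an escaped percent sign.
function count_placeholders( $query ) {
    $stripped = str_replace( '%%', '', $query );
    return preg_match_all( '/%[sdf]/', $stripped );
}

function simple_prepare( $query ) {
    $args = func_get_args();
    array_shift( $args );
    $args = flatten_args( $args );

    // The overflow case: an array where a string was expected yields more
    // values than placeholders, so it is rejected rather than shifted along.
    if ( count( $args ) !== count_placeholders( $query ) ) {
        return false;
    }

    // Quote %s the way $wpdb->prepare does ('%s' and %s both become '%s'),
    // and escape the values; addslashes() is only a placeholder escaper here.
    $query = str_replace( "'%s'", '%s', $query );
    $query = str_replace( '%s', "'%s'", $query );
    $args  = array_map( 'addslashes', $args );
    return vsprintf( $query, $args );
}

// Constructed sample calls.
$ok  = simple_prepare( 'SELECT * FROM t WHERE a = %s AND pct = %d%%', 'A', 50 );
// "SELECT * FROM t WHERE a = 'A' AND pct = 50%"
$bad = simple_prepare( 'SELECT * FROM t WHERE a = %s AND b = %s AND c = %s',
                       'A', array( 'B1', 'B2' ), 'C' );
// false: four values for three placeholders
```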