[wp-trac] [WordPress Trac] #11102: $wpdb->prepare should merge all arguments to pass to vsprintf
WordPress Trac
wp-trac at lists.automattic.com
Sun Nov 8 21:42:23 UTC 2009
#11102: $wpdb->prepare should merge all arguments to pass to vsprintf
-------------------------+--------------------------------------------------
Reporter: westi | Owner: westi
Type: enhancement | Status: new
Priority: normal | Milestone: 3.0
Component: Database | Version: 2.9
Severity: normal | Keywords: has-patch early
-------------------------+--------------------------------------------------
Comment(by westi):
Replying to [comment:3 azaozz]:
> Not sure if that really improves things. Passing an array seems to make sense only in `"IN (5,10,20, ...)"` where the length of the array is not fixed.
>
> MySQL seems to accept both `"IN (5,10,20, ...)"` and `"IN ('5','10','20', ...)"` (it casts string to int when comparing with a numeric column) so we can `join( "','", $array )` and pass it as a string. This is already used in about 50 places in core including #11100.
>
The point is to make it easy to use the correct data type specifier in the
prepare statement. If we are preparing in what we believe/expect are
integers we should use %d.
Replying to [comment:3 azaozz]:
> In this case a query would look like:
> {{{
> $wpdb->prepare("SELECT * FROM $table WHERE `x` = %s AND type IN (%s)", $where, $in_array);
> }}}
> that would expand to:
> {{{
> SELECT * FROM $table WHERE `x` = 'bar' AND type IN ('5','10','20');
> }}}
> or
> {{{
> SELECT * FROM $table WHERE `x` = 'bar' AND type IN ('bar1','bar2','bar3');
> }}}
>
>
With the current code this would expand to
{{{
SELECT * FROM $table WHERE `x` = 'bar' AND type IN (''bar1','bar2','bar3'');
}}}
Assuming $in_array was a string containing {{{'bar1','bar2','bar3'}}} as
we force %s to be quoted.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11102#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
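To make the expansion concrete, here is an added example (not code from the ticket or from WordPress core) using a simplified stand-in for the 2.9-era prepare() that quotes every %s, escapes each argument and calls vsprintf; addslashes() stands in for the real database escape call. It shows the malformed IN list that a pre-joined string produces beside the per-element typed placeholders with merged arguments that this ticket argues for.

```php
<?php
// Added example, not WordPress's own code: a simplified stand-in for the
// 2.9-era $wpdb->prepare() (quote %s, escape each argument, vsprintf).
// addslashes() is a stand-in for the real DB-specific escape call.
function stand_in_prepare( $query, ...$args ) {
    // Like the real method: a single array argument supplies all values.
    if ( isset( $args[0] ) && is_array( $args[0] ) ) {
        $args = $args[0];
    }
    // Normalise quotes the caller wrote, then force every %s to be quoted.
    $query = str_replace( array( "'%s'", '"%s"' ), '%s', $query );
    $query = preg_replace( '|(?<!%)%s|', "'%s'", $query );
    $args  = array_map( 'addslashes', $args );
    return vsprintf( $query, $args );
}

$table = 'wp_posts';
// Constructed sample input: the string a caller gets from join( "','", $array ).
$in_string = "'bar1','bar2','bar3'";

// The case described above: the whole joined list hits one quoted %s, so
// it is escaped and wrapped as a single literal and the IN clause is broken.
$broken = stand_in_prepare(
    "SELECT * FROM $table WHERE `x` = %s AND type IN (%s)",
    'bar', $in_string
);
// SELECT * FROM wp_posts WHERE `x` = 'bar' AND type IN ('\'bar1\',\'bar2\',\'bar3\'')
echo $broken, "\n";

// Correct handling: one typed placeholder per element and the arguments
// merged into one list, so each value is typed, escaped and quoted on its own.
$ids          = array( 5, 10, 20 );
$placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
$safe = stand_in_prepare(
    "SELECT * FROM $table WHERE `x` = %s AND type IN ($placeholders)",
    array_merge( array( 'bar' ), $ids )
);
// SELECT * FROM wp_posts WHERE `x` = 'bar' AND type IN (5,10,20)
echo $safe, "\n";
```

Because %d coerces each element to an integer, a non-numeric value smuggled into $ids cannot alter the query structure, which is the reason the comment above prefers %d for values expected to be integers.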