[wp-trac] [WordPress Trac] #12942: Change str_replace to preg_replace for $wpdb->prepare function
WordPress Trac
wp-trac at lists.automattic.com
Sat Apr 10 11:31:44 UTC 2010
#12942: Change str_replace to preg_replace for $wpdb->prepare function
----------------------------------------+-----------------------------------
Reporter: gplaurin | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: General | Version: 2.9.2
Severity: normal | Resolution:
Keywords: database, prepare, sprintf |
----------------------------------------+-----------------------------------
Changes (by gplaurin):
* status: closed => reopened
* type: enhancement => defect (bug)
* resolution: invalid =>
Comment:
That was a prepare example... not a working one. Why have a prepare
function with:

    $query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already singlequoted it
    $query = str_replace('"%s"', '%s', $query); // doublequote unquoting
    $query = str_replace('%s', "'%s'", $query); // quote the strings

and after that use sprintf, which can take care of %1$s but not the
replaces below? The prepare statement will not add quotes to %1$s. Reclose
this if you want, but this is a real bug: sprintf takes care of %s and %1$s;
the prepare statement only takes care of %s but uses sprintf.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12942#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
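
The behaviour the comment describes, as an added example that is not part of the original message and is not WordPress code: a stand-alone model of the three quoted str_replace() steps followed by vsprintf(), plus a small check that flags numbered string placeholders in a query template. The function names, the sample table and value, and the use of addslashes() as a stand-in for the database layer's escaping are assumptions.

```php
<?php
// Added example: stand-alone model of the quoting steps quoted in the comment.
// prepare_model() and find_numbered_placeholders() are hypothetical names;
// addslashes() is a stand-in for the database layer's own escaping.

function prepare_model(string $query, array $args): string
{
    $query = str_replace("'%s'", '%s', $query); // undo caller's single quotes
    $query = str_replace('"%s"', '%s', $query); // undo caller's double quotes
    $query = str_replace('%s', "'%s'", $query); // quote every literal "%s"
    $args  = array_map('addslashes', $args);
    return vsprintf($query, $args);
}

// Report positional string placeholders (%1$s, %2$s, ...). The str_replace()
// calls above search for the exact substring "%s", which "%1$s" does not
// contain, so these placeholders are substituted without surrounding quotes.
function find_numbered_placeholders(string $query): array
{
    preg_match_all('/%\d+\$s/', $query, $m);
    return $m[0];
}

// Constructed sample templates and value.
$value = "O'Reilly";
$templates = [
    'plain'    => 'SELECT * FROM t WHERE name = %s',
    'numbered' => 'SELECT * FROM t WHERE name = %1$s OR alias = %1$s',
];

foreach ($templates as $label => $tpl) {
    // The "plain" result carries quotes around the value; "numbered" does not.
    printf("%-9s %s\n", $label . ':', prepare_model($tpl, [$value]));
    $found = find_numbered_placeholders($tpl);
    if ($found) {
        printf("          unquoted placeholders: %s\n", implode(', ', $found));
    }
}
```

Running the check over query templates before they reach the prepare step shows which ones rely on numbered placeholders and would be interpolated as bare, unquoted text.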