[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken
WordPress Trac
wp-trac at lists.automattic.com
Mon Feb 15 01:24:23 UTC 2010
#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Database | Version: 2.9
Severity: critical | Keywords: has-patch tested dev-feedback featured
--------------------------+-------------------------------------------------
Changes (by miqrogroove):
* keywords: has-patch dev-feedback featured => has-patch tested dev-feedback featured
* severity: normal => critical
Comment:
+1 to 11608.diff
This patch has been in production testing for almost two months, and
working perfectly.
What it does: Corrects a very serious flaw in the logic for adding quotes
around string literals.
What it does not: Does not change the syntax expected by prepare(), which
is incompatible with MySQL data manipulation syntax. This has been
knocked down to a "documentation issue" in #11318.
Regarding the other patches: None of them really made sense to me. The
more string parsing that ends up in the hands of WordPress, the more
convoluted and the more vuln-prone the system will be.
Also restoring the correct Severity value, based on the exhaustive hole-poking provided above.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:73>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
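The comment above concerns the logic that wraps `%s` arguments in quotes inside `wpdb->prepare()`. The following is an added, stand-alone illustration written for this page; it is not wpdb's code and not the patch from the ticket. It emulates the one property the comment is about: the formatter, not the caller, adds and escapes the quotes around string literals, and `%d` is forced to an integer. The function names `example_prepare` and `example_escape` and the sample query are assumptions constructed for the example.

```php
<?php
// Added example (not wpdb's code): a minimal prepare()-style formatter.
// %s  -> escaped value wrapped in single quotes (the caller never quotes)
// %d  -> value cast to int
// %%  -> a literal percent sign, never treated as a placeholder

function example_escape(string $value): string
{
    // Backslash-escape the characters MySQL treats specially inside a
    // single-quoted literal. Stand-in for a driver escape call; see the
    // note below about sql_mode and real drivers.
    return strtr($value, [
        "\\" => "\\\\",
        "'"  => "\\'",
        "\"" => "\\\"",
        "\0" => "\\0",
        "\n" => "\\n",
        "\r" => "\\r",
    ]);
}

function example_prepare(string $query, array $args): string
{
    $i = 0;
    return preg_replace_callback(
        '/%%|%([ds])/',
        function (array $m) use ($args, &$i): string {
            if ($m[0] === '%%') {
                return '%';
            }
            if (!array_key_exists($i, $args)) {
                throw new InvalidArgumentException('Not enough arguments for placeholders');
            }
            $value = $args[$i++];
            if ($m[1] === 'd') {
                // Non-numeric input degrades to 0 rather than reaching the query as text.
                return (string) (int) $value;
            }
            // %s: quotes are added here, so a quote in the value cannot close the literal.
            return "'" . example_escape((string) $value) . "'";
        },
        $query
    );
}

// Constructed sample input: a title containing a single quote and a
// non-numeric author id. Both stay inside their intended literals.
$sql = example_prepare(
    "SELECT ID FROM wp_posts WHERE post_title = %s AND post_author = %d",
    ["O'Reilly", "7abc"]
);
echo $sql, PHP_EOL;
// SELECT ID FROM wp_posts WHERE post_title = 'O\'Reilly' AND post_author = 7
```

Two caveats a practitioner would want: backslash escaping as written here is only valid when the server is not running with `NO_BACKSLASH_ESCAPES` in `sql_mode`, so production code should hand escaping to the driver (for example `mysqli_real_escape_string`) or, better, use server-side prepared statements so no quoting logic lives in application string parsing at all, which is the point the comment makes about parsing being vuln-prone.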