[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken
WordPress Trac
wp-trac at lists.automattic.com
Thu Jan 7 00:23:30 UTC 2010
#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Database | Version: 2.9
Severity: normal | Keywords: has-patch dev-feedback
--------------------------+-------------------------------------------------
Comment(by hakre):
I found why that child-security is in there, it's for the class itself.
The deeper you dig, the more you find:
{{{
$sql = "INSERT INTO `$table` (`" . implode( '`,`', $fields ) . "`) VALUES
('" . implode( "','", $formatted_fields ) . "')";
}}}
somewhere in {{{function insert($table, $data, $format = null)}}}.
Now funny to read in (untouched) prepare this comment reagarding doubled
quotes:
''in case someone mistakenly already singlequoted it doublequote
unquoting''
wpdb::insert() teaches that this is not by mistake but by design. Just for
the log.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:67>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list