[wp-trac] [WordPress Trac] #22262: Possible invalid uses of wpdb::prepare()
WordPress Trac
noreply at wordpress.org
Tue Oct 23 14:40:44 UTC 2012
#22262: Possible invalid uses of wpdb::prepare()
-----------------------------+--------------------------
Reporter: xknown | Type: defect (bug)
Status: new | Priority: normal
Milestone: Awaiting Review | Component: General
Version: | Severity: normal
Keywords: |
-----------------------------+--------------------------
One common error I see about wpdb::prepare() is that many developers tend
to use it by passing only a SQL query, which may produce bugs due to the
implementation of this method.
As you know, wpdb::prepare() does, generally speaking, a string
replacement of the placeholders (%s, %d, etc.) by using sprintf/vsprintf
behind the scenes. So, if one passes a SQL query with placeholders and no
other parameters, then this method returns a blank string. For example:
{{{
// First call: correct, the value is passed alongside the query.
$query = $wpdb->prepare( 'select * from table where column = %s',
$user_input );
// Second call: the already-prepared query is passed with no values.
$result_set = $wpdb->get_results( $wpdb->prepare( $query ) );
}}}
If {{{$user_input}}} contains a placeholder (e.g. "hola%s mundo"), the
query will not be executed.
I used a simple static code analyzer to detect these calls in core and
found two instances.
- http://core.trac.wordpress.org/browser/trunk/wp-includes/query.php#L2409
- http://core.trac.wordpress.org/browser/trunk/wp-includes/ms-functions.php#L1922
We should call _doing_it_wrong() if wpdb::prepare() receives only one
parameter.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/22262>
WordPress Trac <http://core.trac.wordpress.org/>
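An added illustration (not WordPress core code) of the failure mode and of the one-argument check the ticket proposes: a cut-down stand-in for wpdb::prepare() that keeps the placeholder quoting and vsprintf() behaviour described above. It assumes addslashes() in place of the database-specific escaping wpdb performs and trigger_error() in place of _doing_it_wrong(), so it runs outside WordPress.

```php
<?php
// Stand-in for wpdb::prepare(); see lead-in for what is simplified.
function demo_prepare( $query ) {
    $args = func_get_args();
    array_shift( $args );
    if ( isset( $args[0] ) && is_array( $args[0] ) ) {
        $args = $args[0];
    }

    // Count placeholders that are not escaped as %%.
    $placeholders = preg_match_all( '/(?<!%)%[sdf]/', $query, $m );

    // Proposed check: a query with placeholders but no values is almost
    // always a bug (typically a double prepare). Flag it instead of letting
    // vsprintf() fail quietly.
    if ( count( $args ) === 0 && $placeholders > 0 ) {
        trigger_error( 'demo_prepare(): query contains placeholders but no values were passed', E_USER_WARNING );
        return '';   // mirrors the blank string the ticket describes
    }
    if ( $placeholders !== count( $args ) ) {
        trigger_error( sprintf( 'demo_prepare(): %d placeholder(s), %d value(s)', $placeholders, count( $args ) ), E_USER_WARNING );
        return '';
    }

    // Normalise quoting around %s so each value is quoted exactly once.
    $query = str_replace( array( "'%s'", '"%s"' ), '%s', $query );
    $query = preg_replace( '|(?<!%)%s|', "'%s'", $query );
    $args  = array_map( 'addslashes', $args );   // assumption: stand-in escaping
    return vsprintf( $query, $args );
}

$user_input = 'hola%s mundo';   // constructed sample input, as in the ticket

// Correct usage: one prepare() call with the value supplied.
$sql = demo_prepare( 'select * from table where column = %s', $user_input );
echo $sql, "\n";
// select * from table where column = 'hola%s mundo'

// The double-prepare pattern from the ticket: the second call receives a
// query that now carries the user's %s and no values, so it is flagged and
// returns '' rather than handing a broken query to the database.
$sql_again = demo_prepare( $sql );
var_dump( $sql_again );   // string(0) "" plus an E_USER_WARNING
```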