[wp-trac] [WordPress Trac] #25604: first argument of wpdb::prepare should have a placeholder
WordPress Trac
noreply at wordpress.org
Wed Oct 16 00:26:25 UTC 2013
#25604: first argument of wpdb::prepare should have a placeholder
------------------------------+-----------------------------
Reporter: ounziw | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Warnings/Notices | Version:
Severity: normal | Keywords:
------------------------------+-----------------------------
wpdb::prepare is a function which escapes for SQL.
Some plugins/themes use wpdb::prepare in the wrong way, and they may have a
vulnerability.
Bad Example
`$wpdb->prepare( "SELECT * FROM table WHERE id = $id", null);`
I propose to add
{{{
// Warn when the query has no placeholder at all, or still contains a literal '$'.
if ( strpos( $query, '%' ) === false || strpos( $query, '$' ) !== false )
	_doing_it_wrong( 'wpdb::prepare', 'first argument of wpdb::prepare() should have a placeholder.', '3.7' );
}}}
to check the first argument of wpdb::prepare
--
Ticket URL: <http://core.trac.wordpress.org/ticket/25604>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
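As an added example, not part of the ticket or of WordPress core: a small PHP script that implements the proposed check inside a stand-in for wpdb::prepare() and runs the ticket's bad example beside the correct form, so the difference between interpolating a value and passing it as an argument is visible in the resulting SQL. DemoDb, its escape() method and the warnings array are assumptions of this demo; the real wpdb escapes through the MySQL driver and _doing_it_wrong() raises a PHP notice under WP_DEBUG.

```php
<?php
// Added example, not WordPress core code. DemoDb is a minimal stand-in for
// wpdb that supports %d, %f and %s placeholders and applies the check
// proposed in ticket #25604 before substituting arguments.

class DemoDb {
    /** @var string[] Messages the proposed check would have emitted. */
    public $warnings = array();

    /** Stand-in for _doing_it_wrong(): record the message instead of raising a notice. */
    private function doing_it_wrong( $function, $message, $version ) {
        $this->warnings[] = "$function: $message (since $version)";
    }

    /** Stand-in for wpdb::_real_escape(); addslashes() so this runs without a database. */
    public function escape( $value ) {
        return addslashes( (string) $value );
    }

    /**
     * Stand-in for wpdb::prepare( $query, $arg1, $arg2, ... ).
     * %s values are escaped and quoted; %d and %f are cast to numbers.
     */
    public function prepare( $query ) {
        $args = func_get_args();
        array_shift( $args );

        // The ticket's proposed check: no placeholder at all, or a literal '$'
        // (a variable name left inside a single-quoted string), means the caller
        // put the data into the SQL before prepare() had a chance to escape it.
        if ( strpos( $query, '%' ) === false || strpos( $query, '$' ) !== false ) {
            $this->doing_it_wrong( 'wpdb::prepare',
                'first argument of wpdb::prepare() should have a placeholder.', '3.7' );
        }

        // Substitute placeholders left to right, one argument per placeholder.
        $i    = 0;
        $self = $this;
        return preg_replace_callback( '/%([dfs])/', function ( $m ) use ( &$i, $args, $self ) {
            $value = isset( $args[ $i ] ) ? $args[ $i ] : null;
            $i++;
            switch ( $m[1] ) {
                case 'd': return (string) intval( $value );
                case 'f': return (string) floatval( $value );
                default:  return "'" . $self->escape( $value ) . "'";
            }
        }, $query );
    }
}

$db = new DemoDb();
$id = '1 OR 1=1'; // constructed attacker-controlled input, e.g. from $_GET['id']

// Bad (the ticket's example): $id is interpolated into the double-quoted string
// before prepare() sees it, so nothing is escaped and the WHERE clause is
// rewritten by the input. The proposed check fires because no '%' is present.
$bad = $db->prepare( "SELECT * FROM table WHERE id = $id", null );
echo $bad, "\n";
echo $db->warnings[0], "\n";

// Good: keep the placeholder in the template and pass the value as an argument;
// %d casts the input to an integer and no warning is recorded for this call.
$good = $db->prepare( "SELECT * FROM table WHERE id = %d", $id );
echo $good, "\n";
echo count( $db->warnings ), "\n";
```

Run it with `php demo.php`. The first query comes back with the injected `OR 1=1` intact and one warning recorded; the second comes back with the value reduced to an integer and the warning count unchanged, which is exactly the distinction the proposed `_doing_it_wrong()` call is meant to surface during development.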