[wp-trac] [WordPress Trac] #26896: Quotes not added around strings using wpdb->prepare with sprintf position specifiers
WordPress Trac
noreply at wordpress.org
Thu Jan 23 11:57:35 UTC 2014
#26896: Quotes not added around strings using wpdb->prepare with sprintf position specifiers
------------------------------+------------------------------
Reporter: neonWired | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Database | Version: 3.2.1
Severity: minor | Resolution:
Keywords: close needs-docs |
------------------------------+------------------------------
Comment (by neonWired):
It uses vsprintf (wp-includes/wp-db.php line 890), which is the same as sprintf, only it uses an array of args.
It uses the following 3 lines (886, 887 & 888) to add the quotes, but obviously if you use position specifiers this will no longer work:
    $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
    $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
    $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
It just needs the regex pattern updating to support position specifiers; I don't think it's a huge fix for the benefit.
Not sure if this should be reclassified as an enhancement?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/26896#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
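The behaviour the comment describes, as an added stand-alone example (this is not WordPress code and not the commenter's code): a toy model of the quoting step in wpdb::prepare() built from the three lines quoted above, run through vsprintf both with the original "%s"-only pattern and with a pattern that carries an optional position specifier through. The function names (toy_escape, quote_plain, quote_positional, toy_prepare, all_strings_quoted) are hypothetical, and toy_escape is only a stand-in for the MySQL escaping that the real wpdb applies to each argument.

```php
<?php
// Added example, not WordPress code: models the quoting step of wpdb::prepare()
// to show why sprintf position specifiers such as %1$s end up unquoted.

// Stand-in for the driver's string escaper (assumption for this example only;
// wpdb uses the MySQL escape function on each argument).
function toy_escape( $value ) {
    return str_replace( array( '\\', "'" ), array( '\\\\', "\\'" ), (string) $value );
}

// The three lines quoted in the ticket: strip quotes the caller already put
// around %s, then add them back. Only a bare %s is matched, so %1$s is skipped.
function quote_plain( $query ) {
    $query = str_replace( "'%s'", '%s', $query );
    $query = str_replace( '"%s"', '%s', $query );
    return preg_replace( '|(?<!%)%s|', "'%s'", $query );
}

// Revised pattern: an optional "N$" position specifier between % and s is
// captured and carried through, so %1$s becomes '%1$s' and %s stays '%s'.
// The (?<!%) lookbehind still leaves an escaped %%s alone.
function quote_positional( $query ) {
    // unquote: '%s', "%s", '%1$s', "%1$s"
    $query = preg_replace( '/([\'"])%(\d+\$)?s\1/', '%${2}s', $query );
    // quote: %s and %1$s
    return preg_replace( '/(?<!%)%(\d+\$)?s/', '\'%${1}s\'', $query );
}

// Escape every argument, quote the template with the chosen quoter, then
// expand it with vsprintf exactly as wp-db.php does.
function toy_prepare( $query, array $args, $quoter ) {
    $args  = array_map( 'toy_escape', $args );
    $query = $quoter( $query );
    return vsprintf( $query, $args );
}

// Check a quoted template: true when no %s-style placeholder is left bare.
function all_strings_quoted( $quoted_template ) {
    return ! preg_match( '/(?<![\'%])%(\d+\$)?s/', $quoted_template );
}

// Constructed sample query using position specifiers.
$template = 'SELECT ID FROM wp_users WHERE user_login = %1$s AND user_status = %2$d';
$args     = array( 'admin', 0 );

echo "original pattern: ", toy_prepare( $template, $args, 'quote_plain' ), "\n";
echo "revised pattern:  ", toy_prepare( $template, $args, 'quote_positional' ), "\n";
var_dump( all_strings_quoted( quote_plain( $template ) ) );
var_dump( all_strings_quoted( quote_positional( $template ) ) );
```

With the original pattern the template is returned untouched, so the string argument lands in the SQL as a bare word rather than a quoted literal and all_strings_quoted() reports false; with the revised pattern the placeholder is rewritten to '%1$s', the argument comes out as a quoted literal, and the check reports true. The check is the useful part for a defender: run it over the quoted template before vsprintf and you catch any placeholder the quoting step missed, whatever the pattern in use.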