[wp-trac] [WordPress Trac] #29801: Improper value sanitization in WP_Date_Query::build_value() can lead to incorrect results
WordPress Trac
noreply at wordpress.org
Mon Sep 29 17:23:35 UTC 2014
#29801: Improper value sanitization in WP_Date_Query::build_value() can lead to incorrect results
--------------------------+-----------------
Reporter: boonebgorges | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.1
Component: Date/Time | Version:
Severity: minor | Keywords:
Focuses: |
--------------------------+-----------------
`WP_Date_Query::build_value()` sanitizes the `$value` param for two
purposes: (1) for safe use in SQL queries, and (2) to make sure that the
values provided make sense with the `$compare` operator. However, the
reliance on intval() means that the following cases arise:
- With compare `IN` and `NOT IN`, values like `'foo'` turn into `(0)` while `'foo1'` turns into `(1)`
- With compare `BETWEEN` and `NOT BETWEEN`, a singleton array as the `$value` will be sanitized down to `1`, leading to clauses like `BETWEEN 1 AND 1`
In each of these cases, the query might end up returning unexpected
results. I suggest returning `false` out of `build_query()` when an
invalid value is passed. The attached patch does this using
`is_numeric()`.
A related issue that I've also addressed in the patch: for `BETWEEN` and
`NOT BETWEEN`, passing a two-membered array like `array( 2 => 5, 3 => 6 )`
would result in the query failing, because the parser expects array
keys 0 and 1. I suggest that in cases where two numeric values are passed,
we use them, regardless of the keys.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/29801>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
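A simplified PHP illustration of the coercion problem the ticket describes, placed next to a version that validates with `is_numeric()` and ignores array keys. This is an added example, not the ticket's patch or WordPress core code; the function names and the exact coercion model are assumptions made for illustration.

```php
<?php
// Illustrative only: models the intval()-based behaviour described in the
// ticket, not the real WP_Date_Query::build_value() implementation.
function build_value_intval( $compare, $value ) {
    switch ( $compare ) {
        case 'IN':
        case 'NOT IN':
            // 'foo' -> 0, 'foo1' -> 1: non-numeric input silently becomes a number.
            return '(' . implode( ',', array_map( 'intval', (array) $value ) ) . ')';
        case 'BETWEEN':
        case 'NOT BETWEEN':
            if ( is_array( $value ) && isset( $value[0], $value[1] ) ) {
                return intval( $value[0] ) . ' AND ' . intval( $value[1] );
            }
            // Fall through: intval() of a non-empty array is 1 -> "BETWEEN 1 AND 1".
        default:
            return intval( $value );
    }
}

// Hardened variant (assumed design, following the ticket's suggestion):
// reject anything non-numeric by returning false, and accept any two
// numeric members for BETWEEN regardless of their array keys.
function build_value_checked( $compare, $value ) {
    switch ( $compare ) {
        case 'IN':
        case 'NOT IN':
            $value = array_values( (array) $value );
            if ( empty( $value ) || $value !== array_filter( $value, 'is_numeric' ) ) {
                return false;
            }
            return '(' . implode( ',', array_map( 'intval', $value ) ) . ')';
        case 'BETWEEN':
        case 'NOT BETWEEN':
            if ( ! is_array( $value ) || 2 !== count( $value ) ) {
                return false; // singleton or oversized array is invalid
            }
            list( $lo, $hi ) = array_values( $value ); // keys 2 => 5, 3 => 6 are fine
            if ( ! is_numeric( $lo ) || ! is_numeric( $hi ) ) {
                return false;
            }
            return intval( $lo ) . ' AND ' . intval( $hi );
        default:
            return is_numeric( $value ) ? intval( $value ) : false;
    }
}

// Constructed inputs from the ticket; the caller should skip the clause on false.
var_dump( build_value_intval( 'IN', 'foo1' ) );                    // "(1)"
var_dump( build_value_checked( 'IN', 'foo1' ) );                   // false
var_dump( build_value_intval( 'BETWEEN', array( 7 ) ) );           // 1
var_dump( build_value_checked( 'BETWEEN', array( 2 => 5, 3 => 6 ) ) ); // "5 AND 6"
```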