[wp-trac] [WordPress Trac] #41925: Bring back, support and document %1$s support in wpdb->prepare

WordPress Trac noreply at wordpress.org
Wed Sep 20 18:19:40 UTC 2017


#41925: Bring back, support and document %1$s support in wpdb->prepare
-------------------------+----------------------
 Reporter:  soulseekah   |       Owner:
     Type:  enhancement  |      Status:  closed
 Priority:  normal       |   Milestone:
Component:  Database     |     Version:
 Severity:  normal       |  Resolution:  wontfix
 Keywords:               |     Focuses:
-------------------------+----------------------
Changes (by aaroncampbell):

 * status:  new => closed
 * resolution:   => wontfix
 * milestone:  Awaiting Review =>


Comment:

 Hey @soulseekah,

 I can appreciate the desire to have numbered placeholders in
 `wpdb::prepare()`. They're definitely my preference for `sprintf()` et al.
 Unfortunately, even after spending a lot of time on this, the security
 team wasn't able to find a way to keep them around and also fix the
 security issue, without basically writing an SQL parser. The more complex
 the parser got, the more likely there were additional edge cases that
 would cause problems.

 I ran your patch against some test cases I have from when we were working
 on this issue, and unfortunately it re-introduces the vulnerability that
 was closed with this change. Enforcing the simple subset of `%s`, `%F`,
 and `%d` allows us to make `wpdb::prepare()` safe and effective, which is
 its main purpose.

 Thanks,
 Aaron
 WordPress Security Team Lead

--
Ticket URL: <https://core.trac.wordpress.org/ticket/41925#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform