[wp-trac] [WordPress Trac] #51486: The add_option function should not be able to update existing rows in the database.
WordPress Trac
noreply at wordpress.org
Fri Oct 9 01:12:29 UTC 2020
#51486: The add_option function should not be able to update existing rows in the
database.
--------------------------+-----------------------------
Reporter: khag7 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
In certain edge cases, `add_option` is able to update existing option
values. This should not be possible. If SQL is executed which instructs
"Insert XYZ" into database, then the insert should fail if the key already
exists in the database, unless the SQL specifies that an UPDATE should
happen.

The `add_option` function does check first to see if an option exists
before attempting to add it to the database. In the overwhelming majority
of cases, this works fine because when the option exists the function will
return early before attempting to insert into the database.

However, consider a scenario where an object cache is being used. And
further consider that the object cache may report incorrectly. If the
object cache tells `add_option` that the value doesn't exist in the
database (but in reality it does!), then `add_option` continues on and
attempts to insert the supposedly new option.

In that particular circumstance, the SQL query, shown below, is executed
which will insert the new row. And in the event that the option already
exists, it will be overwritten.

The issue here is that `add_option` shouldn't be able to update the
existing value. The query should fail. Why is the `ON DUPLICATE KEY
UPDATE` clause included here?
{{{#!php
<?php // Code here is from wp-includes/option.php Line 581:
$result = $wpdb->query(
    $wpdb->prepare(
        "INSERT INTO `$wpdb->options` (`option_name`, `option_value`, `autoload`)
        VALUES (%s, %s, %s)
        ON DUPLICATE KEY UPDATE
            `option_name` = VALUES(`option_name`),
            `option_value` = VALUES(`option_value`),
            `autoload` = VALUES(`autoload`)
        ",
        $option,
        $serialized_value,
        $autoload
    )
);
}}}

I realize this is an edge case. If the object cache being used gives bad
information to `add_option` then really it's the object caching plugin at
fault. However, I can't understand a possible circumstance where
`add_option` should ever UPDATE an existing option. The SQL here should
not include `ON DUPLICATE KEY UPDATE`. Am I missing something? Is there a
good reason for that clause? What would happen if that clause were
removed?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51486>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform