[wp-trac] [WordPress Trac] #49705: Sanitizing input for parameterized queries + update_meta_cache
WordPress Trac
noreply at wordpress.org
Tue May 25 06:13:37 UTC 2021
#49705: Sanitizing input for parameterized queries + update_meta_cache
--------------------------------+-------------------------------
Reporter: classicalrehan | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Options, Meta APIs | Version: 5.3.2
Severity: minor | Resolution:
Keywords: | Focuses: coding-standards
--------------------------------+-------------------------------
Changes (by dd32):
* severity: critical => minor
Comment:
Replying to [comment:2 classicalrehan]:
> I just wanted to know why the get_results query is not used here with a
> prepare statement?
To follow up on this old comment: because prepare isn't necessarily
useful here, as `intval()` is going to be just as secure as `sprintf( '%d'
)`, which is what prepare is, and is simpler to read than an `array_fill()`
call.
If WordPress were using proper native prepared queries, then it would make
more sense to use it.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49705#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
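The comparison dd32 draws above, as an added example that is not WordPress core code and not part of the ticket. It builds the same `WHERE ... IN (...)` list three ways: by casting each ID with `intval()` and joining, by generating one `%d` placeholder per ID and running it through a sprintf-style prepare, and, for contrast, through a native MySQL prepared statement where the values never enter the SQL string at all. `fake_prepare()` is a stand-in that emulates only the `%d` behaviour of `$wpdb->prepare()` (assumption: the real method also handles `%s`, `%f` and escaping); `native_prepared_lookup()` is defined but not executed, since it needs a live `mysqli` connection with mysqlnd, and the hostile `$input` array is constructed for the demonstration.

```php
<?php
declare( strict_types = 1 );

/**
 * Approach 1 (the style the comment defends): cast every ID with intval()
 * and join the results. No SQL metacharacter survives the cast, so the
 * joined string is safe to interpolate.
 */
function in_list_via_intval( array $ids ): string {
    $ids = array_map( 'intval', $ids );
    return implode( ',', $ids );
}

/**
 * Stand-in for $wpdb->prepare(), emulating only the %d case (assumption):
 * each %d argument is cast to int and substituted with vsprintf(), which
 * is why the comment calls prepare "sprintf( '%d' )" for this purpose.
 */
function fake_prepare( string $query, array $args ): string {
    $args = array_map( 'intval', $args );
    return vsprintf( $query, $args );
}

/**
 * Approach 2: one %d placeholder per ID built with array_fill(), then the
 * whole list goes through the sprintf-style prepare.
 */
function in_list_via_prepare( array $ids ): string {
    if ( empty( $ids ) ) {
        return '';
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    return fake_prepare( $placeholders, $ids );
}

/**
 * Approach 3, for contrast with "proper native prepared queries": the IDs
 * are bound as integer parameters and sent to the server separately from
 * the query text. Requires a live connection, so it is not called below.
 * $table must be a trusted identifier; placeholders cannot bind table names.
 */
function native_prepared_lookup( mysqli $db, string $table, array $ids ): array {
    $ids          = array_map( 'intval', $ids );
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '?' ) );
    $stmt         = $db->prepare(
        "SELECT meta_id, post_id, meta_key, meta_value FROM {$table} WHERE post_id IN ({$placeholders})"
    );
    $stmt->bind_param( str_repeat( 'i', count( $ids ) ), ...$ids );
    $stmt->execute();
    return $stmt->get_result()->fetch_all( MYSQLI_ASSOC );
}

// Constructed hostile input: the kind of values a request parameter could carry.
$input = [ '7', '12 OR 1=1', '1; DROP TABLE wp_postmeta; --', 'abc', 3 ];

$list_a = in_list_via_intval( $input );
$list_b = in_list_via_prepare( $input );

// Both paths yield the same list, "7,12,1,0,3": the injection payloads are
// reduced to their leading integer and 'abc' becomes 0 (a real caller would
// typically drop zero IDs before querying).
echo "intval():  SELECT ... WHERE post_id IN ({$list_a})\n";
echo "prepare(): SELECT ... WHERE post_id IN ({$list_b})\n";
echo ( $list_a === $list_b ) ? "identical\n" : "different\n";
```

The first two approaches are equivalent in what reaches the database because both reduce to integer casting followed by string interpolation; the third differs in kind, not degree, since the query text is parsed before any value is attached, which is the distinction the comment draws with "native prepared queries".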