[wp-trac] [WordPress Trac] #52506: Add escaping method for table names in SQL queries
WordPress Trac
noreply at wordpress.org
Mon Sep 13 14:33:52 UTC 2021
#52506: Add escaping method for table names in SQL queries
--------------------------+------------------------------
Reporter: tellyworth | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Database | Version:
Severity: normal | Resolution:
Keywords: dev-feedback | Focuses:
--------------------------+------------------------------
Comment (by craigfrancis):
Unfortunately I didn't find this ticket when creating #54042, where I'm
also hoping to update `$wpdb->prepare()` to support backtick-quoted
identifiers (e.g. table/field names).
From the suggestions so far, I'd prefer a placeholder, so the `$query`
argument to `$wpdb->prepare()` can use the `literal-string` type that's
now available in [https://github.com/vimeo/psalm/releases/tag/4.8.0 Psalm
4.8.0] and [https://github.com/phpstan/phpstan/releases/tag/0.12.97
PHPStan 0.12.97] (and will hopefully be added to PHP in the future); this
would allow us to avoid unsafe variable concatenation and escaping
mistakes.
In my patch, I've used `%i` for "**I**dentifier", because
[https://en.wikipedia.org/wiki/Printf_format_string#Type_field printf()
type fields] have historically used `%d` and `%i` for integers, whereas
PHP only uses `%d`, implying the PHP developers are unlikely to use `%i`
for anything else.
My main problem at the moment is formatting, e.g. `$wpdb->prepare('id =
%5s', $_GET['id'])` in the current implementation results in an unquoted
(unsafe) string that's padded to 5 characters; whereas my patch ensures
the value is quoted, but includes the 2 quote characters in the length.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52506#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
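The comment above describes two things: a `%i` placeholder that emits a backtick-quoted identifier, and the formatting problem where `%5s` pads a value without quoting it. The following is an added example, not WordPress core code and not the patch attached to #54042. It is a self-contained stand-in for a `prepare()`-style function (the names `prepare_with_identifiers()`, `quote_identifier()` and `escape_value()` are hypothetical), and it makes two assumptions: `escape_value()` uses a fixed replacement table in place of `mysqli_real_escape_string()` so that it runs without a database, and width modifiers on `%s` are applied to the raw value before quoting, which is one way (my own, not the patch's) to keep the quote characters out of the padded length.

```php
<?php
// Added example (not WordPress core code): a minimal prepare()-style
// function with a hypothetical %i placeholder for backtick-quoted
// identifiers. Function names and behaviour are illustrative only.

declare(strict_types=1);

/**
 * Escape a string value for use inside single quotes.
 * Assumption: a fixed replacement table standing in for
 * mysqli_real_escape_string(), since this example has no DB connection.
 */
function escape_value(string $value): string
{
    return str_replace(
        ["\\", "\0", "\n", "\r", "'", '"', "\x1a"],
        ["\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z"],
        $value
    );
}

/**
 * Quote a table or column name with backticks. MySQL escapes a literal
 * backtick inside an identifier by doubling it, so a value such as
 * "wp_posts` WHERE 1=1 -- " stays a single (non-existent) identifier.
 */
function quote_identifier(string $name): string
{
    if ($name === '') {
        throw new InvalidArgumentException('Identifier must not be empty');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Hypothetical prepare(): %i (identifier), %s (quoted string, with an
 * optional width applied to the value before quoting), %d and %f.
 * Any other % sequence is rejected, so a specifier the function does not
 * understand can never emit an unquoted, attacker-controlled string.
 */
function prepare_with_identifiers(string $query, ...$args): string
{
    $i = 0;
    $out = preg_replace_callback(
        '/%(%|([0-9]*)([isdf]))/',
        function (array $m) use (&$i, $args): string {
            if ($m[1] === '%') {
                return '%';
            }
            if (!array_key_exists($i, $args)) {
                throw new InvalidArgumentException('Too few arguments for query');
            }
            $width = $m[2] === '' ? 0 : (int) $m[2];
            $arg   = $args[$i++];
            switch ($m[3]) {
                case 'i':
                    return quote_identifier((string) $arg);
                case 's':
                    // Pad the raw value first so the width excludes the quotes.
                    return "'" . escape_value(str_pad((string) $arg, $width)) . "'";
                case 'd':
                    return (string) (int) $arg;
                case 'f':
                    return (string) (float) $arg;
                default:
                    throw new InvalidArgumentException('Unsupported placeholder %' . $m[1]);
            }
        },
        $query
    );
    if ($i !== count($args)) {
        throw new InvalidArgumentException('Too many arguments for query');
    }
    return $out;
}

// --- Demonstration with constructed input -------------------------------

// What the unquoted %5s behaviour amounts to: sprintf() pads the value but
// never quotes it, so the constructed input lands in the SQL as bare text.
$unsafe = sprintf('SELECT * FROM wp_posts WHERE id = %5s', '1 OR 1=1');
echo $unsafe, "\n";

// Hardened: identifiers via %i, values via %s. The backtick in the second
// table-name argument is doubled, and the %5s value is padded before it is
// quoted, so the two quote characters do not count towards the width.
$safe = prepare_with_identifiers(
    'SELECT %i FROM %i WHERE %i = %s AND post_status = %5s',
    'post_title',
    'wp_posts` WHERE 1=1 -- ',
    'ID',
    '1 OR 1=1',
    'new'
);
echo $safe, "\n";
```

Run with `php example.php`. The first line shows the attacker-supplied value spliced in unquoted; the second shows every identifier backtick-quoted (with the injected backtick doubled), the string value single-quoted, and the `%5s` value padded to five characters inside, not including, its quotes. Splitting a qualified name such as `table.column` into separately quoted parts is deliberately left out of `quote_identifier()`; a real implementation would need to decide whether to allow that.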