[wp-trac] [WordPress Trac] #52506: Add escaping method for table names in SQL queries

WordPress Trac noreply at wordpress.org
Fri Jun 24 20:34:11 UTC 2022

#52506: Add escaping method for table names in SQL queries
 Reporter:  tellyworth                           |       Owner:
                                                 |  davidbaumwald
     Type:  defect (bug)                         |      Status:  closed
 Priority:  normal                               |   Milestone:  6.1
Component:  Database                             |     Version:
 Severity:  normal                               |  Resolution:  fixed
 Keywords:  has-patch has-unit-tests early       |     Focuses:
  commit                                         |
Changes (by davidbaumwald):

 * status:  reviewing => closed
 * resolution:   => fixed


 In [changeset:"53575" 53575]:
 #!CommitTicketReference repository="" revision="53575"
 Database: Add `%i` placeholder support to `$wpdb->prepare` to escape table
 and column names.

 WordPress does not currently provide an explicit method for escaping SQL
 table and column names. This leads to potential security vulnerabilities,
 and makes reviewing code for security unnecessarily difficult. Also,
 static analysis tools flag the queries as having unescaped SQL input.

 Tables and column names in queries are usually in-the-raw, since using the
 existing `%s` will straight quote the value, making the query invalid.

 This change introduces a new `%i` placeholder in `$wpdb->prepare` to
 properly quote table and column names using backticks.

 Props tellyworth, iandunn, craigfrancis, peterwilsoncc, johnbillion.
 Fixes #52506.
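As an added illustration, not the committed code, here is a small Python model of the placeholder substitution the commit describes: `%s` wraps its argument in single quotes, which is why a table name passed through it yields an invalid query, whereas the new `%i` wraps it in backticks and doubles any embedded backtick so the name cannot close the identifier early. The `%%`, `%d` and `%f` handling and the exact `%s` escaping are simplified assumptions, not wpdb's implementation.

```python
import re

# Placeholders modelled: %% (literal percent), %d, %f, %s and the new %i.
PLACEHOLDER = re.compile(r"%(%|[dfsi])")


def quote_identifier(name: str) -> str:
    """Backtick-quote a table or column name (what %i does). An embedded
    backtick is doubled so it cannot terminate the quoted identifier."""
    return "`" + name.replace("`", "``") + "`"


def quote_string(value: str) -> str:
    """Single-quote a string value (what %s does). This escaping is a
    simplified stand-in for the mysqli escaping wpdb really uses."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'").replace("\0", "\\0")
    return "'" + escaped + "'"


def prepare(query: str, *args) -> str:
    """Minimal model of $wpdb->prepare placeholder substitution (assumption)."""
    remaining = list(args)

    def substitute(match):
        kind = match.group(1)
        if kind == "%":
            return "%"
        if not remaining:
            raise ValueError("more placeholders than arguments")
        arg = remaining.pop(0)
        if kind == "d":
            return str(int(arg))
        if kind == "f":
            return repr(float(arg))
        if kind == "s":
            return quote_string(str(arg))
        return quote_identifier(str(arg))  # kind == "i"

    prepared = PLACEHOLDER.sub(substitute, query)
    if remaining:
        raise ValueError("more arguments than placeholders")
    return prepared


if __name__ == "__main__":
    # Constructed inputs: a table name, a column name and a user-supplied value.
    print(prepare("SELECT * FROM %i WHERE %i = %s", "wp_posts", "post_status", "publish"))
    # %s on a table name produces a string literal, not a table reference.
    print(prepare("SELECT * FROM %s", "wp_posts"))
    # A backtick inside a name stays inside the quoted identifier with %i.
    print(prepare("SELECT * FROM %i", "odd`name"))
```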

Ticket URL: <https://core.trac.wordpress.org/ticket/52506#comment:32>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform