[wp-trac] [WordPress Trac] #52506: Add escaping method for table names in SQL queries
WordPress Trac
noreply at wordpress.org
Fri Jun 24 20:34:11 UTC 2022
#52506: Add escaping method for table names in SQL queries
-------------------------------------------------+-------------------------
Reporter: tellyworth | Owner: davidbaumwald
Type: defect (bug) | Status: closed
Priority: normal | Milestone: 6.1
Component: Database | Version:
Severity: normal | Resolution: fixed
Keywords: has-patch has-unit-tests early commit | Focuses:
-------------------------------------------------+-------------------------
Changes (by davidbaumwald):
* status: reviewing => closed
* resolution: => fixed
Comment:
In [changeset:"53575" 53575]:
{{{
#!CommitTicketReference repository="" revision="53575"
Database: Add `%i` placeholder support to `$wpdb->prepare` to escape table
and column names.
WordPress does not currently provide an explicit method for escaping SQL
table and column names. This leads to potential security vulnerabilities,
and makes reviewing code for security unnecessarily difficult. Also,
static analysis tools flag the queries as having unescaped SQL input.
Tables and column names in queries are usually in-the-raw, since using the
existing `%s` will straight quote the value, making the query invalid.
This change introduces a new `%i` placeholder in `$wpdb->prepare` to
properly quote table and column names using backticks.
Props tellyworth, iandunn, craigfrancis, peterwilsoncc, johnbillion,
apokalyptik.
Fixes #52506.
}}}
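To show how the new placeholder is used in practice, here is an added example (not code from the changeset or from WordPress core) that builds the same query with raw identifiers and with `%i`. It assumes WordPress 6.1 or later, and the function names, the `audit_log` table and the column allowlist are invented for the illustration.

```php
<?php
// Added example, not part of changeset 53575. Assumes WordPress 6.1+ so that
// $wpdb->prepare() understands the %i identifier placeholder.

/**
 * Fetch rows from a custom table, filtered on a caller-chosen column.
 *
 * @param string $table_suffix Table name without the site prefix, e.g. 'audit_log' (assumed).
 * @param string $column       Column to filter on.
 * @param string $value        Value to match.
 * @return array
 */
function example_get_rows( string $table_suffix, string $column, string $value ): array {
    global $wpdb;

    // Defense in depth: %i keeps the identifier inside its backticks, but it
    // cannot decide whether the caller may query that column at all, so keep
    // an explicit allowlist (the list itself is an assumption for this example).
    $allowed_columns = array( 'id', 'user_id', 'action' );
    if ( ! in_array( $column, $allowed_columns, true ) ) {
        return array();
    }

    // Table and column go through %i and come back backtick-quoted; the value
    // goes through %s and comes back as an escaped, single-quoted string literal.
    $sql = $wpdb->prepare(
        'SELECT * FROM %i WHERE %i = %s',
        $wpdb->prefix . $table_suffix,
        $column,
        $value
    );

    return (array) $wpdb->get_results( $sql );
}

/**
 * The pattern the ticket describes: before %i existed, identifiers were
 * concatenated raw, because %s would yield FROM 'wp_audit_log' (a string
 * literal, not a table reference) and MySQL would reject the query.
 * Static analysis tools flag this form as unescaped SQL input.
 */
function example_get_rows_raw_identifiers( string $table_suffix, string $column, string $value ): array {
    global $wpdb;

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}{$table_suffix} WHERE {$column} = %s", // identifiers unescaped
        $value
    );

    return (array) $wpdb->get_results( $sql );
}
```

With `%i`, a table or column name containing a backtick or a space can no longer alter the shape of the statement; the value argument is still handled by `%s` exactly as before.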
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52506#comment:32>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform