[wp-trac] [WordPress Trac] #56091: Use %i for table/field names in wpdb::prepare()

WordPress Trac noreply at wordpress.org
Tue Jun 28 19:10:52 UTC 2022

#56091: Use %i for table/field names in wpdb::prepare()
 Reporter:  craigfrancis  |      Owner:  craigfrancis
     Type:  enhancement   |     Status:  assigned
 Priority:  low           |  Milestone:  6.1
Component:  Database      |    Version:  trunk
 Severity:  minor         |   Keywords:  needs-patch
  Focuses:                |
 Now `wpdb::prepare()` supports `%i` for Identifiers (e.g. table/field
 names), via [https://core.trac.wordpress.org/changeset/53575 commit
 52506], and [https://core.trac.wordpress.org/ticket/52506 ticket 52506].

 Queries within WP Core should use this, to ensure variables are always
 quoted, and avoid static analysis tools flagging unescaped SQL input (a
 non-`literal-string`) for the `$query` parameter:

 $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_type = %s",
 $post_type );

 $wpdb->prepare( "SELECT ID FROM %i WHERE post_type = %s", $wpdb->posts,
 $post_type );

 I'll write a patch for the first set, but I suspect there will be a lot of
 changes, and they should be checked carefully.

Ticket URL: <https://core.trac.wordpress.org/ticket/56091>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list