[wp-trac] [WordPress Trac] #56091: Use %i for table/field names in wpdb::prepare()
WordPress Trac
noreply at wordpress.org
Tue Jun 28 19:10:52 UTC 2022
#56091: Use %i for table/field names in wpdb::prepare()
--------------------------+--------------------------
Reporter: craigfrancis | Owner: craigfrancis
Type: enhancement | Status: assigned
Priority: low | Milestone: 6.1
Component: Database | Version: trunk
Severity: minor | Keywords: needs-patch
Focuses: |
--------------------------+--------------------------
`wpdb::prepare()` now supports `%i` for identifiers (e.g. table/field
names), via [https://core.trac.wordpress.org/changeset/53575 commit
53575] and [https://core.trac.wordpress.org/ticket/52506 ticket 52506].
Queries within WP Core should use this, to ensure identifiers are always
quoted, and to avoid static analysis tools flagging unescaped SQL input (a
non-`literal-string`) for the `$query` parameter:
{{{#!php
<?php
// Before: the table name is interpolated, so $query is no longer a literal string.
$wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_type = %s", $post_type );

// After: the query stays a literal string and the identifier is passed via %i.
$wpdb->prepare( "SELECT ID FROM %i WHERE post_type = %s", $wpdb->posts, $post_type );
}}}
I'll write a patch for the first set, but I suspect there will be a lot of
changes, and they should be checked carefully.
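As an added illustration (not WordPress core code), the script below uses a minimal stand-in for `wpdb::prepare()` so the interpolated and `%i` forms can be compared offline; the `quote_identifier()`/`prepare_lite()` helpers, the `wp_posts` value and the `$requested` input are constructed here, and the assumption that `%i` wraps the value in backticks and doubles any embedded backtick should be checked against core before relying on it.

```php
<?php
// Constructed stand-in for the `%i` handling in wpdb::prepare() (assumption:
// backtick-quote the identifier and double any backtick inside it).
function quote_identifier( string $name ): string {
    return '`' . str_replace( '`', '``', $name ) . '`';
}

// Simplified prepare(): %i -> quoted identifier, %s -> quoted string,
// %d -> integer. Placeholders are consumed left to right.
function prepare_lite( string $query, array $args ): string {
    $i = 0;
    return preg_replace_callback(
        '/%[isd]/',
        function ( array $m ) use ( $args, &$i ): string {
            $arg = $args[ $i++ ];
            switch ( $m[0] ) {
                case '%i': return quote_identifier( (string) $arg );
                case '%d': return (string) (int) $arg;
                default:   return "'" . str_replace( "'", "''", (string) $arg ) . "'";
            }
        },
        $query
    );
}

$table     = 'wp_posts'; // constructed stand-in for $wpdb->posts
$post_type = 'page';

// Before: the table name is interpolated, so the query is no longer a literal
// string and analysers cannot separate trusted from untrusted parts.
$before = prepare_lite( "SELECT ID FROM $table WHERE post_type = %s", [ $post_type ] );

// After: the query stays a literal string; identifiers travel as %i arguments.
$after = prepare_lite( "SELECT ID FROM %i WHERE post_type = %s", [ $table, $post_type ] );

// %i only guarantees the value is quoted as a single identifier (a stray
// backtick becomes ``), not that it names a column you intend to expose,
// so request-derived identifiers still need an allow-list.
$requested     = 'post_title'; // constructed stand-in for user-supplied input
$allowed_order = [ 'post_date', 'post_title' ];
$orderby       = in_array( $requested, $allowed_order, true ) ? $requested : 'post_date';
$ordered       = prepare_lite( "SELECT ID FROM %i ORDER BY %i", [ $table, $orderby ] );

echo $before, "\n", $after, "\n", $ordered, "\n";
```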
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56091>
WordPress Trac <https://core.trac.wordpress.org/>