[wp-trac] [WordPress Trac] #56091: Use %i for table/field names in wpdb::prepare()
WordPress Trac
noreply at wordpress.org
Tue Jun 28 19:35:22 UTC 2022
#56091: Use %i for table/field names in wpdb::prepare()
--------------------------+---------------------------
Reporter: craigfrancis | Owner: craigfrancis
Type: enhancement | Status: assigned
Priority: low | Milestone: 6.1
Component: Database | Version: trunk
Severity: minor | Resolution:
Keywords: needs-patch | Focuses:
--------------------------+---------------------------
Description changed by SergeyBiryukov:
Old description:
> Now `wpdb::prepare()` supports `%i` for Identifiers (e.g. table/field
> names), via [https://core.trac.wordpress.org/changeset/53575 commit
> 52506], and [https://core.trac.wordpress.org/ticket/52506 ticket 52506].
>
> Queries within WP Core should use this, to ensure variables are always
> quoted, and avoid static analysis tools flagging unescaped SQL input (a
> non-`literal-string`) for the `$query` parameter:
>
> {{{#!php
> <?php
> $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_type = %s", $post_type );
>
> $wpdb->prepare( "SELECT ID FROM %i WHERE post_type = %s", $wpdb->posts, $post_type );
> }}}
>
> I'll write a patch for the first set, but I suspect there will be a lot
> of changes, and they should be checked carefully.
New description:
Now `wpdb::prepare()` supports `%i` for Identifiers (e.g. table/field
names), via commit [53575], and ticket #52506.
Queries within WP Core should use this, to ensure variables are always
quoted, and avoid static analysis tools flagging unescaped SQL input (a
non-`literal-string`) for the `$query` parameter:
{{{#!php
<?php
$wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_type = %s", $post_type );

$wpdb->prepare( "SELECT ID FROM %i WHERE post_type = %s", $wpdb->posts, $post_type );
}}}
I'll write a patch for the first set, but I suspect there will be a lot of
changes, and they should be checked carefully.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56091#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
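The following is an added example, not code from the ticket or from WordPress core. It shows the two forms the ticket contrasts, interpolating `$wpdb->posts` into the query string versus passing it through `%i`, in a realistic "sort posts by a caller-chosen column" helper, and why the second form is the one a static literal-string check accepts: the query template stays a literal and every table or column name travels as an argument that `prepare()` quotes. `DemoWpdb` and `demo_quote_identifier()` are stand-ins so the script runs without WordPress loaded; they assume `%i` is rendered the way `wpdb::prepare()` does it (wrap in backticks, double any embedded backtick). In a plugin you would call the global `$wpdb` instead, on WordPress 6.2 or later, where `%i` shipped. The hostile sort key is constructed for this example.

```php
<?php
declare( strict_types = 1 );

/**
 * Stand-in for the identifier quoting that %i performs in wpdb::prepare().
 * Assumption for this example: wrap in backticks and double any backtick
 * inside the value, so the name can never close the quote early. MySQL
 * reads `a``b` as the single identifier a`b.
 */
function demo_quote_identifier( string $identifier ): string {
    return '`' . str_replace( '`', '``', $identifier ) . '`';
}

/**
 * Minimal stand-in for $wpdb so the script runs outside WordPress.
 * Handles only %i and %s; the real wpdb also handles %d, %f and numbered
 * placeholders, and escapes strings with the MySQL escaper, not addslashes().
 */
final class DemoWpdb {
    public string $posts = 'wp_posts';

    public function prepare( string $query, ...$args ): string {
        $n = 0;
        return preg_replace_callback(
            '/%([is])/',
            function ( array $m ) use ( $args, &$n ): string {
                $value = (string) $args[ $n++ ];
                return 'i' === $m[1]
                    ? demo_quote_identifier( $value )
                    : "'" . addslashes( $value ) . "'";
            },
            $query
        );
    }
}

/** Columns a caller may sort by. %i quotes a name; it does not vet it. */
const ALLOWED_ORDERBY = [ 'post_date', 'post_title', 'post_modified' ];

/** Before: identifiers interpolated, so the $query argument is not a literal string. */
function posts_query_before( DemoWpdb $wpdb, string $post_type, string $orderby ): string {
    return $wpdb->prepare(
        "SELECT ID FROM $wpdb->posts WHERE post_type = %s ORDER BY $orderby",
        $post_type
    );
}

/** After: literal template, every identifier passed through %i, sort key allow-listed. */
function posts_query_after( DemoWpdb $wpdb, string $post_type, string $orderby ): string {
    if ( ! in_array( $orderby, ALLOWED_ORDERBY, true ) ) {
        $orderby = 'post_date';
    }
    return $wpdb->prepare(
        'SELECT ID FROM %i WHERE post_type = %s ORDER BY %i',
        $wpdb->posts,
        $post_type,
        $orderby
    );
}

$wpdb = new DemoWpdb();

echo posts_query_after( $wpdb, 'page', 'post_title' ), PHP_EOL;
// SELECT ID FROM `wp_posts` WHERE post_type = 'page' ORDER BY `post_title`

// Constructed hostile sort key. In the "before" form it is spliced into the SQL
// as-is; through %i it is just an odd column name that MySQL will not find.
$hostile = 'post_title` DESC, (SELECT 1) -- ';
echo posts_query_before( $wpdb, 'page', $hostile ), PHP_EOL;
echo demo_quote_identifier( $hostile ), PHP_EOL;
// `post_title`` DESC, (SELECT 1) -- `
```

Two points worth keeping in mind when converting core queries the way the ticket proposes. First, `%i` only guarantees that an argument is treated as one identifier; whether that identifier is a column the caller should be allowed to name is still an application decision, hence the allow-list in `posts_query_after()`. Second, the conversion changes the rendered SQL from `wp_posts` to `` `wp_posts` ``, so any test that compares generated query strings byte for byte will need its expectations updated, which is one reason the ticket asks for the changes to be checked carefully.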