wpdb->prepare() is broken
|Reported by:||hakre||Owned by:||ryan|
|Severity:||critical||Keywords:||has-patch tested dev-feedback featured|
|Cc:||sirzooro, Denis-de-Bernardy, westi|
the wpdb->prepare() statement plays an utterly important role in database access. This function is not properly implemented. To name it correctly, this function is more or less a wrapper for sprintf / vsprintf which adds some fuzz in the proxy.
Tickets like #11318 pointed to structural problems. Eventhough tricky devs like DD32 can do it working for them it's a plain oversight that data gets manipulated by that function that might render safe queries unsafe and therefore actually opens the gate for sql injections instead of closing them.
Example: CONST = 'percentage stupid or %stupid is the question'
even following the rules to act vsprintf / sprintf (like documented in code) will run you into problems:
Example: CONST = 'percentage stupid or %%stupid is the question'
Please stop this madness and create a ->prepare function that works solidly.
Change History (86)
- Component changed from Security to Database
- Milestone changed from 2.9.1 to Future Release
- Priority changed from high to normal
- Severity changed from critical to normal
- Type changed from defect (bug) to feature request
comment:14 dd32 — 4 years ago
- Milestone changed from Future Release to 3.0
- Type changed from feature request to defect (bug)
comment:47 follow-up: ↓ 52 westi — 4 years ago
- Cc westi added
- Keywords reporter-feedback added; has-patch dev-feedback removed
comment:52 in reply to: ↑ 47 hakre — 4 years ago
- Keywords has-patch added; reporter-feedback removed