﻿id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
11608,wpdb->prepare() is broken,hakre,ryan,"the wpdb->prepare() statement plays an utterly important role in database access. This function is not properly implemented. To name it correctly, this function is more or less a wrapper for sprintf / vsprintf which adds some fuzz in the proxy.

Tickets like #11318 pointed to structural problems. Even though tricky devs like DD32 can get it working for them, it's a plain oversight that data gets manipulated by that function, which might render safe queries unsafe and therefore actually opens the gate for SQL injections instead of closing them.

Example: {{{CONST = 'percentage stupid or %stupid is the question'}}}

even following the rules to act like vsprintf / sprintf (as documented in the code) will run you into problems:

Example: {{{CONST = 'percentage stupid or %%stupid is the question'}}}

Please stop this madness and create a ->prepare function that works solidly.",defect (bug),closed,normal,3.0,Database,2.9,critical,fixed,has-patch tested dev-feedback featured,sirzooro Denis-de-Bernardy westi
