Possible invalid uses of wpdb::prepare()
Reported by: xknown
Owned by: nacin
One common error I see with wpdb::prepare() is that many developers tend to use it by passing only a SQL query, which may produce bugs due to the implementation of this method.
As you know, wpdb::prepare() does, generally speaking, a string replacement of the placeholders (%s, %d, etc.) by using sprintf/vsprintf behind the scenes. So, if one passes a SQL query with placeholders and no other parameters, then this method returns a blank string. For example:
$query = $wpdb->prepare( 'select * from table where column = %s', $user_input );
// The second prepare() call receives only the already-prepared query and no values for its placeholders.
$result_set = $wpdb->get_results( $wpdb->prepare( $query ) );
If $user_input contains a placeholder (e.g. "hola%s mundo"), the query will not be executed.
I used a simple static code analyzer to detect these calls in core and found two instances.
We should call _doing_it_wrong() if wpdb::prepare() receives only one parameter.
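The following is an added example, not code from the ticket or from WordPress core: a stripped-down, hypothetical model of the vsprintf-based placeholder handling (named model_prepare(), with addslashes() standing in for the database driver's escaping function) that reproduces the double-prepare failure described above and includes the kind of warning the ticket proposes for a call that passes only the query.

```php
<?php
// Added example, not WordPress core code. model_prepare() and escape_value()
// are hypothetical names; they model the placeholder handling of
// wpdb::prepare() closely enough to show why prepare($query) with no values
// destroys a query whose data happens to contain a '%'.

// Escape one value in place. The real wpdb uses the driver's escaping
// function; addslashes() is a portable stand-in for this demo only.
function escape_value(&$value) {
    $value = addslashes((string) $value);
}

// Model of the vsprintf-based approach: every %s is wrapped in single
// quotes, the values are escaped, then vsprintf() fills the placeholders.
// With fewer values than placeholders, vsprintf() returns false (PHP 7)
// or throws ArgumentCountError (PHP 8); both cases end up as '' here,
// which is the "blank string" the ticket reports.
function model_prepare($query, ...$args) {
    if (count($args) === 0) {
        // The check the ticket asks for: a query with no values is almost
        // always a bug (WordPress core uses _doing_it_wrong() for this).
        trigger_error('model_prepare() called with a query but no values', E_USER_WARNING);
    }
    // Values may also be passed as a single array, as with vsprintf().
    if (isset($args[0]) && is_array($args[0])) {
        $args = $args[0];
    }
    $query = str_replace("'%s'", '%s', $query);                // undo a quoted '%s'
    $query = str_replace('"%s"', '%s', $query);                // undo a quoted "%s"
    $query = preg_replace('|(?<!%)%s|', "'%s'", $query);       // quote every %s (not %%s)
    array_walk($args, 'escape_value');
    try {
        $result = @vsprintf($query, $args);
    } catch (ArgumentCountError $e) {                          // PHP 8: too few values throws
        $result = false;
    }
    return $result === false ? '' : $result;
}

// Constructed sample input containing a placeholder-looking sequence.
$user_input = "hola%s mundo";

// Correct usage: one prepare() call, with the value passed as an argument.
$good = model_prepare('SELECT * FROM wp_table WHERE col = %s', $user_input);
// $good is: SELECT * FROM wp_table WHERE col = 'hola%s mundo'

// The anti-pattern from the ticket: the already-prepared query goes through
// prepare() a second time with no values. The %s that came from user input is
// now treated as a placeholder with nothing to fill it, so the result is ''.
$bad = model_prepare($good);

var_dump($good);  // string(48) "SELECT * FROM wp_table WHERE col = 'hola%s mundo'"
var_dump($bad);   // string(0) "" (after the E_USER_WARNING from the guard)
```

Running it shows the two failure modes side by side: the second call emits the warning because no values were supplied, and its return value is an empty string because a placeholder that originated in user data was left unfilled. The guard fires on the argument count alone, so it catches the mistake even when the user input contains no '%' and the query would otherwise have silently worked.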
Change History (10)
- Component changed from General to Database
- Milestone changed from Awaiting Review to 3.5
- Owner set to nacin
- Resolution set to fixed
- Status changed from new to closed