Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
|Reported by:||markjaquith||Owned by:||markjaquith|
|Severity:||normal||Keywords:||sql prepared statement sprintf injection security early|
See: #4545 comments for background.
We can also make a prepared statement-like/printf-like method of wpdb, which can handle escaping internally and get rid of the few lines, before every query, spent in escaping.
$result = $wpdb->get_results( $wpdb->prepare("SELECT something FROM $wpdb->tablename WHERE foo = '%s' LIMIT %d", $unslashed_value, $unslashed_uninted_limit) );
- Works well with last-second escaping of data as proposed in #4545
- Backwards compatible
- Makes for VERY obvious escaping -- helps us find SQL injection holes
- Reduces a lot of $wpdb->escape(); lines
- Allows original unescaped data used in query to remain unescaped in the function. No need to have $var and $var_sql floating around. Unescaped data is more usable.
Change History (23)
comment:1 markjaquith — 6 years ago
- Owner changed from anonymous to markjaquith
- Status changed from new to assigned
comment:15 ryan — 6 years ago
- Milestone changed from 2.3 to 2.4
- Priority changed from normal to high