id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
4553,Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping,markjaquith,markjaquith,"See: #4545 comments for background.

nbachiyski:

----

We can also make a prepared statement-like/printf-like method of wpdb, which can handle escaping internally and get rid of the few lines, before every query, spent in escaping.

----
 
Example:

{{{
$result = $wpdb->get_results(
	$wpdb->prepare(""SELECT something FROM $wpdb->tablename WHERE foo = '%s' LIMIT %d"", $unslashed_value, $unslashed_uninted_limit)
);
}}}

Benefits:

 * Works well with last-second escaping of data as proposed in #4545
 * Backwards compatible
 * Makes for VERY obvious escaping -- helps us find SQL injection holes
 * Reduces a lot of $wpdb->escape(); lines
 * Allows original unescaped data used in query to remain unescaped in the function.  No need to have {{{$var}}} and {{{$var_sql}}} floating around.  Unescaped data is more usable.",task (blessed),closed,high,2.5,Security,2.3,normal,fixed,sql prepared statement sprintf injection security early,
