﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
4553	Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping	markjaquith	markjaquith	"See: #4545 comments for background.

nbachiyski:

----

We can also make a prepared statement-like/printf-like method of wpdb, which can handle escaping internally and get rid of the few lines, before every query, spent in escaping.

----
 
Example:

{{{
$result = $wpdb->get_results(
	$wpdb->prepare(""SELECT something FROM $wpdb->tablename WHERE foo = '%s' LIMIT %d"", $unslashed_value, $unslashed_uninted_limit)
);
}}}

Benefits:

 * Works well with last-second escaping of data as proposed in #4545
 * Backwards compatible
 * Makes for VERY obvious escaping -- helps us find SQL injection holes
 * Reduces a lot of $wpdb->escape(); lines
 * Allows original unescaped data used in query to remain unescaped in the function.  No need to have {{{$var}}} and {{{$var_sql}}} floating around.  Unescaped data is more usable."	task (blessed)	closed	high	2.5	Security	2.3	normal	fixed	sql prepared statement sprintf injection security early	
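A minimal sprintf-like prepare() in the style sketched in the ticket, added here as an illustration and not WordPress's wpdb code; it supports only %s (escaped string) and %d (integer), and uses addslashes as a stand-in for the database driver's escaper so it runs without a connection.

```php
<?php
// Added example (not wpdb code). Function names here are hypothetical.

// Stand-in for the driver's escaper: mysqli::real_escape_string needs a live
// connection, so addslashes is used so the example runs offline.
function db_escape_string($value) {
    return addslashes((string) $value);
}

// Replaces each %s with the escaped string argument and each %d with the
// argument cast to int. The caller writes the quotes around '%s' in the
// query, exactly as in the ticket's example.
function prepare($query, ...$args) {
    $i = 0;
    $out = preg_replace_callback('/%[sd]/', function ($m) use (&$i, $args) {
        if (!array_key_exists($i, $args)) {
            throw new InvalidArgumentException("Missing argument for placeholder {$m[0]}");
        }
        $arg = $args[$i++];
        // %d never reaches the SQL as anything but digits; %s is escaped.
        return $m[0] === '%d' ? (string) (int) $arg : db_escape_string($arg);
    }, $query);
    if ($i !== count($args)) {
        // Catches a query with fewer placeholders than arguments, which would
        // otherwise silently drop data the caller expected to be bound.
        throw new InvalidArgumentException('Placeholder/argument count mismatch');
    }
    return $out;
}

$table = 'wp_posts';   // constructed table name
$title = "O'Reilly";   // constructed unslashed input containing a quote
$limit = '10abc';      // constructed non-numeric limit; %d reduces it to 10

echo prepare("SELECT ID FROM $table WHERE post_title = '%s' LIMIT %d", $title, $limit), "\n";
```

The unslashed values are passed straight in and escaped only at the point the query string is built, which is the last-second escaping the ticket argues for.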
