535 | | * This function only supports a small subset of the sprintf syntax; it only supports %d (decimal number), %s (string). |
536 | | * Does not support sign, padding, alignment, width or precision specifiers. |
537 | | * Does not support argument numbering/swapping. |
| 535 | * Mimicks a prepare of a SQL query for safer execution. |
| 536 | * |
| 537 | * The following directives can be used in the query format string: |
| 538 | * |
| 539 | * %d (decimal number) |
| 540 | * %s (string) |
| 541 | * %% (literal percentage sign - no argument needed) |
550 | | * @param string $query Query statement with sprintf()-like placeholders |
551 | | * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called like {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}. |
552 | | * @param mixed $args,... further variables to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}. |
553 | | * @return null|string Sanitized query string |
| 568 | * @param string $query (optional) Query statement with wpdb->prepare directives (%%, %d, $s) |
| 569 | * @param array|mixed $args (optional) array or actual value to be used for directives like in {@link http://php.net/vsprintf vsprintf()}, or {@link http://php.net/sprintf sprintf()}. |
| 570 | * @param mixed $args,... further values to be used. |
| 571 | * @return false|string Processed query with values applied according the directives |
557 | | return; |
558 | | $args = func_get_args(); |
559 | | array_shift($args); |
560 | | // If args were passed as an array (as in vsprintf), move them up |
561 | | if ( isset($args[0]) && is_array($args[0]) ) |
562 | | $args = $args[0]; |
563 | | $query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already singlequoted it |
564 | | $query = str_replace('"%s"', '%s', $query); // doublequote unquoting |
565 | | $query = str_replace('%s', "'%s'", $query); // quote the strings |
566 | | array_walk($args, array(&$this, 'escape_by_ref')); |
567 | | return @vsprintf($query, $args); |
| 576 | return false; |
| 577 | |
| 578 | if ( false === ( $query_quoted = $this->_prepare_quote_lits($query, $check = true) ) ) { |
| 579 | $this->last_query = null; |
| 580 | $this->print_error( sprintf( /*WP_I18N_DB_PREPARE_ERROR*/" \$db->prepare(string query, *args) -- Prepare '%s' is not syntactically correct."/*/WP_I18N_DB_PREPARE_ERROR*/, $query ) ); |
| 581 | return false; |
| 582 | } else { |
| 583 | $query_quoted = str_replace( array( "''%s''", "\"'%'\"" ), "'%s'", $query_quoted ); # in case someone mistakenly already single/double quoted it |
| 584 | |
| 585 | $args = func_get_args(); |
| 586 | array_shift($args); |
| 587 | // re-assign args passed as array like in vsprintf |
| 588 | if ( isset( $args[0] ) && is_array( $args[0] ) ) |
| 589 | $args = $args[0]; |
| 590 | array_walk( $args, array( &$this, 'escape_by_ref' ) ); |
| 591 | |
| 592 | return @vsprintf( $query_quoted, $args ); |
| 593 | } // else/if |
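Review bot: The pattern returned by `_prepare_quote_lits()` and handed to `vsprintf()` on the last line of this branch can still contain an unquoted `%s`: the helper computes `$m = strlen( $query )` once, but every `'%s'` substitution grows the string by two characters, so a `%s` sitting in the final characters of the format (the common `WHERE col = %s` tail) is never reached, and in strict mode an illegal directive there is not rejected either. A string argument then lands in the SQL without the surrounding quotes that `escape_by_ref()` relies on, which is exactly the hole prepare() exists to close; adding `$m += 2;` right after the substitution line in the helper (or recomputing `$m = strlen( $query );` there) fixes it. Separately, the second needle in the `str_replace()` on the `$query_quoted` line, `"\"'%'\""`, is missing the `s` and can never match the double-quoted placeholder the helper has just turned into `"'%s'"`; it should read `"\"'%s'\""`. The docblock above also lists the directives as `(%%, %d, $s)` where `%s` is meant. The helper itself is defined in the following hunk, outside this one.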
| 597 | * helper function for prepare() |
| 598 | * |
| 599 | * will quote %s tokens with single quotes |
| 600 | * allowed tokens are: %%, %d and %s |
| 601 | * |
| 602 | * can do strict parsing and return false if the query is |
| 603 | * not valid. |
| 604 | * |
| 605 | * @access private |
| 606 | * @param string $query wpdb prepare-pattern that needs to be single-quoted to %s |
| 607 | * @param bool $strict (optional) wether or not do strict parsing of the query |
| 608 | * @return string pattern with single quotes added around %s literals |
| 609 | * @return bool false on syntax error if $strict param is true |
| 610 | */ |
| 611 | function _prepare_quote_lits( $query, $strict = false ) { |
| 612 | $query = (string) $query; |
| 613 | $m = strlen( $query ); |
| 614 | for ( $i = 0; $i < $m; $i++) { |
| 615 | if ( '%' == $query[$i] ) { |
| 616 | $c = ( ++$i < $m ) ? $query[$i] : '' ; |
| 617 | switch ( $c ) { |
| 618 | case 's': |
| 619 | $query = substr( $query, 0, $i-1 ) . "'%s'" . substr( $query, ++$i ); |
| 620 | $i++; |
| 621 | case '%': |
| 622 | case 'd': |
| 623 | break; |
| 624 | default: # illegal pattern |
| 625 | if ( $strict ) return false; |
| 626 | } |
| 627 | } |
| 628 | } |
| 629 | return $query; |
| 630 | } |
| 631 | |
| 632 | /** |