

Ticket #11608: 11608.2.diff

File 11608.2.diff, 1.7 KB (added by miqrogroove, 8 years ago)

Fix phpdoc. prepare() can never be called statically because dbh would have no value. Add %-encoding explanation.

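--- a/wp-db.php
+++ b/wp-db.php
@@ -533,6 +533,8 @@
 	 * Prepares a SQL query for safe execution.  Uses sprintf()-like syntax.
 	 *
 	 * This function only supports a small subset of the sprintf syntax; it only supports %d (decimal number), %s (string).
+	 * All % characters inside $query string literals, including LIKE wildcards, must be double %-escaped as %%.
+	 *
 	 * Does not support sign, padding, alignment, width or precision specifiers.
 	 * Does not support argument numbering/swapping.
 	 *
@@ -541,9 +543,12 @@
 	 * Both %d and %s should be left unquoted in the query string.
 	 *
 	 * <code>
-	 * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 )
+	 * $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 );
+	 * $wpdb->prepare( "UPDATE $wpdb->posts SET guid = '100%% Satisfied' WHERE ID = %s", $stringin );
 	 * </code>
 	 *
+	 * Care must be taken not to allow direct user input to the second param, which enables array manipulation.
+	 *
 	 * @link http://php.net/sprintf Description of syntax.
 	 * @since 2.3.0
 	 *
@@ -562,7 +567,7 @@
 			$args = $args[0];
 		$query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already singlequoted it
 		$query = str_replace('"%s"', '%s', $query); // doublequote unquoting
-		$query = str_replace('%s', "'%s'", $query); // quote the strings
+		$query = preg_replace('|(?<!%)%s|', "'%s'", $query); //quote the strings, Avoiding escaped strings
 		array_walk($args, array(&$this, 'escape_by_ref'));
 		return @vsprintf($query, $args);
 	}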
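Review bot: The single-character lookbehind in the new `preg_replace('|(?<!%)%s|', "'%s'", $query)` leaves a real placeholder unquoted whenever it directly follows an escaped percent, e.g. `%%%s` (which vsprintf renders as a literal `%` followed by a `%s` placeholder), so the string argument is interpolated into the SQL without surrounding quotes — exactly the input the docblock added in this same diff tells callers to write. Counting the preceding percent signs fixes it: `$query = preg_replace('/(?<!%)((?:%%)*)%s/', "$1'%s'", $query);` quotes `%s` only when an even number of `%` precede it, so `%%s` stays a literal and `%%%s` becomes `%%'%s'`. Separately, the `@` on the unchanged `vsprintf` line suppresses the argument-count warning, which on the PHP versions of this era presumably turns a malformed call into a silent `false` return rather than a visible failure. The enclosing `prepare()` method begins outside the hunk.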