WordPress.org

Make WordPress Core

Ticket #11608: 11608.2.diff

File 11608.2.diff, 1.7 KB (added by miqrogroove, 5 years ago)

Fix phpdoc. prepare() can never be called statically because dbh would have no value. Add %-encoding explanation.

  • wp-db.php

     
    533533         * Prepares a SQL query for safe execution.  Uses sprintf()-like syntax. 
    534534         * 
    535535         * This function only supports a small subset of the sprintf syntax; it only supports %d (decimal number), %s (string). 
     536         * All % characters inside $query string literals, including LIKE wildcards, must be double %-escaped as %%. 
     537         * 
    536538         * Does not support sign, padding, alignment, width or precision specifiers. 
    537539         * Does not support argument numbering/swapping. 
    538540         * 
     
    541543         * Both %d and %s should be left unquoted in the query string. 
    542544         * 
    543545         * <code> 
    544          * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 ) 
     546         * $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 ); 
     547         * $wpdb->prepare( "UPDATE $wpdb->posts SET guid = '100%% Satisfied' WHERE ID = %s", $stringin ); 
    545548         * </code> 
    546549         * 
     550         * Care must be taken not to allow direct user input to the second param, which enables array manipulation. 
     551         * 
    547552         * @link http://php.net/sprintf Description of syntax. 
    548553         * @since 2.3.0 
    549554         * 
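Review bot: the warning at 550 ("which enables array manipulation") does not say what the risk is. The cause is visible in the last hunk (`$args = $args[0];`): when the sole second parameter is an array it is unpacked as the whole argument list, so user input that arrives as an array changes how many placeholders get filled and with what. Suggest: "If the only argument after $query is an array, it is used as the full argument list, so never pass user input directly as that argument." Separately, the new example at 547 binds an integer column (ID) with %s; %d is the placeholder the same docblock recommends for numeric fields (`field = %d` at 546), so use `WHERE ID = %d` with an integer argument rather than `$stringin`, which otherwise suggests that string binding of IDs is the intended usage.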
     
    562567                        $args = $args[0]; 
    563568                $query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already singlequoted it 
    564569                $query = str_replace('"%s"', '%s', $query); // doublequote unquoting 
    565                 $query = str_replace('%s', "'%s'", $query); // quote the strings 
     570                $query = preg_replace('|(?<!%)%s|', "'%s'", $query); //quote the strings, Avoiding escaped strings 
    566571                array_walk($args, array(&$this, 'escape_by_ref')); 
    567572                return @vsprintf($query, $args); 
    568573        }
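Review bot: the negative lookbehind in `preg_replace('|(?<!%)%s|', "'%s'", $query)` at 570 cannot tell an escaped "%s" (`%%s`) apart from an escaped percent followed by a real placeholder (`%%%s`): in both cases the character before `%s` is `%`, so for `%%%s` the placeholder is left unquoted and vsprintf() then emits the escaped value without surrounding quotes. Since the same patch documents `%%` as the way to write a literal %, the regex should consume an even number of preceding % characters and re-emit them, e.g. `preg_replace('/(?<!%)((?:%%)*)%s/', '$1\'%s\'', $query)`, which turns `%s` into `'%s'`, leaves `%%s` alone, and turns `%%%s` into `%%'%s'`. Note also that `@vsprintf()` at 572 still silences the argument-count mismatch that a wrongly counted `%%` would otherwise surface.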