Ticket #11608: 11608.2.diff

wp-db.php

@@ -533 +533 @@
          * Prepares a SQL query for safe execution.  Uses sprintf()-like syntax.
          *
          * This function only supports a small subset of the sprintf syntax; it only supports %d (decimal number), %s (string).
+         * All % characters inside $query string literals, including LIKE wildcards, must be double %-escaped as %%.
+         *
          * Does not support sign, padding, alignment, width or precision specifiers.
          * Does not support argument numbering/swapping.
          *
@@ -541 +543 @@
          * Both %d and %s should be left unquoted in the query string.
          *
          * <code>
-         * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 )
+         * $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 );
+         * $wpdb->prepare( "UPDATE $wpdb->posts SET guid = '100%% Satisfied' WHERE ID = %s", $stringin );
          * </code>
          *
+         * Care must be taken not to allow direct user input to the second param, which enables array manipulation.
+         *
          * @link http://php.net/sprintf Description of syntax.
          * @since 2.3.0
          *
@@ -562 +567 @@
                         $args = $args[0];
                 $query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already singlequoted it
                 $query = str_replace('"%s"', '%s', $query); // doublequote unquoting
-                $query = str_replace('%s', "'%s'", $query); // quote the strings
+                $query = preg_replace('|(?<!%)%s|', "'%s'", $query); //quote the strings, Avoiding escaped strings
                 array_walk($args, array(&$this, 'escape_by_ref'));
                 return @vsprintf($query, $args);
         }