Ticket #11608: 11608.3.patch

wp-includes/wp-db.php

@@ -530 +530 @@
         }
 
         /**
-         * Prepares a SQL query for safe execution.  Uses sprintf()-like syntax.
+         * Mimicks a prepare of a SQL query for execution.  
+         * 
+         * The following placeholders can be used for values:
+         * 
+         *   %d (decimal number)
+         *   %s (string)
+         *   %% (%)
+         *   
+         * Both %d and %s should be left unquoted in the query string.
          *
+         * <code>
+         * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 )
+         * </code>
+         * 
+         * NOTE: This has nothing to do with prepared statements your database might support.
+         *  
+         * More technical information:
+         * 
+         * Uses sprintf()-like syntax.
+         *
          * This function only supports a small subset of the sprintf syntax; it only supports %d (decimal number), %s (string).
          * Does not support sign, padding, alignment, width or precision specifiers.
          * Does not support argument numbering/swapping.
          *
          * May be called like {@link http://php.net/sprintf sprintf()} or like {@link http://php.net/vsprintf vsprintf()}.
          *
-         * Both %d and %s should be left unquoted in the query string.
-         *
-         * <code>
-         * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 )
-         * </code>
-         *
          * @link http://php.net/sprintf Description of syntax.
          * @since 2.3.0
          *
-         * @param string $query Query statement with sprintf()-like placeholders
-         * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called like {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
-         * @param mixed $args,... further variables to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
+         * @param string $query Query statement with wpdb->prepare placeholders
+         * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called compareable to {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
+         * @param mixed $args,... further variables to substitute.
          * @return null|string Sanitized query string
          */
         function prepare($query = null) { // ( $query, *$args )
@@ -560 +572 @@
                 // If args were passed as an array (as in vsprintf), move them up
                 if ( isset($args[0]) && is_array($args[0]) )
                         $args = $args[0];
-                $query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already singlequoted it
-                $query = str_replace('"%s"', '%s', $query); // doublequote unquoting
-                $query = str_replace('%s', "'%s'", $query); // quote the strings
+
+                $query = $this->_prepare_quote_lits($query); //quote %s in query-pattern                                
+                $query = str_replace( array( "''%s''", "\"'%'\"" ), "'%s'", $query ); // in case someone mistakenly already single/double quoted it
+
                 array_walk($args, array(&$this, 'escape_by_ref'));
                 return @vsprintf($query, $args);
         }
 
         /**
+         * helper function for prepare()
+         * 
+         * will quote %s tokens with single quotes
+         * allowed tokens are: %%, %d and %s
+         * 
+         * can do strict parsing and return false if the query is  
+         * not valid.
+         * 
+         * @access private
+         * @param  string $query  wpdb prepare-pattern that needs to be single-quoted to %s
+         * @param  bool   $strict (optional) wether or not do strict parsing of the query 
+         * @return string pattern with single quotes added around %s literals
+         * @return bool   false on syntax error if $strict param is true
+         */
+        function _prepare_quote_lits( $query, $strict = false ) {
+                $query = (string) $query;                               
+                $m = strlen( $query );          
+                for ( $i = -1; $c = $query[++$i], $i < $m; ) {
+                        if ( '%' == $c ) {                              
+                                switch ( $query[$i+1] ) {
+                                        case 's':
+                                                $query = substr( $query, 0, $i) . "'%s'" . substr( $query, $i+=2 );
+                                        case '%':
+                                        case 'd':
+                                                $i++;
+                                                break;
+                                        default: # illegal pattern
+                                                if ( $strict ) return false;
+                                }
+                        }
+                }
+                return $query;
+        }
+
+        /**
          * Print SQL/DB error.
          *
          * @since 0.71