
Ticket #31624: named-placeholders-prepare.diff

File named-placeholders-prepare.diff, 1.8 KB (added by ozthegreat, 10 years ago)

->prepare() named placeholders

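--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -1202,7 +1202,7 @@ class wpdb {
                         return;
 
                 // This is not meant to be foolproof -- but it will catch obviously incorrect usage.
-                if ( strpos( $query, '%' ) === false ) {
+                if ( strpos( $query, '%' ) === false && strpos( $query, ':' ) === false ) {
                         _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'The query argument of %s must have a placeholder.' ), 'wpdb::prepare()' ), '3.9' );
                 }
 
@@ -1211,11 +1211,28 @@ class wpdb {
                 // If args were passed as an array (as in vsprintf), move them up
                 if ( isset( $args[0] ) && is_array($args[0]) )
                         $args = $args[0];
+
+                array_walk( $args, array( $this, 'escape_by_ref' ) );
+
+                // If args were passed as associative array then they're named params
+                if ( array_values($args) !== $args ) {
+                        foreach ( $args as $key => $value ) {
+                                // Make sure all $keys have ':' preceding them
+                                $new_key = ':' . ltrim( $key, ':' );
+                                unset( $args[$key] );
+                                $args[ $new_key ] = $value;
+                                // In case someone mistakenly already singlequoted/doublequoted it
+                                $query = str_replace( array( "'$new_key'", '"' . $new_key . '"') , $new_key, $query );
+                        }
+                        return strtr( $query, $args );
+                }
+
+                // Else it's in traditional vsprintf format
                 $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
                 $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
                 $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
                 $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
-                array_walk( $args, array( $this, 'escape_by_ref' ) );
+
                 return @vsprintf( $query, $args );
         }
 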
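Review bot: The named-placeholder branch substitutes escaped values into the query without quoting them, which leaves it open to SQL injection: nothing in the hunk adds surrounding quotes after `escape_by_ref`, the `str_replace` inside the `foreach` strips any quotes the caller wrote around `:name`, and `strtr( $query, $args )` then splices in the bare value, so `WHERE name = :name` with a value of `x OR 1=1` becomes `WHERE name = x OR 1=1` — escaping quote and backslash characters does nothing for a value that is not inside a string literal. The vsprintf path below avoids exactly this by rewriting every `%s` to `'%s'`; the named branch needs the same treatment, e.g. `$args[ $new_key ] = "'" . $value . "'";` in place of the bare assignment (MySQL coerces quoted numerics in comparisons, so integer values still work, though a typed syntax such as `:name` vs `:id|d` would be cleaner). A lesser point in the first hunk is that the new `strpos( $query, ':' )` test means any colon in the query — a time literal like `'12:30'` or a `::` in a string — now silences the missing-placeholder warning; a pattern such as `preg_match( '/:[A-Za-z_]/', $query )` would be tighter. prepare() begins before the first hunk, so the early-return guard on `$args` is not visible here.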