Make WordPress Core

Changeset 41471


Ignore:
Timestamp:
09/19/2017 02:54:03 PM (7 years ago)
Author:
aaroncampbell
Message:

Database: Hardening for wpdb::prepare()

Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 4.8 branch.

Location:
branches/4.8
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • branches/4.8

  • branches/4.8/src/wp-includes/wp-db.php

    r39323 r41471  
    13001300        $args = func_get_args();
    13011301        array_shift( $args );
     1302
    13021303        // If args were passed as an array (as in vsprintf), move them up
    1303         if ( isset( $args[0] ) && is_array($args[0]) )
     1304        if ( is_array( $args[0] ) && count( $args ) == 1 ) {
    13041305            $args = $args[0];
     1306        }
     1307
     1308        foreach ( $args as $arg ) {
     1309            if ( ! is_scalar( $arg ) ) {
     1310                _doing_it_wrong( 'wpdb::prepare', sprintf( 'Unsupported value type (%s).', gettype( $arg ) ), '4.8.2' );
     1311            }
     1312        }
     1313
    13051314        $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
    13061315        $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
  • branches/4.8/tests/phpunit/tests/db.php

    r40544 r41471  
    355355    }
    356356
     357    function test_prepare_sprintf() {
     358        global $wpdb;
     359
     360        $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 1, "admin" );
     361        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
     362    }
     363
     364    /**
     365     * @expectedIncorrectUsage wpdb::prepare
     366     */
     367    function test_prepare_sprintf_invalid_args() {
     368        global $wpdb;
     369
     370        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 1, array( "admin" ) );
     371        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = ''", $prepared );
     372
     373        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1 ), "admin" );
     374        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
     375    }
     376
     377        function test_prepare_vsprintf() {
     378                global $wpdb;
     379
     380        $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ) );
     381        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
     382    }
     383
     384    /**
     385     * @expectedIncorrectUsage wpdb::prepare
     386     */
     387    function test_prepare_vsprintf_invalid_args() {
     388        global $wpdb;
     389
     390        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, array( "admin" ) ) );
     391        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = ''", $prepared );
     392
     393        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( array( 1 ), "admin" ) );
     394        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
     395        }
     396
    357397    function test_db_version() {
    358398        global $wpdb;
Note: See TracChangeset for help on using the changeset viewer.