09/19/2017 03:01:22 PM (7 years ago)
Author:
aaroncampbell
Message:

Database: Hardening for wpdb::prepare()

Previously, if you passed an array of values for the placeholders, additional values could be passed alongside it as well. Now those additional values are ignored.

Merges [41470] to 4.2 branch.

Location:
branches/4.2
Files:
2 edited

  • branches/4.2

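--- a/branches/4.2/tests/phpunit/tests/db.php
+++ b/branches/4.2/tests/phpunit/tests/db.php
@@ -354,4 +354,44 @@
     }
 
+    function test_prepare_sprintf() {
+        global $wpdb;
+
+        $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 1, "admin" );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
+    }
+
+    /**
+     * @expectedIncorrectUsage wpdb::prepare
+     */
+    function test_prepare_sprintf_invalid_args() {
+        global $wpdb;
+
+        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 1, array( "admin" ) );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = ''", $prepared );
+
+        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1 ), "admin" );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
+    }
+
+        function test_prepare_vsprintf() {
+                global $wpdb;
+
+        $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ) );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
+    }
+
+    /**
+     * @expectedIncorrectUsage wpdb::prepare
+     */
+    function test_prepare_vsprintf_invalid_args() {
+        global $wpdb;
+
+        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, array( "admin" ) ) );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = ''", $prepared );
+
+        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( array( 1 ), "admin" ) );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
+        }
+
     function test_db_version() {
         global $wpdb;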
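Review bot: None of the four added tests exercises the case the commit message describes — an array of values followed by additional scalar arguments — so the "additional values are ignored" hardening in wpdb::prepare is not pinned by this test file, and a regression that let a trailing scalar be consumed as a placeholder value would go unnoticed. A test along the lines of `$prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ), "extra" );` followed by `$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );` would cover it, assuming the second edited file (not shown here) is the wpdb source that implements the ignore. The new test_prepare_vsprintf signature, its `global $wpdb;` line and the closing brace of test_prepare_vsprintf_invalid_args are indented differently from the neighbouring methods, which looks like a tab/space mix worth normalising. The enclosing test class starts before this section and test_db_version continues past it.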