Timestamp:
09/19/2017 03:02:57 PM (7 years ago)
Author:
aaroncampbell
Message:

Database: Hardening for wpdb::prepare()

Previously, if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 3.9 branch.

Location:
branches/3.9
Files:
2 edited


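--- a/branches/3.9/tests/phpunit/tests/db.php
+++ b/branches/3.9/tests/phpunit/tests/db.php
@@ -255,4 +255,44 @@
     }
 
+    function test_prepare_sprintf() {
+        global $wpdb;
+
+        $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 1, "admin" );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
+    }
+
+    /**
+     * @expectedIncorrectUsage wpdb::prepare
+     */
+    function test_prepare_sprintf_invalid_args() {
+        global $wpdb;
+
+        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 1, array( "admin" ) );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = ''", $prepared );
+
+        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1 ), "admin" );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
+    }
+
+        function test_prepare_vsprintf() {
+                global $wpdb;
+
+        $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ) );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
+    }
+
+    /**
+     * @expectedIncorrectUsage wpdb::prepare
+     */
+    function test_prepare_vsprintf_invalid_args() {
+        global $wpdb;
+
+        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, array( "admin" ) ) );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = ''", $prepared );
+
+        $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( array( 1 ), "admin" ) );
+        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
+        }
+
     function test_db_version() {
         global $wpdb;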
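Review bot: None of the four new tests exercises the behaviour the commit message describes — extra values supplied after an array of placeholder values — so the hardening merged into wpdb::prepare() (that file is not in this chunk) has no regression assertion here; test_prepare_vsprintf_invalid_args only covers arrays nested inside the argument list, and the enclosing test class begins and ends outside the hunk. A test along the lines of the one below would pin it; whether it needs the `@expectedIncorrectUsage wpdb::prepare` annotation depends on whether the hardened prepare() calls _doing_it_wrong for trailing values, which cannot be confirmed from this changeset. As a point of style, test_prepare_vsprintf and its closing brace (new lines 277–278 and 295) are indented inconsistently with the surrounding methods and should use the same four-space indent as test_prepare_sprintf. The `@` on the invalid-args calls also suppresses every notice prepare() emits for those inputs, not just the one the test presumably expects, which can mask unrelated warnings; if the expected notice is known, asserting it explicitly would be clearer than blanket suppression.
```php
    function test_prepare_vsprintf_ignores_extra_args() {
        global $wpdb;

        // Values passed after the placeholder array must be ignored, per the hardening this changeset merges.
        $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ), "extra" );
        $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
    }
```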