Context Navigation

wp-db.php

Timestamp:

09/19/2017 03:05:16 PM (9 years ago)

Author:

aaroncampbell

Message:

Database: Hardening for wpdb::prepare()

Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored.

Merges [41470] to 3.7 branch.

Location:

branches/3.7

Files:

branches/3.7
- Property svn:mergeinfo changed
  /trunk merged: 41470
branches/3.7/src
- Property svn:mergeinfo changed
  /trunk/src merged: 41470

-                      r33997
+                      r41482
         $args = func_get_args();
         array_shift( $args );
         // If args were passed as an array (as in vsprintf), move them up
         if ( isset( $args[0] ) && is_array($args[0]) )
+        if ( is_array( $args[0] ) && count( $args ) == 1 ) {
             $args = $args[0];
+        }
+        foreach ( $args as $arg ) {
+            if ( ! is_scalar( $arg ) ) {
+                _doing_it_wrong( 'wpdb::prepare', sprintf( 'Unsupported value type (%s).', gettype( $arg ) ), '3.7.22' );
+            }
+        }
         $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
         $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting

Note: See TracChangeset for help on using the changeset viewer.