WordPress.org

Make WordPress Core

Changeset 41508


Ignore:
Timestamp:
09/19/17 18:45:16 (4 weeks ago)
Author:
aaroncampbell
Message:

Database: Hardening to bring wpdb::prepare() inline with documentation.

wpdb::prepare() supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 3.7 branch.

Location:
branches/3.7
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • branches/3.7

  • branches/3.7/src

  • branches/3.7/src/wp-includes/wp-db.php

    r41495 r41508  
    10571057        $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware 
    10581058        $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s 
     1059        $query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query ); // escape any unescaped percents  
    10591060        array_walk( $args, array( $this, 'escape_by_ref' ) ); 
    10601061        return @vsprintf( $query, $args ); 
  • branches/3.7/tests/phpunit/tests/db.php

    r41482 r41508  
    607607        return 'fake_col_charset'; 
    608608    } 
     609 
     610    /** 
     611     * 
     612     */ 
     613    function test_prepare_with_unescaped_percents() { 
     614        global $wpdb; 
     615 
     616        $sql = $wpdb->prepare( '%d %1$d %%% %', 1 ); 
     617        $this->assertEquals( '1 %1$d %% %', $sql ); 
     618    } 
    609619} 
    610620 
Note: See TracChangeset for help on using the changeset viewer.