WordPress.org

Make WordPress Core

Changeset 41508


Ignore:
Timestamp:
09/19/2017 06:45:16 PM (8 months ago)
Author:
aaroncampbell
Message:

Database: Hardening to bring wpdb::prepare() inline with documentation.

wpdb::prepare() supports %s, %d, and %F as placeholders in the query string. Any other non-escaped % will be escaped.

Merges [41496] to 3.7 branch.

Location:
branches/3.7
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • branches/3.7

  • branches/3.7/src

  • branches/3.7/src/wp-includes/wp-db.php

    r41495 r41508  
    10571057        $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
    10581058        $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
     1059        $query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query ); // escape any unescaped percents
    10591060        array_walk( $args, array( $this, 'escape_by_ref' ) );
    10601061        return @vsprintf( $query, $args );
  • branches/3.7/tests/phpunit/tests/db.php

    r41482 r41508  
    607607        return 'fake_col_charset';
    608608    }
     609
     610    /**
     611     *
     612     */
     613    function test_prepare_with_unescaped_percents() {
     614        global $wpdb;
     615
     616        $sql = $wpdb->prepare( '%d %1$d %%% %', 1 );
     617        $this->assertEquals( '1 %1$d %% %', $sql );
     618    }
    609619}
    610620
Note: See TracChangeset for help on using the changeset viewer.