Changeset 42056
- Timestamp:
- 10/31/2017 11:59:43 AM (7 years ago)
- Location:
- trunk
- Files:
-
- 9 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/src/wp-includes/formatting.php
r41702 r42056 3755 3755 * is preparing an array for use in an IN clause. 3756 3756 * 3757 * NOTE: Since 4.8.3, '%' characters will be replaced with a placeholder string, 3758 * this prevents certain SQLi attacks from taking place. This change in behaviour 3759 * may cause issues for code that expects the return value of esc_sql() to be useable 3760 * for other purposes. 3761 * 3757 3762 * @since 2.8.0 3758 3763 * -
trunk/src/wp-includes/meta.php
r40603 r42056 365 365 366 366 if ( $delete_all ) { 367 $value_clause = '';368 367 if ( '' !== $meta_value && null !== $meta_value && false !== $meta_value ) { 369 $ value_clause = $wpdb->prepare( " AND meta_value = %s", $meta_value);370 } 371 372 $object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s $value_clause", $meta_key ) );368 $object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s AND meta_value = %s", $meta_key, $meta_value ) ); 369 } else { 370 $object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s", $meta_key ) ); 371 } 373 372 } 374 373 -
trunk/src/wp-includes/post.php
r41849 r42056 4318 4318 $page_path = str_replace('%20', ' ', $page_path); 4319 4319 $parts = explode( '/', trim( $page_path, '/' ) ); 4320 $parts = esc_sql( $parts );4321 4320 $parts = array_map( 'sanitize_title_for_query', $parts ); 4322 4323 $in_string = "'" . implode( "','", $parts ) . "'"; 4321 $escaped_parts = esc_sql( $parts ); 4322 4323 $in_string = "'" . implode( "','", $escaped_parts ) . "'"; 4324 4324 4325 4325 if ( is_array( $post_type ) ) { -
trunk/src/wp-includes/wp-db.php
r41828 r42056 1107 1107 if ( $this->dbh ) { 1108 1108 if ( $this->use_mysqli ) { 1109 returnmysqli_real_escape_string( $this->dbh, $string );1109 $escaped = mysqli_real_escape_string( $this->dbh, $string ); 1110 1110 } else { 1111 return mysql_real_escape_string( $string, $this->dbh ); 1112 } 1113 } 1114 1115 $class = get_class( $this ); 1116 if ( function_exists( '__' ) ) { 1117 /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */ 1118 _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' ); 1111 $escaped = mysql_real_escape_string( $string, $this->dbh ); 1112 } 1119 1113 } else { 1120 _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' ); 1121 } 1122 return addslashes( $string ); 1114 $class = get_class( $this ); 1115 if ( function_exists( '__' ) ) { 1116 /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */ 1117 _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' ); 1118 } else { 1119 _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' ); 1120 } 1121 $escaped = addslashes( $string ); 1122 } 1123 1124 return $this->add_placeholder_escape( $escaped ); 1123 1125 } 1124 1126 … … 1202 1204 * All placeholders MUST be left unquoted in the query string. A corresponding argument MUST be passed for each placeholder. 1203 1205 * 1206 * For compatibility with old behavior, numbered or formatted string placeholders (eg, %1$s, %5s) will not have quotes 1207 * added by this function, so should be passed with appropriate quotes around them for your usage. 1208 * 1204 1209 * Literal percentage signs (%) in the query string must be written as %%. Percentage wildcards (for example, 1205 1210 * to use in LIKE syntax) must be passed via a substitution argument containing the complete LIKE string, these 1206 1211 * cannot be inserted directly in the query string. Also see {@see esc_like()}. 1207 1212 * 1208 * This method DOES NOT support sign, padding, alignment, width or precision specifiers. 1209 * This method DOES NOT support argument numbering or swapping. 1210 * 1211 * Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination 1213 * Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination 1212 1214 * of the two is not supported. 1213 1215 * … … 1226 1228 */ 1227 1229 public function prepare( $query, $args ) { 1228 if ( is_null( $query ) ) 1230 if ( is_null( $query ) ) { 1229 1231 return; 1232 } 1230 1233 1231 1234 // This is not meant to be foolproof -- but it will catch obviously incorrect usage. … … 1238 1241 array_shift( $args ); 1239 1242 1240 // If args were passed as an array (as in vsprintf), move them up 1243 // If args were passed as an array (as in vsprintf), move them up. 1244 $passed_as_array = false; 1241 1245 if ( is_array( $args[0] ) && count( $args ) == 1 ) { 1246 $passed_as_array = true; 1242 1247 $args = $args[0]; 1243 1248 } … … 1250 1255 } 1251 1256 1252 $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it 1253 $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting 1254 $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware 1255 $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s 1256 $query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query ); // escape any unescaped percents 1257 1258 // Count the number of valid placeholders in the query 1259 $placeholders = preg_match_all( '/(^|[^%]|(%%)+)%[sdF]/', $query, $matches ); 1260 1261 if ( count ( $args ) !== $placeholders ) { 1262 wp_load_translations_early(); 1263 _doing_it_wrong( 'wpdb::prepare', 1264 /* translators: 1: number of placeholders, 2: number of arguments passed */ 1265 sprintf( __( 'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).' ), 1266 $placeholders, 1267 count( $args ) ), 1268 '4.9.0' 1269 ); 1257 /* 1258 * Specify the formatting allowed in a placeholder. The following are allowed: 1259 * 1260 * - Sign specifier. eg, $+d 1261 * - Numbered placeholders. eg, %1$s 1262 * - Padding specifier, including custom padding characters. eg, %05s, %'#5s 1263 * - Alignment specifier. eg, %05-s 1264 * - Precision specifier. eg, %.2f 1265 */ 1266 $allowed_format = '(?:[1-9][0-9]*[$])?[-+0-9]*(?: |0|\'.)?[-+0-9]*(?:\.[0-9]+)?'; 1267 1268 /* 1269 * If a %s placeholder already has quotes around it, removing the existing quotes and re-inserting them 1270 * ensures the quotes are consistent. 1271 * 1272 * For backwards compatibility, this is only applied to %s, and not to placeholders like %1$s, which are frequently 1273 * used in the middle of longer strings, or as table name placeholders. 1274 */ 1275 $query = str_replace( "'%s'", '%s', $query ); // Strip any existing single quotes. 1276 $query = str_replace( '"%s"', '%s', $query ); // Strip any existing double quotes. 1277 $query = preg_replace( '/(?<!%)%s/', "'%s'", $query ); // Quote the strings, avoiding escaped strings like %%s. 1278 1279 $query = preg_replace( "/(?<!%)(%($allowed_format)?f)/" , '%\\2F', $query ); // Force floats to be locale unaware. 1280 1281 $query = preg_replace( "/%(?:%|$|(?!($allowed_format)?[sdF]))/", '%%\\1', $query ); // Escape any unescaped percents. 1282 1283 // Count the number of valid placeholders in the query. 1284 $placeholders = preg_match_all( "/(^|[^%]|(%%)+)%($allowed_format)?[sdF]/", $query, $matches ); 1285 1286 if ( count( $args ) !== $placeholders ) { 1287 if ( 1 === $placeholders && $passed_as_array ) { 1288 // If the passed query only expected one argument, but the wrong number of arguments were sent as an array, bail. 1289 wp_load_translations_early(); 1290 _doing_it_wrong( 'wpdb::prepare', __( 'The query only expected one placeholder, but an array of multiple placeholders was sent.' ), '4.9.0' ); 1291 1292 return; 1293 } else { 1294 /* 1295 * If we don't have the right number of placeholders, but they were passed as individual arguments, 1296 * or we were expecting multiple arguments in an array, throw a warning. 1297 */ 1298 wp_load_translations_early(); 1299 _doing_it_wrong( 'wpdb::prepare', 1300 /* translators: 1: number of placeholders, 2: number of arguments passed */ 1301 sprintf( __( 'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).' ), 1302 $placeholders, 1303 count( $args ) ), 1304 '4.8.3' 1305 ); 1306 } 1270 1307 } 1271 1308 1272 1309 array_walk( $args, array( $this, 'escape_by_ref' ) ); 1273 return @vsprintf( $query, $args ); 1310 $query = @vsprintf( $query, $args ); 1311 1312 return $this->add_placeholder_escape( $query ); 1274 1313 } 1275 1314 … … 1892 1931 $this->queries[] = array( $query, $this->timer_stop(), $this->get_caller() ); 1893 1932 } 1933 } 1934 1935 /** 1936 * Generates and returns a placeholder escape string for use in queries returned by ::prepare(). 1937 * 1938 * @since 4.8.3 1939 * 1940 * @return string String to escape placeholders. 1941 */ 1942 public function placeholder_escape() { 1943 static $placeholder; 1944 1945 if ( ! $placeholder ) { 1946 // If ext/hash is not present, compat.php's hash_hmac() does not support sha256. 1947 $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; 1948 // Old WP installs may not have AUTH_SALT defined. 1949 $salt = defined( 'AUTH_SALT' ) ? AUTH_SALT : rand(); 1950 1951 $placeholder = '{' . hash_hmac( $algo, uniqid( $salt, true ), $salt ) . '}'; 1952 } 1953 1954 /* 1955 * Add the filter to remove the placeholder escaper. Uses priority 0, so that anything 1956 * else attached to this filter will recieve the query with the placeholder string removed. 1957 */ 1958 if ( ! has_filter( 'query', array( $this, 'remove_placeholder_escape' ) ) ) { 1959 add_filter( 'query', array( $this, 'remove_placeholder_escape' ), 0 ); 1960 } 1961 1962 return $placeholder; 1963 } 1964 1965 /** 1966 * Adds a placeholder escape string, to escape anything that resembles a printf() placeholder. 1967 * 1968 * @since 4.8.3 1969 * 1970 * @param string $query The query to escape. 1971 * @return string The query with the placeholder escape string inserted where necessary. 1972 */ 1973 public function add_placeholder_escape( $query ) { 1974 /* 1975 * To prevent returning anything that even vaguely resembles a placeholder, 1976 * we clobber every % we can find. 1977 */ 1978 return str_replace( '%', $this->placeholder_escape(), $query ); 1979 } 1980 1981 /** 1982 * Removes the placeholder escape strings from a query. 1983 * 1984 * @since 4.8.3 1985 * 1986 * @param string $query The query from which the placeholder will be removed. 1987 * @return string The query with the placeholder removed. 1988 */ 1989 public function remove_placeholder_escape( $query ) { 1990 return str_replace( $this->placeholder_escape(), '%', $query ); 1894 1991 } 1895 1992 … … 2065 2162 2066 2163 $sql = "UPDATE `$table` SET $fields WHERE $conditions"; 2067 2164 2068 2165 $this->check_current_query = false; 2069 2166 return $this->query( $this->prepare( $sql, $values ) ); -
trunk/tests/phpunit/tests/comment/query.php
r41848 r42056 1219 1219 */ 1220 1220 public function test_search_int_0_should_not_be_ignored() { 1221 global $wpdb; 1221 1222 $q = new WP_Comment_Query(); 1222 1223 $q->query( array( 1223 1224 'search' => 0, 1224 1225 ) ); 1225 $this->assertContains( "comment_author LIKE '%0%'", $ q->request);1226 $this->assertContains( "comment_author LIKE '%0%'", $wpdb->remove_placeholder_escape( $q->request ) ); 1226 1227 } 1227 1228 … … 1230 1231 */ 1231 1232 public function test_search_string_0_should_not_be_ignored() { 1233 global $wpdb; 1232 1234 $q = new WP_Comment_Query(); 1233 1235 $q->query( array( 1234 1236 'search' => '0', 1235 1237 ) ); 1236 $this->assertContains( "comment_author LIKE '%0%'", $ q->request);1238 $this->assertContains( "comment_author LIKE '%0%'", $wpdb->remove_placeholder_escape( $q->request ) ); 1237 1239 } 1238 1240 -
trunk/tests/phpunit/tests/date/query.php
r35242 r42056 513 513 */ 514 514 public function test_build_time_query_should_not_discard_hour_0() { 515 global $wpdb; 515 516 $q = new WP_Date_Query( array() ); 516 517 517 518 $found = $q->build_time_query( 'post_date', '=', 0, 10 ); 518 519 519 $this->assertContains( '%H', $ found);520 $this->assertContains( '%H', $wpdb->remove_placeholder_escape( $found ) ); 520 521 } 521 522 … … 613 614 614 615 public function test_build_time_query_hour_minute() { 616 global $wpdb; 615 617 $q = new WP_Date_Query( array() ); 616 618 … … 619 621 // $compare value is floating point - use regex to account for 620 622 // varying precision on different PHP installations 621 $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $ found);623 $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $wpdb->remove_placeholder_escape( $found ) ); 622 624 } 623 625 624 626 public function test_build_time_query_hour_minute_second() { 627 global $wpdb; 625 628 $q = new WP_Date_Query( array() ); 626 629 … … 629 632 // $compare value is floating point - use regex to account for 630 633 // varying precision on different PHP installations 631 $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $ found);634 $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $wpdb->remove_placeholder_escape( $found ) ); 632 635 } 633 636 634 637 public function test_build_time_query_minute_second() { 638 global $wpdb; 635 639 $q = new WP_Date_Query( array() ); 636 640 … … 639 643 // $compare value is floating point - use regex to account for 640 644 // varying precision on different PHP installations 641 $this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $ found);645 $this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $wpdb->remove_placeholder_escape( $found ) ); 642 646 } 643 647 -
trunk/tests/phpunit/tests/db.php
r41820 r42056 271 271 global $wpdb; 272 272 $sql = $wpdb->prepare( "UPDATE test_table SET string_column = '%%f is a float, %%d is an int %d, %%s is a string', field = %s", 3, '4' ); 273 $this->assertContains( $wpdb->placeholder_escape(), $sql ); 274 275 $sql = $wpdb->remove_placeholder_escape( $sql ); 273 276 $this->assertEquals( "UPDATE test_table SET string_column = '%f is a float, %d is an int 3, %s is a string', field = '4'", $sql ); 274 277 } … … 433 436 "SELECT * FROM $wpdb->users WHERE id = %d AND %% AND user_login = %s", 434 437 array( 1, "admin", "extra-arg" ), 435 "SELECT * FROM $wpdb->users WHERE id = 1 AND %AND user_login = 'admin'",438 "SELECT * FROM $wpdb->users WHERE id = 1 AND {$wpdb->placeholder_escape()} AND user_login = 'admin'", 436 439 ), 437 440 array( 438 441 "SELECT * FROM $wpdb->users WHERE id = %%%d AND %F AND %f AND user_login = %s", 439 442 array( 1, 2.3, "4.5", "admin", "extra-arg" ), 440 "SELECT * FROM $wpdb->users WHERE id = %1 AND 2.300000 AND 4.500000 AND user_login = 'admin'",443 "SELECT * FROM $wpdb->users WHERE id = {$wpdb->placeholder_escape()}1 AND 2.300000 AND 4.500000 AND user_login = 'admin'", 441 444 ), 442 445 array( … … 1186 1189 1187 1190 /** 1188 * 1189 */ 1190 function test_prepare_with_unescaped_percents() { 1191 global $wpdb; 1192 1193 $sql = $wpdb->prepare( '%d %1$d %%% %', 1 ); 1194 $this->assertEquals( '1 %1$d %% %', $sql ); 1191 * @dataProvider data_prepare_with_placeholders 1192 */ 1193 function test_prepare_with_placeholders_and_individual_args( $sql, $values, $incorrect_usage, $expected) { 1194 global $wpdb; 1195 1196 if ( $incorrect_usage ) { 1197 $this->setExpectedIncorrectUsage( 'wpdb::prepare' ); 1198 } 1199 1200 if ( ! is_array( $values ) ) { 1201 $values = array( $values ); 1202 } 1203 1204 array_unshift( $values, $sql ); 1205 1206 $sql = call_user_func_array( array( $wpdb, 'prepare' ), $values ); 1207 $this->assertEquals( $expected, $sql ); 1208 } 1209 1210 /** 1211 * @dataProvider data_prepare_with_placeholders 1212 */ 1213 function test_prepare_with_placeholders_and_array_args( $sql, $values, $incorrect_usage, $expected) { 1214 global $wpdb; 1215 1216 if ( $incorrect_usage ) { 1217 $this->setExpectedIncorrectUsage( 'wpdb::prepare' ); 1218 } 1219 1220 if ( ! is_array( $values ) ) { 1221 $values = array( $values ); 1222 } 1223 1224 $sql = call_user_func_array( array( $wpdb, 'prepare' ), array( $sql, $values ) ); 1225 $this->assertEquals( $expected, $sql ); 1226 } 1227 1228 function data_prepare_with_placeholders() { 1229 global $wpdb; 1230 1231 return array( 1232 array( 1233 '%5s', // SQL to prepare 1234 'foo', // Value to insert in the SQL 1235 false, // Whether to expect an incorrect usage error or not 1236 ' foo', // Expected output 1237 ), 1238 array( 1239 '%1$d %%% % %%1$d%% %%%1$d%%', 1240 1, 1241 true, 1242 "1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1\$d{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1{$wpdb->placeholder_escape()}", 1243 ), 1244 array( 1245 '%-5s', 1246 'foo', 1247 false, 1248 'foo ', 1249 ), 1250 array( 1251 '%05s', 1252 'foo', 1253 false, 1254 '00foo', 1255 ), 1256 array( 1257 "%'#5s", 1258 'foo', 1259 false, 1260 '##foo', 1261 ), 1262 array( 1263 '%.3s', 1264 'foobar', 1265 false, 1266 'foo', 1267 ), 1268 array( 1269 '%.3f', 1270 5.123456, 1271 false, 1272 '5.123', 1273 ), 1274 array( 1275 '%.3f', 1276 5.12, 1277 false, 1278 '5.120', 1279 ), 1280 array( 1281 '%s', 1282 ' %s ', 1283 false, 1284 "' {$wpdb->placeholder_escape()}s '", 1285 ), 1286 array( 1287 '%1$s', 1288 ' %s ', 1289 false, 1290 " {$wpdb->placeholder_escape()}s ", 1291 ), 1292 array( 1293 '%1$s', 1294 ' %1$s ', 1295 false, 1296 " {$wpdb->placeholder_escape()}1\$s ", 1297 ), 1298 array( 1299 '%d %1$d %%% %', 1300 1, 1301 true, 1302 "1 1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}", 1303 ), 1304 array( 1305 '%d %2$s', 1306 array( 1, 'hello' ), 1307 false, 1308 "1 hello", 1309 ), 1310 array( 1311 "'%s'", 1312 'hello', 1313 false, 1314 "'hello'", 1315 ), 1316 array( 1317 '"%s"', 1318 'hello', 1319 false, 1320 "'hello'", 1321 ), 1322 array( 1323 "%s '%1\$s'", 1324 'hello', 1325 true, 1326 "'hello' 'hello'", 1327 ), 1328 array( 1329 "%s '%1\$s'", 1330 'hello', 1331 true, 1332 "'hello' 'hello'", 1333 ), 1334 array( 1335 '%s "%1$s"', 1336 'hello', 1337 true, 1338 "'hello' \"hello\"", 1339 ), 1340 array( 1341 "%%s %%'%1\$s'", 1342 'hello', 1343 false, 1344 "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}'hello'", 1345 ), 1346 array( 1347 '%%s %%"%1$s"', 1348 'hello', 1349 false, 1350 "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}\"hello\"", 1351 ), 1352 array( 1353 '%s', 1354 ' % s ', 1355 false, 1356 "' {$wpdb->placeholder_escape()} s '", 1357 ), 1358 array( 1359 '%%f %%"%1$f"', 1360 3, 1361 false, 1362 "{$wpdb->placeholder_escape()}f {$wpdb->placeholder_escape()}\"3.000000\"", 1363 ), 1364 array( 1365 'WHERE second=\'%2$s\' AND first=\'%1$s\'', 1366 array( 'first arg', 'second arg' ), 1367 false, 1368 "WHERE second='second arg' AND first='first arg'", 1369 ), 1370 array( 1371 'WHERE second=%2$d AND first=%1$d', 1372 array( 1, 2 ), 1373 false, 1374 "WHERE second=2 AND first=1", 1375 ), 1376 array( 1377 "'%'%%s", 1378 'hello', 1379 true, 1380 "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s", 1381 ), 1382 array( 1383 "'%'%%s%s", 1384 'hello', 1385 false, 1386 "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s'hello'", 1387 ), 1388 array( 1389 "'%'%%s %s", 1390 'hello', 1391 false, 1392 "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s 'hello'", 1393 ), 1394 array( 1395 "'%-'#5s' '%'#-+-5s'", 1396 array( 'hello', 'foo' ), 1397 false, 1398 "'hello' 'foo##'", 1399 ), 1400 ); 1401 } 1402 1403 /** 1404 * @dataProvider data_escape_and_prepare 1405 */ 1406 function test_escape_and_prepare( $escape, $sql, $values, $incorrect_usage, $expected ) { 1407 global $wpdb; 1408 1409 if ( $incorrect_usage ) { 1410 $this->setExpectedIncorrectUsage( 'wpdb::prepare' ); 1411 } 1412 1413 $escape = esc_sql( $escape ); 1414 1415 $sql = str_replace( '{ESCAPE}', $escape, $sql ); 1416 1417 $actual = $wpdb->prepare( $sql, $values ); 1418 1419 $this->assertEquals( $expected, $actual ); 1420 } 1421 1422 function data_escape_and_prepare() { 1423 global $wpdb; 1424 return array( 1425 array( 1426 '%s', // String to pass through esc_url() 1427 ' {ESCAPE} ', // Query to insert the output of esc_url() into, replacing "{ESCAPE}" 1428 'foo', // Data to send to prepare() 1429 true, // Whether to expect an incorrect usage error or not 1430 " {$wpdb->placeholder_escape()}s ", // Expected output 1431 ), 1432 array( 1433 'foo%sbar', 1434 "SELECT * FROM bar WHERE foo='{ESCAPE}' OR baz=%s", 1435 array( ' SQLi -- -', 'pewpewpew' ), 1436 true, 1437 null, 1438 ), 1439 array( 1440 '%s', 1441 ' %s {ESCAPE} ', 1442 'foo', 1443 false, 1444 " 'foo' {$wpdb->placeholder_escape()}s ", 1445 ), 1446 ); 1447 } 1448 1449 /** 1450 * @expectedIncorrectUsage wpdb::prepare 1451 */ 1452 function test_double_prepare() { 1453 global $wpdb; 1454 1455 $part = $wpdb->prepare( ' AND meta_value = %s', ' %s ' ); 1456 $this->assertNotContains( '%s', $part ); 1457 $query = $wpdb->prepare( 'SELECT * FROM {$wpdb->postmeta} WHERE meta_key = %s $part', array( 'foo', 'bar' ) ); 1458 $this->assertNull( $query ); 1459 } 1460 1461 function test_prepare_numeric_placeholders_float_args() { 1462 global $wpdb; 1463 1464 $actual = $wpdb->prepare( 1465 'WHERE second=%2$f AND first=%1$f', 1466 1.1, 1467 2.2 1468 ); 1469 1470 /* Floats can be right padded, need to assert differently */ 1471 $this->assertContains( ' first=1.1', $actual ); 1472 $this->assertContains( ' second=2.2', $actual ); 1473 } 1474 1475 function test_prepare_numeric_placeholders_float_array() { 1476 global $wpdb; 1477 1478 $actual = $wpdb->prepare( 1479 'WHERE second=%2$f AND first=%1$f', 1480 array( 1.1, 2.2 ) 1481 ); 1482 1483 /* Floats can be right padded, need to assert differently */ 1484 $this->assertContains( ' first=1.1', $actual ); 1485 $this->assertContains( ' second=2.2', $actual ); 1486 } 1487 1488 function test_query_unescapes_placeholders() { 1489 global $wpdb; 1490 1491 $value = ' %s '; 1492 1493 $wpdb->query( "CREATE TABLE {$wpdb->prefix}test_placeholder( a VARCHAR(100) );" ); 1494 $sql = $wpdb->prepare( "INSERT INTO {$wpdb->prefix}test_placeholder VALUES(%s)", $value ); 1495 $wpdb->query( $sql ); 1496 1497 $actual = $wpdb->get_var( "SELECT a FROM {$wpdb->prefix}test_placeholder" ); 1498 1499 $wpdb->query( "DROP TABLE {$wpdb->prefix}test_placeholder" ); 1500 1501 $this->assertNotContains( '%s', $sql ); 1502 $this->assertEquals( $value, $actual ); 1503 } 1504 1505 function test_esc_sql_with_unsupported_placeholder_type() { 1506 global $wpdb; 1507 1508 $sql = $wpdb->prepare( ' %s %1$c ', 'foo' ); 1509 $sql = $wpdb->prepare( " $sql %s ", 'foo' ); 1510 1511 $this->assertEquals( " 'foo' {$wpdb->placeholder_escape()}1\$c 'foo' ", $sql ); 1195 1512 } 1196 1513 -
trunk/tests/phpunit/tests/rest-api/rest-posts-controller.php
r41979 r42056 86 86 $expected_clause = str_replace( '{posts}', $wpdb->posts, $pattern ); 87 87 $this->assertCount( 1, $this->posts_clauses ); 88 $this->assertEquals( $expected_clause, $ this->posts_clauses[0][ $clause ]);88 $this->assertEquals( $expected_clause, $wpdb->remove_placeholder_escape( $this->posts_clauses[0][ $clause ] ) ); 89 89 } 90 90 -
trunk/wp-tests-config-sample.php
r41289 r42056 39 39 define( 'DB_COLLATE', '' ); 40 40 41 /**#@+ 42 * Authentication Unique Keys and Salts. 43 * 44 * Change these to different unique phrases! 45 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service} 46 */ 47 define('AUTH_KEY', 'put your unique phrase here'); 48 define('SECURE_AUTH_KEY', 'put your unique phrase here'); 49 define('LOGGED_IN_KEY', 'put your unique phrase here'); 50 define('NONCE_KEY', 'put your unique phrase here'); 51 define('AUTH_SALT', 'put your unique phrase here'); 52 define('SECURE_AUTH_SALT', 'put your unique phrase here'); 53 define('LOGGED_IN_SALT', 'put your unique phrase here'); 54 define('NONCE_SALT', 'put your unique phrase here'); 55 41 56 $table_prefix = 'wptests_'; // Only numbers, letters, and underscores please! 42 57
Note: See TracChangeset
for help on using the changeset viewer.