Context Navigation

← Previous Change
Next Change →

formatting.php

Timestamp:

10/31/2017 11:59:43 AM (8 years ago)

Author:

pento

Message:

Database: Restore numbered placeholders in wpdb::prepare().

[41496] removed support for numbered placeholders in queries send through wpdb::prepare(), which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to wpdb::prepare(), given the number of placeholders.

See #41925.

File:

: 1 edited

trunk/src/wp-includes/formatting.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/wp-includes/formatting.php

-                      r41702
+                      r42056
  * is preparing an array for use in an IN clause.
+ *
+ * NOTE: Since 4.8.3, '%' characters will be replaced with a placeholder string,
+ * this prevents certain SQLi attacks from taking place. This change in behaviour
+ * may cause issues for code that expects the return value of esc_sql() to be useable
+ * for other purposes.
+ *
  * @since 2.8.0
+ *

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 42056 for trunk/src/wp-includes/formatting.php

Legend:

trunk/src/wp-includes/formatting.php

Download in other formats: