Changeset 42057 for branches/4.8/src/wp-includes/formatting.php

Timestamp:

10/31/2017 12:22:07 PM (9 years ago)

Author:

pento

Message:

Database: Restore numbered placeholders in wpdb::prepare().

[41496] removed support for numbered placeholders in queries send through wpdb::prepare(), which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to wpdb::prepare(), given the number of placeholders.

Merges [41662], [42056] to the 4.8 branch.
See #41925.

Location:

branches/4.8

Files:

• . (modified) (1 prop)
• src/wp-includes/formatting.php (modified) (1 diff)

branches/4.8/src/wp-includes/formatting.php

@@ -3739 +3739 @@
  * is preparing an array for use in an IN clause.
  *
+ * NOTE: Since 4.8.3, '%' characters will be replaced with a placeholder string,
+ * this prevents certain SQLi attacks from taking place. This change in behaviour
+ * may cause issues for code that expects the return value of esc_sql() to be useable
+ * for other purposes.
+ *
  * @since 2.8.0
  *