Changeset 42059
- Timestamp:
- 10/31/2017 12:40:24 PM (7 years ago)
- Location:
- branches/4.6
- Files:
-
- 8 edited
-
. (modified) (1 prop)
-
src/wp-includes/post.php (modified) (1 diff)
-
src/wp-includes/wp-db.php (modified) (6 diffs)
-
tests/phpunit/tests/comment/query.php (modified) (2 diffs)
-
tests/phpunit/tests/date/query.php (modified) (5 diffs)
-
tests/phpunit/tests/db.php (modified) (4 diffs)
-
tests/phpunit/tests/term/meta.php (modified) (1 diff)
-
wp-tests-config-sample.php (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
branches/4.6
- Property svn:mergeinfo changed
/trunk merged: 41662,42056
- Property svn:mergeinfo changed
-
branches/4.6/src/wp-includes/post.php
r38264 r42059 4131 4131 $page_path = str_replace('%20', ' ', $page_path); 4132 4132 $parts = explode( '/', trim( $page_path, '/' ) ); 4133 $parts = esc_sql( $parts );4134 4133 $parts = array_map( 'sanitize_title_for_query', $parts ); 4135 4136 $in_string = "'" . implode( "','", $parts ) . "'"; 4134 $escaped_parts = esc_sql( $parts ); 4135 4136 $in_string = "'" . implode( "','", $escaped_parts ) . "'"; 4137 4137 4138 4138 if ( is_array( $post_type ) ) { -
branches/4.6/src/wp-includes/wp-db.php
r41499 r42059 1169 1169 if ( $this->dbh ) { 1170 1170 if ( $this->use_mysqli ) { 1171 returnmysqli_real_escape_string( $this->dbh, $string );1171 $escaped = mysqli_real_escape_string( $this->dbh, $string ); 1172 1172 } else { 1173 return mysql_real_escape_string( $string, $this->dbh ); 1174 } 1175 } 1176 1177 $class = get_class( $this ); 1178 if ( function_exists( '__' ) ) { 1179 /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */ 1180 _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' ); 1173 $escaped = mysql_real_escape_string( $string, $this->dbh ); 1174 } 1181 1175 } else { 1182 _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' ); 1183 } 1184 return addslashes( $string ); 1176 $class = get_class( $this ); 1177 if ( function_exists( '__' ) ) { 1178 /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */ 1179 _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' ); 1180 } else { 1181 _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' ); 1182 } 1183 $escaped = addslashes( $string ); 1184 } 1185 1186 return $this->add_placeholder_escape( $escaped ); 1185 1187 } 1186 1188 … … 1257 1259 * Prepares a SQL query for safe execution. Uses sprintf()-like syntax. 1258 1260 * 1259 * The following directives can be used in the query formatstring:1261 * The following placeholders can be used in the query string: 1260 1262 * %d (integer) 1261 1263 * %f (float) 1262 1264 * %s (string) 1263 * %% (literal percentage sign - no argument needed) 1264 * 1265 * All of %d, %f, and %s are to be left unquoted in the query string and they need an argument passed for them. 1266 * Literals (%) as parts of the query must be properly written as %%. 1267 * 1268 * This function only supports a small subset of the sprintf syntax; it only supports %d (integer), %f (float), and %s (string). 1269 * Does not support sign, padding, alignment, width or precision specifiers. 1270 * Does not support argument numbering/swapping. 1271 * 1272 * May be called like {@link https://secure.php.net/sprintf sprintf()} or like {@link https://secure.php.net/vsprintf vsprintf()}. 1273 * 1274 * Both %d and %s should be left unquoted in the query string. 1275 * 1276 * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", 'foo', 1337 ) 1277 * wpdb::prepare( "SELECT DATE_FORMAT(`field`, '%%c') FROM `table` WHERE `column` = %s", 'foo' ); 1265 * 1266 * All placeholders MUST be left unquoted in the query string. A corresponding argument MUST be passed for each placeholder. 1267 * 1268 * For compatibility with old behavior, numbered or formatted string placeholders (eg, %1$s, %5s) will not have quotes 1269 * added by this function, so should be passed with appropriate quotes around them for your usage. 1270 * 1271 * Literal percentage signs (%) in the query string must be written as %%. Percentage wildcards (for example, 1272 * to use in LIKE syntax) must be passed via a substitution argument containing the complete LIKE string, these 1273 * cannot be inserted directly in the query string. Also see {@see esc_like()}. 1274 * 1275 * Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination 1276 * of the two is not supported. 1277 * 1278 * Examples: 1279 * $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d OR `other_field` LIKE %s", array( 'foo', 1337, '%bar' ) ); 1280 * $wpdb->prepare( "SELECT DATE_FORMAT(`field`, '%%c') FROM `table` WHERE `column` = %s", 'foo' ); 1278 1281 * 1279 1282 * @link https://secure.php.net/sprintf Description of syntax. … … 1281 1284 * 1282 1285 * @param string $query Query statement with sprintf()-like placeholders 1283 * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called like 1284 * {@link https://secure.php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if 1285 * being called like {@link https://secure.php.net/sprintf sprintf()}. 1286 * @param mixed $args,... further variables to substitute into the query's placeholders if being called like 1287 * {@link https://secure.php.net/sprintf sprintf()}. 1286 * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called with an array of arguments, 1287 * or the first variable to substitute into the query's placeholders if being called with individual arguments. 1288 * @param mixed $args,... further variables to substitute into the query's placeholders if being called wih individual arguments. 1288 1289 * @return string|void Sanitized query string, if there is a query to prepare. 1289 1290 */ 1290 1291 public function prepare( $query, $args ) { 1291 if ( is_null( $query ) ) 1292 if ( is_null( $query ) ) { 1292 1293 return; 1294 } 1293 1295 1294 1296 // This is not meant to be foolproof -- but it will catch obviously incorrect usage. 1295 1297 if ( strpos( $query, '%' ) === false ) { 1298 wp_load_translations_early(); 1296 1299 _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'The query argument of %s must have a placeholder.' ), 'wpdb::prepare()' ), '3.9.0' ); 1297 1300 } … … 1300 1303 array_shift( $args ); 1301 1304 1302 // If args were passed as an array (as in vsprintf), move them up 1305 // If args were passed as an array (as in vsprintf), move them up. 1306 $passed_as_array = false; 1303 1307 if ( is_array( $args[0] ) && count( $args ) == 1 ) { 1308 $passed_as_array = true; 1304 1309 $args = $args[0]; 1305 1310 } … … 1307 1312 foreach ( $args as $arg ) { 1308 1313 if ( ! is_scalar( $arg ) && ! is_null( $arg ) ) { 1309 _doing_it_wrong( 'wpdb::prepare', sprintf( 'Unsupported value type (%s).', gettype( $arg ) ), '4.6.7' ); 1310 } 1311 } 1312 1313 $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it 1314 $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting 1315 $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware 1316 $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s 1317 $query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query ); // escape any unescaped percents 1314 wp_load_translations_early(); 1315 _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'Unsupported value type (%s).' ), gettype( $arg ) ), '4.8.2' ); 1316 } 1317 } 1318 1319 /* 1320 * Specify the formatting allowed in a placeholder. The following are allowed: 1321 * 1322 * - Sign specifier. eg, $+d 1323 * - Numbered placeholders. eg, %1$s 1324 * - Padding specifier, including custom padding characters. eg, %05s, %'#5s 1325 * - Alignment specifier. eg, %05-s 1326 * - Precision specifier. eg, %.2f 1327 */ 1328 $allowed_format = '(?:[1-9][0-9]*[$])?[-+0-9]*(?: |0|\'.)?[-+0-9]*(?:\.[0-9]+)?'; 1329 1330 /* 1331 * If a %s placeholder already has quotes around it, removing the existing quotes and re-inserting them 1332 * ensures the quotes are consistent. 1333 * 1334 * For backwards compatibility, this is only applied to %s, and not to placeholders like %1$s, which are frequently 1335 * used in the middle of longer strings, or as table name placeholders. 1336 */ 1337 $query = str_replace( "'%s'", '%s', $query ); // Strip any existing single quotes. 1338 $query = str_replace( '"%s"', '%s', $query ); // Strip any existing double quotes. 1339 $query = preg_replace( '/(?<!%)%s/', "'%s'", $query ); // Quote the strings, avoiding escaped strings like %%s. 1340 1341 $query = preg_replace( "/(?<!%)(%($allowed_format)?f)/" , '%\\2F', $query ); // Force floats to be locale unaware. 1342 1343 $query = preg_replace( "/%(?:%|$|(?!($allowed_format)?[sdF]))/", '%%\\1', $query ); // Escape any unescaped percents. 1344 1345 // Count the number of valid placeholders in the query. 1346 $placeholders = preg_match_all( "/(^|[^%]|(%%)+)%($allowed_format)?[sdF]/", $query, $matches ); 1347 1348 if ( count( $args ) !== $placeholders ) { 1349 if ( 1 === $placeholders && $passed_as_array ) { 1350 // If the passed query only expected one argument, but the wrong number of arguments were sent as an array, bail. 1351 wp_load_translations_early(); 1352 _doing_it_wrong( 'wpdb::prepare', __( 'The query only expected one placeholder, but an array of multiple placeholders was sent.' ), '4.9.0' ); 1353 1354 return; 1355 } else { 1356 /* 1357 * If we don't have the right number of placeholders, but they were passed as individual arguments, 1358 * or we were expecting multiple arguments in an array, throw a warning. 1359 */ 1360 wp_load_translations_early(); 1361 _doing_it_wrong( 'wpdb::prepare', 1362 /* translators: 1: number of placeholders, 2: number of arguments passed */ 1363 sprintf( __( 'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).' ), 1364 $placeholders, 1365 count( $args ) ), 1366 '4.8.3' 1367 ); 1368 } 1369 } 1370 1318 1371 array_walk( $args, array( $this, 'escape_by_ref' ) ); 1319 return @vsprintf( $query, $args ); 1372 $query = @vsprintf( $query, $args ); 1373 1374 return $this->add_placeholder_escape( $query ); 1320 1375 } 1321 1376 … … 1890 1945 $this->queries[] = array( $query, $this->timer_stop(), $this->get_caller() ); 1891 1946 } 1947 } 1948 1949 /** 1950 * Generates and returns a placeholder escape string for use in queries returned by ::prepare(). 1951 * 1952 * @since 4.8.3 1953 * 1954 * @return string String to escape placeholders. 1955 */ 1956 public function placeholder_escape() { 1957 static $placeholder; 1958 1959 if ( ! $placeholder ) { 1960 // If ext/hash is not present, compat.php's hash_hmac() does not support sha256. 1961 $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; 1962 // Old WP installs may not have AUTH_SALT defined. 1963 $salt = defined( 'AUTH_SALT' ) ? AUTH_SALT : rand(); 1964 1965 $placeholder = '{' . hash_hmac( $algo, uniqid( $salt, true ), $salt ) . '}'; 1966 } 1967 1968 /* 1969 * Add the filter to remove the placeholder escaper. Uses priority 0, so that anything 1970 * else attached to this filter will recieve the query with the placeholder string removed. 1971 */ 1972 if ( ! has_filter( 'query', array( $this, 'remove_placeholder_escape' ) ) ) { 1973 add_filter( 'query', array( $this, 'remove_placeholder_escape' ), 0 ); 1974 } 1975 1976 return $placeholder; 1977 } 1978 1979 /** 1980 * Adds a placeholder escape string, to escape anything that resembles a printf() placeholder. 1981 * 1982 * @since 4.8.3 1983 * 1984 * @param string $query The query to escape. 1985 * @return string The query with the placeholder escape string inserted where necessary. 1986 */ 1987 public function add_placeholder_escape( $query ) { 1988 /* 1989 * To prevent returning anything that even vaguely resembles a placeholder, 1990 * we clobber every % we can find. 1991 */ 1992 return str_replace( '%', $this->placeholder_escape(), $query ); 1993 } 1994 1995 /** 1996 * Removes the placeholder escape strings from a query. 1997 * 1998 * @since 4.8.3 1999 * 2000 * @param string $query The query from which the placeholder will be removed. 2001 * @return string The query with the placeholder removed. 2002 */ 2003 public function remove_placeholder_escape( $query ) { 2004 return str_replace( $this->placeholder_escape(), '%', $query ); 1892 2005 } 1893 2006 -
branches/4.6/tests/phpunit/tests/comment/query.php
r38537 r42059 1223 1223 */ 1224 1224 public function test_search_int_0_should_not_be_ignored() { 1225 global $wpdb; 1225 1226 $q = new WP_Comment_Query(); 1226 1227 $q->query( array( 1227 1228 'search' => 0, 1228 1229 ) ); 1229 $this->assertContains( "comment_author LIKE '%0%'", $ q->request);1230 $this->assertContains( "comment_author LIKE '%0%'", $wpdb->remove_placeholder_escape( $q->request ) ); 1230 1231 } 1231 1232 … … 1234 1235 */ 1235 1236 public function test_search_string_0_should_not_be_ignored() { 1237 global $wpdb; 1236 1238 $q = new WP_Comment_Query(); 1237 1239 $q->query( array( 1238 1240 'search' => '0', 1239 1241 ) ); 1240 $this->assertContains( "comment_author LIKE '%0%'", $ q->request);1242 $this->assertContains( "comment_author LIKE '%0%'", $wpdb->remove_placeholder_escape( $q->request ) ); 1241 1243 } 1242 1244 -
branches/4.6/tests/phpunit/tests/date/query.php
r35242 r42059 513 513 */ 514 514 public function test_build_time_query_should_not_discard_hour_0() { 515 global $wpdb; 515 516 $q = new WP_Date_Query( array() ); 516 517 517 518 $found = $q->build_time_query( 'post_date', '=', 0, 10 ); 518 519 519 $this->assertContains( '%H', $ found);520 $this->assertContains( '%H', $wpdb->remove_placeholder_escape( $found ) ); 520 521 } 521 522 … … 613 614 614 615 public function test_build_time_query_hour_minute() { 616 global $wpdb; 615 617 $q = new WP_Date_Query( array() ); 616 618 … … 619 621 // $compare value is floating point - use regex to account for 620 622 // varying precision on different PHP installations 621 $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $ found);623 $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $wpdb->remove_placeholder_escape( $found ) ); 622 624 } 623 625 624 626 public function test_build_time_query_hour_minute_second() { 627 global $wpdb; 625 628 $q = new WP_Date_Query( array() ); 626 629 … … 629 632 // $compare value is floating point - use regex to account for 630 633 // varying precision on different PHP installations 631 $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $ found);634 $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $wpdb->remove_placeholder_escape( $found ) ); 632 635 } 633 636 634 637 public function test_build_time_query_minute_second() { 638 global $wpdb; 635 639 $q = new WP_Date_Query( array() ); 636 640 … … 639 643 // $compare value is floating point - use regex to account for 640 644 // varying precision on different PHP installations 641 $this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $ found);645 $this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $wpdb->remove_placeholder_escape( $found ) ); 642 646 } 643 647 -
branches/4.6/tests/phpunit/tests/db.php
r41499 r42059 265 265 global $wpdb; 266 266 $sql = $wpdb->prepare( "UPDATE test_table SET string_column = '%%f is a float, %%d is an int %d, %%s is a string', field = %s", 3, '4' ); 267 $this->assertContains( $wpdb->placeholder_escape(), $sql ); 268 269 $sql = $wpdb->remove_placeholder_escape( $sql ); 267 270 $this->assertEquals( "UPDATE test_table SET string_column = '%f is a float, %d is an int 3, %s is a string', field = '4'", $sql ); 268 271 } … … 370 373 } 371 374 372 373 375 function test_prepare_vsprintf() { 376 global $wpdb; 374 377 375 378 $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ) ); … … 388 391 $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( array( 1 ), "admin" ) ); 389 392 $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared ); 390 } 393 } 394 395 /** 396 * @ticket 42040 397 * @dataProvider data_prepare_incorrect_arg_count 398 * @expectedIncorrectUsage wpdb::prepare 399 */ 400 public function test_prepare_incorrect_arg_count( $query, $args, $expected ) { 401 global $wpdb; 402 403 // $query is the first argument to be passed to wpdb::prepare() 404 array_unshift( $args, $query ); 405 406 $prepared = @call_user_func_array( array( $wpdb, 'prepare' ), $args ); 407 $this->assertEquals( $expected, $prepared ); 408 } 409 410 public function data_prepare_incorrect_arg_count() { 411 global $wpdb; 412 413 return array( 414 array( 415 "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", // Query 416 array( 1, "admin", "extra-arg" ), // ::prepare() args, to be passed via call_user_func_array 417 "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", // Expected output 418 ), 419 array( 420 "SELECT * FROM $wpdb->users WHERE id = %%%d AND user_login = %s", 421 array( 1 ), 422 false, 423 ), 424 array( 425 "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 426 array( array( 1, "admin", "extra-arg" ) ), 427 "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", 428 ), 429 array( 430 "SELECT * FROM $wpdb->users WHERE id = %d AND %% AND user_login = %s", 431 array( 1, "admin", "extra-arg" ), 432 "SELECT * FROM $wpdb->users WHERE id = 1 AND {$wpdb->placeholder_escape()} AND user_login = 'admin'", 433 ), 434 array( 435 "SELECT * FROM $wpdb->users WHERE id = %%%d AND %F AND %f AND user_login = %s", 436 array( 1, 2.3, "4.5", "admin", "extra-arg" ), 437 "SELECT * FROM $wpdb->users WHERE id = {$wpdb->placeholder_escape()}1 AND 2.300000 AND 4.500000 AND user_login = 'admin'", 438 ), 439 array( 440 "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 441 array( array( 1 ), "admin", "extra-arg" ), 442 "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", 443 ), 444 array( 445 "SELECT * FROM $wpdb->users WHERE id = %d and user_nicename = %s and user_status = %d and user_login = %s", 446 array( 1, "admin", 0 ), 447 '', 448 ), 449 array( 450 "SELECT * FROM $wpdb->users WHERE id = %d and user_nicename = %s and user_status = %d and user_login = %s", 451 array( array( 1, "admin", 0 ) ), 452 '', 453 ), 454 array( 455 "SELECT * FROM $wpdb->users WHERE id = %d and %% and user_login = %s and user_status = %d and user_login = %s", 456 array( 1, "admin", "extra-arg" ), 457 '', 458 ), 459 ); 460 } 391 461 392 462 function test_db_version() { … … 1092 1162 1093 1163 /** 1094 * 1095 */ 1096 function test_prepare_with_unescaped_percents() { 1097 global $wpdb; 1098 1099 $sql = $wpdb->prepare( '%d %1$d %%% %', 1 ); 1100 $this->assertEquals( '1 %1$d %% %', $sql ); 1164 * @dataProvider data_prepare_with_placeholders 1165 */ 1166 function test_prepare_with_placeholders_and_individual_args( $sql, $values, $incorrect_usage, $expected) { 1167 global $wpdb; 1168 1169 if ( $incorrect_usage ) { 1170 $this->setExpectedIncorrectUsage( 'wpdb::prepare' ); 1171 } 1172 1173 if ( ! is_array( $values ) ) { 1174 $values = array( $values ); 1175 } 1176 1177 array_unshift( $values, $sql ); 1178 1179 $sql = call_user_func_array( array( $wpdb, 'prepare' ), $values ); 1180 $this->assertEquals( $expected, $sql ); 1181 } 1182 1183 /** 1184 * @dataProvider data_prepare_with_placeholders 1185 */ 1186 function test_prepare_with_placeholders_and_array_args( $sql, $values, $incorrect_usage, $expected) { 1187 global $wpdb; 1188 1189 if ( $incorrect_usage ) { 1190 $this->setExpectedIncorrectUsage( 'wpdb::prepare' ); 1191 } 1192 1193 if ( ! is_array( $values ) ) { 1194 $values = array( $values ); 1195 } 1196 1197 $sql = call_user_func_array( array( $wpdb, 'prepare' ), array( $sql, $values ) ); 1198 $this->assertEquals( $expected, $sql ); 1199 } 1200 1201 function data_prepare_with_placeholders() { 1202 global $wpdb; 1203 1204 return array( 1205 array( 1206 '%5s', // SQL to prepare 1207 'foo', // Value to insert in the SQL 1208 false, // Whether to expect an incorrect usage error or not 1209 ' foo', // Expected output 1210 ), 1211 array( 1212 '%1$d %%% % %%1$d%% %%%1$d%%', 1213 1, 1214 true, 1215 "1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1\$d{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1{$wpdb->placeholder_escape()}", 1216 ), 1217 array( 1218 '%-5s', 1219 'foo', 1220 false, 1221 'foo ', 1222 ), 1223 array( 1224 '%05s', 1225 'foo', 1226 false, 1227 '00foo', 1228 ), 1229 array( 1230 "%'#5s", 1231 'foo', 1232 false, 1233 '##foo', 1234 ), 1235 array( 1236 '%.3s', 1237 'foobar', 1238 false, 1239 'foo', 1240 ), 1241 array( 1242 '%.3f', 1243 5.123456, 1244 false, 1245 '5.123', 1246 ), 1247 array( 1248 '%.3f', 1249 5.12, 1250 false, 1251 '5.120', 1252 ), 1253 array( 1254 '%s', 1255 ' %s ', 1256 false, 1257 "' {$wpdb->placeholder_escape()}s '", 1258 ), 1259 array( 1260 '%1$s', 1261 ' %s ', 1262 false, 1263 " {$wpdb->placeholder_escape()}s ", 1264 ), 1265 array( 1266 '%1$s', 1267 ' %1$s ', 1268 false, 1269 " {$wpdb->placeholder_escape()}1\$s ", 1270 ), 1271 array( 1272 '%d %1$d %%% %', 1273 1, 1274 true, 1275 "1 1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}", 1276 ), 1277 array( 1278 '%d %2$s', 1279 array( 1, 'hello' ), 1280 false, 1281 "1 hello", 1282 ), 1283 array( 1284 "'%s'", 1285 'hello', 1286 false, 1287 "'hello'", 1288 ), 1289 array( 1290 '"%s"', 1291 'hello', 1292 false, 1293 "'hello'", 1294 ), 1295 array( 1296 "%s '%1\$s'", 1297 'hello', 1298 true, 1299 "'hello' 'hello'", 1300 ), 1301 array( 1302 "%s '%1\$s'", 1303 'hello', 1304 true, 1305 "'hello' 'hello'", 1306 ), 1307 array( 1308 '%s "%1$s"', 1309 'hello', 1310 true, 1311 "'hello' \"hello\"", 1312 ), 1313 array( 1314 "%%s %%'%1\$s'", 1315 'hello', 1316 false, 1317 "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}'hello'", 1318 ), 1319 array( 1320 '%%s %%"%1$s"', 1321 'hello', 1322 false, 1323 "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}\"hello\"", 1324 ), 1325 array( 1326 '%s', 1327 ' % s ', 1328 false, 1329 "' {$wpdb->placeholder_escape()} s '", 1330 ), 1331 array( 1332 '%%f %%"%1$f"', 1333 3, 1334 false, 1335 "{$wpdb->placeholder_escape()}f {$wpdb->placeholder_escape()}\"3.000000\"", 1336 ), 1337 array( 1338 'WHERE second=\'%2$s\' AND first=\'%1$s\'', 1339 array( 'first arg', 'second arg' ), 1340 false, 1341 "WHERE second='second arg' AND first='first arg'", 1342 ), 1343 array( 1344 'WHERE second=%2$d AND first=%1$d', 1345 array( 1, 2 ), 1346 false, 1347 "WHERE second=2 AND first=1", 1348 ), 1349 array( 1350 "'%'%%s", 1351 'hello', 1352 true, 1353 "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s", 1354 ), 1355 array( 1356 "'%'%%s%s", 1357 'hello', 1358 false, 1359 "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s'hello'", 1360 ), 1361 array( 1362 "'%'%%s %s", 1363 'hello', 1364 false, 1365 "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s 'hello'", 1366 ), 1367 array( 1368 "'%-'#5s' '%'#-+-5s'", 1369 array( 'hello', 'foo' ), 1370 false, 1371 "'hello' 'foo##'", 1372 ), 1373 ); 1374 } 1375 1376 /** 1377 * @dataProvider data_escape_and_prepare 1378 */ 1379 function test_escape_and_prepare( $escape, $sql, $values, $incorrect_usage, $expected ) { 1380 global $wpdb; 1381 1382 if ( $incorrect_usage ) { 1383 $this->setExpectedIncorrectUsage( 'wpdb::prepare' ); 1384 } 1385 1386 $escape = esc_sql( $escape ); 1387 1388 $sql = str_replace( '{ESCAPE}', $escape, $sql ); 1389 1390 $actual = $wpdb->prepare( $sql, $values ); 1391 1392 $this->assertEquals( $expected, $actual ); 1393 } 1394 1395 function data_escape_and_prepare() { 1396 global $wpdb; 1397 return array( 1398 array( 1399 '%s', // String to pass through esc_url() 1400 ' {ESCAPE} ', // Query to insert the output of esc_url() into, replacing "{ESCAPE}" 1401 'foo', // Data to send to prepare() 1402 true, // Whether to expect an incorrect usage error or not 1403 " {$wpdb->placeholder_escape()}s ", // Expected output 1404 ), 1405 array( 1406 'foo%sbar', 1407 "SELECT * FROM bar WHERE foo='{ESCAPE}' OR baz=%s", 1408 array( ' SQLi -- -', 'pewpewpew' ), 1409 true, 1410 null, 1411 ), 1412 array( 1413 '%s', 1414 ' %s {ESCAPE} ', 1415 'foo', 1416 false, 1417 " 'foo' {$wpdb->placeholder_escape()}s ", 1418 ), 1419 ); 1420 } 1421 1422 /** 1423 * @expectedIncorrectUsage wpdb::prepare 1424 */ 1425 function test_double_prepare() { 1426 global $wpdb; 1427 1428 $part = $wpdb->prepare( ' AND meta_value = %s', ' %s ' ); 1429 $this->assertNotContains( '%s', $part ); 1430 $query = $wpdb->prepare( 'SELECT * FROM {$wpdb->postmeta} WHERE meta_key = %s $part', array( 'foo', 'bar' ) ); 1431 $this->assertNull( $query ); 1432 } 1433 1434 function test_prepare_numeric_placeholders_float_args() { 1435 global $wpdb; 1436 1437 $actual = $wpdb->prepare( 1438 'WHERE second=%2$f AND first=%1$f', 1439 1.1, 1440 2.2 1441 ); 1442 1443 /* Floats can be right padded, need to assert differently */ 1444 $this->assertContains( ' first=1.1', $actual ); 1445 $this->assertContains( ' second=2.2', $actual ); 1446 } 1447 1448 function test_prepare_numeric_placeholders_float_array() { 1449 global $wpdb; 1450 1451 $actual = $wpdb->prepare( 1452 'WHERE second=%2$f AND first=%1$f', 1453 array( 1.1, 2.2 ) 1454 ); 1455 1456 /* Floats can be right padded, need to assert differently */ 1457 $this->assertContains( ' first=1.1', $actual ); 1458 $this->assertContains( ' second=2.2', $actual ); 1459 } 1460 1461 function test_query_unescapes_placeholders() { 1462 global $wpdb; 1463 1464 $value = ' %s '; 1465 1466 $wpdb->query( "CREATE TABLE {$wpdb->prefix}test_placeholder( a VARCHAR(100) );" ); 1467 $sql = $wpdb->prepare( "INSERT INTO {$wpdb->prefix}test_placeholder VALUES(%s)", $value ); 1468 $wpdb->query( $sql ); 1469 1470 $actual = $wpdb->get_var( "SELECT a FROM {$wpdb->prefix}test_placeholder" ); 1471 1472 $wpdb->query( "DROP TABLE {$wpdb->prefix}test_placeholder" ); 1473 1474 $this->assertNotContains( '%s', $sql ); 1475 $this->assertEquals( $value, $actual ); 1476 } 1477 1478 function test_esc_sql_with_unsupported_placeholder_type() { 1479 global $wpdb; 1480 1481 $sql = $wpdb->prepare( ' %s %1$c ', 'foo' ); 1482 $sql = $wpdb->prepare( " $sql %s ", 'foo' ); 1483 1484 $this->assertEquals( " 'foo' {$wpdb->placeholder_escape()}1\$c 'foo' ", $sql ); 1101 1485 } 1102 1486 } -
branches/4.6/tests/phpunit/tests/term/meta.php
r37589 r42059 359 359 register_taxonomy( 'wptests_tax', 'post' ); 360 360 $t1 = wp_insert_term( 'Foo', 'wptests_tax' ); 361 add_term_meta( $t1 , 'foo', 'bar' );361 add_term_meta( $t1['term_id'], 'foo', 'bar' ); 362 362 363 363 register_taxonomy( 'wptests_tax_2', 'post' ); -
branches/4.6/wp-tests-config-sample.php
r36372 r42059 31 31 define( 'DB_COLLATE', '' ); 32 32 33 /**#@+ 34 * Authentication Unique Keys and Salts. 35 * 36 * Change these to different unique phrases! 37 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service} 38 */ 39 define('AUTH_KEY', 'put your unique phrase here'); 40 define('SECURE_AUTH_KEY', 'put your unique phrase here'); 41 define('LOGGED_IN_KEY', 'put your unique phrase here'); 42 define('NONCE_KEY', 'put your unique phrase here'); 43 define('AUTH_SALT', 'put your unique phrase here'); 44 define('SECURE_AUTH_SALT', 'put your unique phrase here'); 45 define('LOGGED_IN_SALT', 'put your unique phrase here'); 46 define('NONCE_SALT', 'put your unique phrase here'); 47 33 48 $table_prefix = 'wptests_'; // Only numbers, letters, and underscores please! 34 49
Note: See TracChangeset
for help on using the changeset viewer.