Index: wp-includes/wp-db.php
===================================================================
--- wp-includes/wp-db.php	(revision 12559)
+++ wp-includes/wp-db.php	(working copy)
@@ -530,26 +530,38 @@
 	}
 
 	/**
-	 * Prepares a SQL query for safe execution.  Uses sprintf()-like syntax.
+	 * Mimicks a prepare of a SQL query for execution.  
+	 * 
+	 * The following placeholders can be used for values:
+	 * 
+	 *   %d (decimal number)
+	 *   %s (string)
+	 *   %% (%)
+	 *   
+	 * Both %d and %s should be left unquoted in the query string.
 	 *
+	 * <code>
+	 * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 )
+	 * </code>
+	 * 
+	 * NOTE: This has nothing to do with prepared statements your database might support.
+	 *  
+	 * More technical information:
+	 * 
+	 * Uses sprintf()-like syntax.
+	 *
 	 * This function only supports a small subset of the sprintf syntax; it only supports %d (decimal number), %s (string).
 	 * Does not support sign, padding, alignment, width or precision specifiers.
 	 * Does not support argument numbering/swapping.
 	 *
 	 * May be called like {@link http://php.net/sprintf sprintf()} or like {@link http://php.net/vsprintf vsprintf()}.
 	 *
-	 * Both %d and %s should be left unquoted in the query string.
-	 *
-	 * <code>
-	 * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 )
-	 * </code>
-	 *
 	 * @link http://php.net/sprintf Description of syntax.
 	 * @since 2.3.0
 	 *
-	 * @param string $query Query statement with sprintf()-like placeholders
-	 * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called like {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
-	 * @param mixed $args,... further variables to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
+	 * @param string $query Query statement with wpdb->prepare placeholders
+	 * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called compareable to {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
+	 * @param mixed $args,... further variables to substitute.
 	 * @return null|string Sanitized query string
 	 */
 	function prepare($query = null) { // ( $query, *$args )
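Review bot: The rewritten docblock is now internally inconsistent: the new placeholder list advertises `%%` as a supported token, but the retained sentence "it only supports %d (decimal number), %s (string)" says otherwise; change it to `it only supports %d (decimal number), %s (string) and %% (literal percent).` Two spelling errors were introduced as well, `Mimicks` should be `Mimics` and `compareable` should be `comparable`. The "has nothing to do with prepared statements" caveat is worth keeping, since callers may otherwise assume the driver is doing the parameter binding.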
@@ -560,14 +572,50 @@
 		// If args were passed as an array (as in vsprintf), move them up
 		if ( isset($args[0]) && is_array($args[0]) )
 			$args = $args[0];
-		$query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already singlequoted it
-		$query = str_replace('"%s"', '%s', $query); // doublequote unquoting
-		$query = str_replace('%s', "'%s'", $query); // quote the strings
+
+		$query = $this->_prepare_quote_lits($query); //quote %s in query-pattern				
+		$query = str_replace( array( "''%s''", "\"'%'\"" ), "'%s'", $query ); // in case someone mistakenly already single/double quoted it
+
 		array_walk($args, array(&$this, 'escape_by_ref'));
 		return @vsprintf($query, $args);
 	}
 
 	/**
+	 * helper function for prepare()
+	 * 
+	 * will quote %s tokens with single quotes
+	 * allowed tokens are: %%, %d and %s
+	 * 
+	 * can do strict parsing and return false if the query is  
+	 * not valid.
+	 * 
+	 * @access private
+	 * @param  string $query  wpdb prepare-pattern that needs to be single-quoted to %s
+	 * @param  bool   $strict (optional) wether or not do strict parsing of the query 
+	 * @return string pattern with single quotes added around %s literals
+	 * @return bool   false on syntax error if $strict param is true
+	 */
+	function _prepare_quote_lits( $query, $strict = false ) {
+		$query = (string) $query;				
+		$m = strlen( $query );		
+		for ( $i = -1; $c = $query[++$i], $i < $m; ) {
+			if ( '%' == $c ) {				
+				switch ( $query[$i+1] ) {
+					case 's':
+						$query = substr( $query, 0, $i) . "'%s'" . substr( $query, $i+=2 );
+					case '%':
+					case 'd':
+						$i++;
+						break;
+					default: # illegal pattern
+						if ( $strict ) return false;
+				}
+			}
+		}
+		return $query;
+	}
+
+	/**
 	 * Print SQL/DB error.
 	 *
 	 * @since 0.71
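Review bot: The scanning loop in `_prepare_quote_lits` stops short, because `$m` is computed once from the original length but each `%s` substitution makes `$query` two bytes longer, so after the first `%s` the last 2*k bytes are never visited and any `%s` living there is left unquoted; a pattern like `"... WHERE a = %s AND b = %s"` comes back with the second `%s` bare, and since `escape_by_ref` only makes a value safe inside quotes, that is an injection point the old `str_replace('%s', "'%s'")` did not have. The same loop reads `$query[$i+1]` past the end when `%` is the final byte, and `$c = $query[++$i]` reads `$query[$m]` before the bound is checked. Separately, the double-quote un-quoting on the `str_replace` line has a typo, `"\"'%'\""` is missing the `s` and so never matches, it should be `str_replace( array( "''%s''", "\"'%s'\"" ), "'%s'", $query )`. Suggested replacement for the loop body, with the `%s` case advancing past the inserted quotes instead of falling through:
```php
	function _prepare_quote_lits( $query, $strict = false ) {
		$query = (string) $query;
		// re-evaluate the length each iteration: inserting quotes grows the string
		for ( $i = 0; $i < strlen( $query ); $i++ ) {
			if ( '%' != $query[$i] )
				continue;
			$next = ( $i + 1 < strlen( $query ) ) ? $query[$i + 1] : '';
			switch ( $next ) {
				case 's':
					$query = substr( $query, 0, $i ) . "'%s'" . substr( $query, $i + 2 );
					$i += 3; // land on the closing quote; the loop increment moves past it
					break;
				case '%':
				case 'd':
					$i++;
					break;
				default: # illegal pattern (includes a trailing lone '%')
					if ( $strict ) return false;
			}
		}
		return $query;
	}
```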
