### Eclipse Workspace Patch 1.0
#P wordpress-trunk
Index: wp-includes/wp-db.php
===================================================================
--- wp-includes/wp-db.php	(revision 12559)
+++ wp-includes/wp-db.php	(working copy)
@@ -530,26 +530,38 @@
 	}
 
 	/**
-	 * Prepares a SQL query for safe execution.  Uses sprintf()-like syntax.
+	 * Mimicks a prepare of a SQL query for execution.  
+	 * 
+	 * The following placeholders can be used for values:
+	 * 
+	 *   %d (decimal number)
+	 *   %s (string)
+	 *   %% (%)
+	 *   
+	 * Both %d and %s should be left unquoted in the query string.
 	 *
+	 * <code>
+	 * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 )
+	 * </code>
+	 * 
+	 * NOTE: This has nothing to do with prepared statements your database might support.
+	 *  
+	 * More technical information:
+	 * 
+	 * Uses sprintf()-like syntax.
+	 *
 	 * This function only supports a small subset of the sprintf syntax; it only supports %d (decimal number), %s (string).
 	 * Does not support sign, padding, alignment, width or precision specifiers.
 	 * Does not support argument numbering/swapping.
 	 *
 	 * May be called like {@link http://php.net/sprintf sprintf()} or like {@link http://php.net/vsprintf vsprintf()}.
 	 *
-	 * Both %d and %s should be left unquoted in the query string.
-	 *
-	 * <code>
-	 * wpdb::prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", "foo", 1337 )
-	 * </code>
-	 *
 	 * @link http://php.net/sprintf Description of syntax.
 	 * @since 2.3.0
 	 *
-	 * @param string $query Query statement with sprintf()-like placeholders
-	 * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called like {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
-	 * @param mixed $args,... further variables to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
+	 * @param string $query Query statement with wpdb->prepare placeholders (%%, %d, $s)
+	 * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called compareable to {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}.
+	 * @param mixed $args,... further variables to substitute.
 	 * @return null|string Sanitized query string
 	 */
 	function prepare($query = null) { // ( $query, *$args )
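Review bot: The placeholder list in the new `@param string $query` line reads `(%%, %d, $s)`; `$s` is not a token the function recognises and should be `%s`, i.e. `@param string $query Query statement with wpdb->prepare placeholders (%%, %d, %s)`. The same docblock spells "Mimicks" and "compareable", which should be "Mimics" and "comparable". The body of prepare() begins at the hunk's last line and continues outside it.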
@@ -560,14 +572,57 @@
 		// If args were passed as an array (as in vsprintf), move them up
 		if ( isset($args[0]) && is_array($args[0]) )
 			$args = $args[0];
-		$query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already singlequoted it
-		$query = str_replace('"%s"', '%s', $query); // doublequote unquoting
-		$query = str_replace('%s', "'%s'", $query); // quote the strings
+
+		$check = $this->_prepare_quote_lits($query, true); //quote %s in query-pattern syntax check
+		if ( false === $check ) {
+			$this->last_query = null;			
+			$this->print_error( sprintf( /*WP_I18N_DB_PREPARE_ERROR*/" \$db->prepare(string query, *args) -- Prepare '%s' is not syntactically correct."/*/WP_I18N_DB_PREPARE_ERROR*/, $query ) );			
+		}
+
+		$query = $this->_prepare_quote_lits($query); //quote %s in query-pattern				
+		$query = str_replace( array( "''%s''", "\"'%'\"" ), "'%s'", $query ); // in case someone mistakenly already single/double quoted it
+
 		array_walk($args, array(&$this, 'escape_by_ref'));
 		return @vsprintf($query, $args);
 	}
 
 	/**
+	 * helper function for prepare()
+	 * 
+	 * will quote %s tokens with single quotes
+	 * allowed tokens are: %%, %d and %s
+	 * 
+	 * can do strict parsing and return false if the query is  
+	 * not valid.
+	 * 
+	 * @access private
+	 * @param  string $query  wpdb prepare-pattern that needs to be single-quoted to %s
+	 * @param  bool   $strict (optional) wether or not do strict parsing of the query 
+	 * @return string pattern with single quotes added around %s literals
+	 * @return bool   false on syntax error if $strict param is true
+	 */
+	function _prepare_quote_lits( $query, $strict = false ) {
+		$query = (string) $query;				
+		$m     = strlen( $query );		
+		for ( $i = 0; $i < $m; $i++) {			
+			if ( '%' == $query[$i] ) {
+				$c = ( ++$i < $m ) ? $query[$i] : '' ;			
+				switch ( $c ) {
+					case 's':												
+						$query = substr( $query, 0, $i-1) . "'%s'" . substr( $query, ++$i );
+						$i++;
+					case '%':
+					case 'd':						
+						break;
+					default: # illegal pattern
+						if ( $strict ) return false;
+				}
+			}
+		}
+		return $query;
+	}
+
+	/**
 	 * Print SQL/DB error.
 	 *
 	 * @since 0.71
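Review bot: In `_prepare_quote_lits`, `$m` is computed once from `strlen( $query )` but every `case 's'` substitution lengthens the string by two characters, so the loop stops short and any `%s` that now sits in the last 2×k characters (a trailing `... AND b = %s` after an earlier `%s`) is never quoted; the escaped value is then spliced into the SQL bare, which is exactly what the quoting exists to prevent. Add `$m += 2;` beside the `$i++;` in the `case 's'` branch (or recompute `$m = strlen( $query );` after the substitution). Separately, the second needle in the `str_replace` on the `// in case someone mistakenly already single/double quoted it` line is `"'%'"` with no `s`, so a query that already had `"%s"` (now `"'%s'"`) never matches; it should be `"\"'%s'\""`. The strict pass and the quoting pass also walk the same string twice; one call whose result is checked against `false` would do.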
@@ -605,14 +660,11 @@
 		if ( !$this->show_errors )
 			return false;
 
-		$str = htmlspecialchars($str, ENT_QUOTES);
-		$query = htmlspecialchars($this->last_query, ENT_QUOTES);
+		$str   = htmlspecialchars( $str,              ENT_QUOTES );
+		$query = htmlspecialchars( $this->last_query, ENT_QUOTES );
+		$query = $query ? sprintf( '<code>%s</code>', $query ) : '' ;			
 
-		// If there is an error then take note of it
-		print "<div id='error'>
-		<p class='wpdberror'><strong>WordPress database error:</strong> [$str]<br />
-		<code>$query</code></p>
-		</div>";
+		printf('<div id="error"><p class="wpdberror"><strong>WordPress database error:</strong> [%s]<br />%s</p>', $str, $query);
 	}
 
 	/**
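Review bot: The new `printf` on the last changed line drops the closing `</div>` that the removed `print` emitted, so the error block is left unclosed and everything rendered afterwards nests inside `#error`; append it to the format string: `printf('<div id="error"><p class="wpdberror"><strong>WordPress database error:</strong> [%s]<br />%s</p></div>', $str, $query);`. The `htmlspecialchars` escaping of both values before output is kept, which is the part that must not regress. The enclosing print_error() starts outside the hunk.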
