#25604 closed enhancement (fixed)
first argument of wpdb::prepare should have a placeholder
Reported by: | ounziw | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.9 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Database | Keywords: | has-patch commit |
Focuses: | Cc: |
Description
wpdb::prepare is a function which escapes for SQL.
Some plugins/themes use wpdb::prepare in a wrong way, and they may have a vulerability.
Bad Example
$wpdb->prepare( "SELECT * FROM table WHERE id = $id", null);
I propose to add
if ( strpos($query,'%') === false || strpos($query,'$') !== false ) _doing_it_wrong( 'wpdb::prepare', 'first argument of wpdb::prepare() should have a preceholder.', '3.7' );
to check the first argument of wpdb::prepare
Attachments (4)
Change History (15)
#1
in reply to:
↑ description
@
11 years ago
#2
@
11 years ago
I like the idea of checking for the complete absence of a placeholder. The check for $ won't work (the variable will already be parsed by then).
#3
@
11 years ago
Thanks, Nacin.
I removed the $ check.
if ( strpos($query,'%') === false ) _doing_it_wrong( 'wpdb::prepare', 'first argument of wpdb::prepare() should have a preceholder.', '3.7' );
#5
@
11 years ago
Thanks, rmccue,
I update the patch.
http://core.trac.wordpress.org/attachment/ticket/25604/check_first_argument_of_wpdb__prepare_has_a_placeholder3.patch
#7
@
11 years ago
- Component changed from Warnings/Notices to Database
- Keywords has-patch needs-refresh added
- Milestone changed from Awaiting Review to 3.9
Looking good. This patch needs to be updated a bit. Namely:
- Whitespace inside strpos() parentheses and after the comma to match our coding standards.
- The string should probably be translated by being wrapped in the
__()
function. - Braces should be used for this if conditional (recent coding standards change).
- Version number will need to be updated to 3.9.
__METHOD__
can be used in lieu of 'wpdb::prepare'.
#9
@
11 years ago
- Keywords commit added; needs-refresh removed
I'd like to review the text of the warning itself but this is otherwise good. Thanks!
it should be
(If no %, it means no placeholder, and if there is $, it must be a variable which should be escaped)