Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#29801 closed defect (bug) (fixed)

Improper value sanitization in WP_Date_Query::build_value() can lead to incorrect results

Reported by: boonebgorges
Owned by:
Milestone: 4.1
Priority: normal
Severity: minor
Version:
Component: Date/Time
Keywords:
Focuses:
Cc:

Description

WP_Date_Query::build_value() sanitizes the $value param for two purposes: (1) for safe use in SQL queries, and (2) to make sure that the values provided make sense with the $compare operator. However, the reliance on intval() means that the following cases arise:

  • With compare IN and NOT IN, values like 'foo' turn into (0) while 'foo1' turns into (1)
  • With compare BETWEEN and NOT BETWEEN, a singleton array as the $value will be sanitized down to 1, leading to clauses like BETWEEN 1 AND 1

In each of these cases, the query might end up returning unexpected results. I suggest returning false out of build_query() when an invalid value is passed. The attached patch does this using is_numeric().

A related issue that I've also addressed in the patch: for BETWEEN and NOT BETWEEN, passing a two-membered array like array( 2 => 5, 3 => 6 ) would result in the query failing, because the parser is expecting array keys 0 and 1. I suggest that in cases where two numeric values are passed, we use them, regardless of the keys.

Attachments (2)

29801.patch (5.6 KB) - added by boonebgorges 10 years ago.
29801.02.patch (6.3 KB) - added by boonebgorges 10 years ago.
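
The coercion cases from the description, as an added example that is neither the attached patch nor WordPress code. build_value_intval() is a simplified, assumed model of intval()-based sanitization, build_value_strict() is one hypothetical way to reject invalid values with is_numeric(), and the inputs are constructed.

```php
<?php
// Simplified model of intval()-based sanitization (assumption, not WordPress source).
function build_value_intval( $compare, $value ) {
    if ( in_array( $compare, array( 'IN', 'NOT IN' ), true ) ) {
        // intval() keeps only a leading numeric prefix; everything else becomes 0.
        return '(' . implode( ',', array_map( 'intval', (array) $value ) ) . ')';
    }
    // BETWEEN / NOT BETWEEN: anything that is not a 0/1-keyed pair is duplicated.
    if ( ! is_array( $value ) || ! isset( $value[0], $value[1] ) ) {
        $value = array( $value, $value );
    }
    // intval() of a non-empty array is 1, so nested arrays collapse to 1.
    $value = array_map( 'intval', $value );
    return $value[0] . ' AND ' . $value[1];
}

// Hypothetical strict variant: any non-numeric member rejects the whole clause.
function build_value_strict( $compare, $value ) {
    $value = array_values( (array) $value ); // original array keys are ignored
    foreach ( $value as $v ) {
        if ( ! is_numeric( $v ) ) {
            return false;
        }
    }
    if ( in_array( $compare, array( 'IN', 'NOT IN' ), true ) ) {
        return $value ? '(' . implode( ',', array_map( 'intval', $value ) ) . ')' : false;
    }
    // BETWEEN / NOT BETWEEN need exactly two numeric bounds.
    return 2 === count( $value ) ? (int) $value[0] . ' AND ' . (int) $value[1] : false;
}

// Constructed sample inputs: junk strings, a singleton array, a pair with keys 2 and 3.
$cases = array(
    array( 'IN', array( 'foo', '1foo', 7 ) ),
    array( 'BETWEEN', array( 5 ) ),
    array( 'BETWEEN', array( 2 => 5, 3 => 6 ) ),
    array( 'NOT IN', array( '3', 4 ) ),
);
foreach ( $cases as list( $compare, $value ) ) {
    printf(
        "%-8s %-18s intval: %-10s strict: %s\n",
        $compare,
        json_encode( $value ),
        build_value_intval( $compare, $value ),
        var_export( build_value_strict( $compare, $value ), true )
    );
}
```

A caller of the strict variant has to treat a false return as "skip this clause" rather than interpolating it into the SQL string.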


Change History (3)

#1 @boonebgorges
10 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Commit message seems to have missed this. Fixed in r29797.
