
From the time spent writing the patch I understood that the original vulnerability with %1$s was that it was not quoted and would result in a SQL injection, nothing more, nothing less.

So $wpdb->prepare( 'SELECT * FROM wp_posts WHERE post_ID = %1$s', '1 OR 1 = 1' ); would yield

SELECT * FROM wp_posts WHERE post_ID = 1 OR 1 = 1; a classic injection.

Yes, it's bad. Anyone who used it without quoting it like '%1$s' is vulnerable. A false sense of security was attained by those who did. Let's make things right again. For everyone: for those who wanted numbered placeholders but read that WordPress doesn't support them, for those who found out that it worked and used it in a vulnerable way, and for those who used it in a safe way but can now no longer use it.

Let's make wpdb::prepare great again.
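The injection described above, reproduced as an added example. This is not WordPress core code and not the comment author's patch: legacy_prepare() is a stripped-down model of the placeholder handling in the pre-4.8.3 wpdb::prepare() (quote every bare %s, escape each argument, hand the result to vsprintf()), written here so it runs without a database. The real function escaped arguments with esc_sql(), which wraps mysqli_real_escape_string(); addslashes() stands in for it, and the table, column and payloads are the ones from the comment.

```php
<?php
// Added illustration, not wpdb::prepare() itself: a minimal model of how the
// old implementation treated placeholders. addslashes() is a stand-in for the
// esc_sql() escaping core applied to every argument.
function legacy_prepare( string $query, ...$args ): string {
    // Core quoted every plain %s on the caller's behalf, first removing any
    // quotes a caller had already put around it.
    $query = str_replace( "'%s'", '%s', $query );
    $query = str_replace( '"%s"', '%s', $query );
    $query = preg_replace( '|(?<!%)%s|', "'%s'", $query );
    // A numbered placeholder such as %1$s contains no "%s" substring, so the
    // regex above never quotes it; vsprintf() substitutes the value verbatim.
    $args = array_map( 'addslashes', $args );
    return vsprintf( $query, $args );
}

// Case 1: the bare numbered placeholder from the comment. Escaping cannot
// help because the payload contains no quote character, so it lands unquoted
// and rewrites the WHERE clause.
function unquoted_numbered( string $payload ): string {
    return legacy_prepare( 'SELECT * FROM wp_posts WHERE post_ID = %1$s', $payload );
}

// Case 2: the same placeholder quoted by the caller. The payload becomes a
// string literal; a quote-breaking attempt is defused by the escaping step.
function quoted_numbered( string $payload ): string {
    return legacy_prepare( "SELECT * FROM wp_posts WHERE post_ID = '%1\$s'", $payload );
}

// Case 3: a plain %s, which core quoted for the caller. This is the behaviour
// people expected numbered placeholders to share.
function plain_placeholder( string $payload ): string {
    return legacy_prepare( 'SELECT * FROM wp_posts WHERE post_ID = %s', $payload );
}

if ( PHP_SAPI === 'cli' && realpath( $argv[0] ) === __FILE__ ) {
    $payload = '1 OR 1 = 1';
    echo unquoted_numbered( $payload ), "\n";
    echo quoted_numbered( $payload ), "\n";
    echo quoted_numbered( "1' OR '1'='1" ), "\n";
    echo plain_placeholder( $payload ), "\n";
}
```

Run from the command line, the first query comes out exactly as the comment shows, with `1 OR 1 = 1` spliced into the WHERE clause; the second and fourth wrap the payload in single quotes, and the third shows the single quote inside the payload escaped rather than closing the literal. For an integer column, `%d` remains the right placeholder regardless of quoting, since it never accepts a string at all.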