#41983 closed task (blessed) (fixed)
Lead by example: pass unquoted placeholders to $wpdb->prepare()
Reported by: | jrf | Owned by: | pento |
---|---|---|---|
Milestone: | 4.9 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Database | Keywords: | |
Focuses: | docs | Cc: |
Description
In the aftermath of last weeks security release which broke a lot of SQL queries in plugins, a new sniff has been added to WPCS to check for incorrect placeholders.
The sniff also verifies that placeholders - as per the documentation - are left unquoted.
Having run this sniff over Core, it turns out that there are some fixes to be made.
See the below report.
I suggest tagging this as an easy-pick for new contributors.
FILE: \src\wp-admin\includes\class-wp-importer.php ---------------------------------------------------------------------------------------- FOUND 2 ERRORS AFFECTING 2 LINES ---------------------------------------------------------------------------------------- 32 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). Found: | | '%s'. 68 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). Found: | | '%s'. ---------------------------------------------------------------------------------------- FILE: \src\wp-admin\includes\nav-menu.php ---------------------------------------------------------------------------------------- FOUND 1 ERROR AFFECTING 1 LINE ---------------------------------------------------------------------------------------- 999 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). | | Found: '%d'. ---------------------------------------------------------------------------------------- FILE: \src\wp-includes\functions.php ---------------------------------------------------------------------------------------- FOUND 2 ERRORS AFFECTING 2 LINES ---------------------------------------------------------------------------------------- 4807 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). | | Found: '%d'. 4824 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). | | Found: '%d'. ---------------------------------------------------------------------------------------- FILE: \src\wp-includes\taxonomy.php ---------------------------------------------------------------------------------------- FOUND 2 ERRORS AFFECTING 2 LINES ---------------------------------------------------------------------------------------- 3788 | ERROR | Placeholders should be unquoted in the query string in $wpdb->prepare(). | | Found: '%s'. ----------------------------------------------------------------------------------------
Refs:
Attachments (1)
Change History (17)
#3
@
7 years ago
@johnjamesjacoby Thanks for adding the patch and good call on the doc fix. I think the descriptive documentation could be improved a little as well to state that %
wildcards to be used with LIKE
should not be passed to the function as that is unclear unless you study the code sample.
The wpdb->prepare()
documentation should probably also be more explicit about how %
wildcards in LIKE
statements should be passed. /cc @DrewAPicture
Also: did you mean to commit this extra file to the patch: wp-content/db-plugins/ludicrousdb
?
#4
@
7 years ago
- Focuses docs added
- Milestone changed from Awaiting Review to 4.9
- Type changed from defect (bug) to task (blessed)
- Version trunk deleted
#5
@
7 years ago
did you mean to commit this extra file to the patch
No; sorry. I'll update the original patch to remove that bit.
I agree it's a good idea to be more explicit and obvious about how prepare()
expects to be used. Good call!
#6
follow-up:
↓ 7
@
7 years ago
@johnjamesjacoby Thanks, but am I correct in that your updated patch no longer contains the doc fix to the esc_like()
example code ?
#8
@
7 years ago
am I correct in that your updated patch no longer contains the doc fix
It looks like it's there for me. Maybe caching related, because I just replaced the existing patch vs. adding a new one.
#11
@
7 years ago
@pento Thanks for the commit.
Should I open a new ticket for the still open question regarding documentation related improvements ? Or should this ticket stay open for that ?
I think the descriptive documentation could be improved a little as well to state that % wildcards to be used with LIKE should not be passed to the function as that is unclear unless you study the code sample.
The wpdb->prepare() documentation should probably also be more explicit about how % wildcards in LIKE statements should be passed.
#12
@
7 years ago
- Keywords has-patch removed
- Resolution fixed deleted
- Status changed from closed to reopened
@jrf: Ah, good point. I'll improve the docs there.
#14
@
7 years ago
@pento Thanks, that does make it clearer.
One further improvement suggestion regarding the wording:
-/- Percentage wildcards (for example, to use in LIKE syntax) must be passed in the string argument, it cannot be inserted in the query string.
+/+ Percentage wildcards (for example, to use in LIKE syntax) must be passed via a substitution argument containing the complete LIKE string, these cannot be inserted directly in the query string. Also see {@see esc_like()}.
/cc @GaryJ Is that phrasing clear enough or have you got a better suggestion ?
I love this suggestion, but think the recent scrutiny around this API means any patch is better than waiting.
Attached patch also includes a PHPDoc fix to the
wpdb::esc_like()
method.