Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#42494 closed defect (bug) (wontfix)

$wpdb->prepare placeholder count check is invalid for numbered placeholders

Reported by: dominicp
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.8.3
Component: Database
Keywords:
Focuses:
Cc:


This is a follow-up to #41925. Apologies if this has already been brought up or if I missed something obvious.

There seems to be a bug in the logic for the extra checks to make sure the correct number of arguments are passed to $wpdb->prepare when using numbered placeholders.

One of the reasons to use them is to reference the same parameter multiple times. So your code can look like this:

$wpdb->prepare( 'SELECT * FROM wpdb_posts WHERE post_title LIKE "%1$s" OR post_content LIKE "%1$s"', array( 'fluffy' ) );

This perfectly valid construction will throw a deprecation error in 4.8.3 due to this code added in [42068].

Change History (2)

#1 @pento
7 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

This is correct. While this usage technically works, it should be considered invalid going forward. Particularly as we explore moving to proper prepared queries (#42352), placeholders will need to be bound to individual values, rather than repeated values. (Naturally, the existing system will continue to work, but will eventually be deprecated.)

#2 @dominicp
7 years ago

Thanks for the explanation. I gathered from #41925 that numbered placeholders were now officially supported, but it looks like I misunderstood.
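An added example, not part of the ticket and not WordPress core code: it shows why a check that counts placeholder occurrences flags the query from the description, and how the same query can be rewritten so each placeholder is bound to one value, as comment #1 asks. Both function names are hypothetical, and the sketch assumes the query uses only numbered placeholders and that the check compares occurrences with the argument count.

```php
<?php
// Added illustration, not WordPress core code; both function names are hypothetical.

// Count every placeholder occurrence (%s, %d, %F, %1$s ...), skipping escaped %%.
function count_placeholder_occurrences( string $query ): int {
    return (int) preg_match_all( '/(?<!%)(?:%%)*%(?:\d+\$)?[sdF]/', $query );
}

// Turn numbered placeholders into plain sequential ones and repeat the
// arguments to match, so each placeholder is bound to exactly one value.
// Assumes the query contains only numbered placeholders.
function expand_numbered_placeholders( string $query, array $args ): array {
    $bound = array();
    $flat  = preg_replace_callback(
        '/(?<!%)((?:%%)*)%(\d+)\$([sdF])/',
        function ( array $m ) use ( $args, &$bound ) {
            $index = (int) $m[2] - 1; // %1$s refers to $args[0]
            if ( ! array_key_exists( $index, $args ) ) {
                throw new InvalidArgumentException( 'No argument for %' . $m[2] . '$' . $m[3] );
            }
            $bound[] = $args[ $index ];
            return $m[1] . '%' . $m[3];
        },
        $query
    );
    return array( $flat, $bound );
}

// The query and argument list from the ticket description.
$query = 'SELECT * FROM wpdb_posts WHERE post_title LIKE "%1$s" OR post_content LIKE "%1$s"';
$args  = array( 'fluffy' );

// Original form: occurrences and arguments disagree.
printf( "occurrences=%d arguments=%d\n", count_placeholder_occurrences( $query ), count( $args ) );

// Expanded form: one argument per placeholder, so the counts agree.
list( $flat_query, $flat_args ) = expand_numbered_placeholders( $query, $args );
printf( "occurrences=%d arguments=%d\n", count_placeholder_occurrences( $flat_query ), count( $flat_args ) );
echo $flat_query, "\n";

// With WordPress loaded, the one-value-per-placeholder form would be passed as
// $wpdb->prepare( $flat_query, $flat_args );
```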
