Sanitizing input for parameterized queries + update_meta_cache

[classicalrehan]

So, should we just pass anything we get straight to the database?

There are definitely things you can check about user input, but this is highly context-dependent. Because sanitization is ill-defined and mis-used, I prefer to call this validation.

I checked the WordPress core function which is not sanitized even this is one of the most used function in across the WordPress.

In below code get_result with no prepare statement. I don;t know the reason why?

$meta_list = $wpdb->get_results( "SELECT $column, meta_key, meta_value FROM $table WHERE $column IN ($id_list) ORDER BY $id_column ASC", ARRAY_A );

This function should be something like this:

$id_list_sanity = implode( ', ', array_fill( 0, count( $id_list ), '%d' ) );
                $meta_list = $wpdb->get_results( $wpdb->prepare( "
                   SELECT $column, meta_key, meta_value FROM $table WHERE $column IN ($id_list_sanity) ORDER BY $id_column DESC"
                ,$id_list),ARRAY_A );

Function Name: update_meta_cache
File: wp-includes/meta.php
Line: #825

[SergeyBiryukov]

Hi there, welcome to WordPress Trac! Thanks for the report.

Just noting that $id_list is constructed from the function's $object_ids parameter, which is sanitized using intval() earler​.

[classicalrehan]

Hi @SergeyBiryukov thanks for the reply, I just wanted to know why get_results query not used here wit prepare statement?

[dd32]

Replying to classicalrehan:

I just wanted to know why get_results query not used here wit prepare statement?

To follow up on this old comment - Because prepare isn't necessarily useful here, as intval() is going to be just as secure as sprintf( '%d' ) which is what prepare is and is simpler to read than an array_fill() call.

If WordPress was using proper native prepared queries, then it would make more sense to use it.