Opened 11 months ago
Last modified 11 months ago
#49705 new defect (bug)
Sanitizing input for parameterized queries + update_meta_cache
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | critical | Version: | 5.3.2 |
| Component: | Options, Meta APIs | Keywords: | |
| Focuses: | coding-standards | Cc: | |
Description
So, should we just pass anything we get straight to the database?
There are definitely things you can check about user input, but this is highly context-dependent. Because sanitization is ill-defined and mis-used, I prefer to call this validation.
I checked this WordPress core function, which is not sanitized even though it is one of the most used functions across WordPress.
In the code below, get_results is called with no prepared statement. I don't know the reason why.
$meta_list = $wpdb->get_results( "SELECT $column, meta_key, meta_value FROM $table WHERE $column IN ($id_list) ORDER BY $id_column ASC", ARRAY_A );
This function should be something like this:
    // One %d placeholder per ID; $id_list here must be the array of object IDs
    // (not the comma-joined string), so that prepare() binds one value per placeholder.
    $id_list_sanity = implode( ', ', array_fill( 0, count( $id_list ), '%d' ) );
    $meta_list      = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT $column, meta_key, meta_value FROM $table WHERE $column IN ($id_list_sanity) ORDER BY $id_column ASC",
            $id_list
        ),
        ARRAY_A
    );
Function Name: update_meta_cache
File: wp-includes/meta.php
Line: #825
Change History (2)
Hi there, welcome to WordPress Trac! Thanks for the report.
Just noting that $id_list is constructed from the function's $object_ids parameter, which is sanitized using intval() earlier.
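The description proposes a placeholder-per-ID prepare() call, and the reply points out that the existing query is safe because every ID goes through intval() before it is joined into the IN list. Both patterns, next to the raw interpolation they guard against, are shown below as an added example; it is not code from this ticket or from WordPress core. It is written in Python against an in-memory sqlite3 table standing in for $wpdb and MySQL, so sqlite's ? placeholder plays the role of $wpdb->prepare()'s %d. The META_TABLES allowlist, the intval() approximation, the sample rows and the hostile ID string are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed allowlist of meta types -> (table, id column), standing in for
# core's table lookup. SQL identifiers cannot be bound as parameters, so they
# must come from a closed set like this rather than from the caller.
META_TABLES = {
    "post": ("wp_postmeta", "post_id"),
    "user": ("wp_usermeta", "user_id"),
}


def meta_table(meta_type):
    """Resolve a meta type to (table, id column); reject anything not allowlisted."""
    try:
        return META_TABLES[meta_type]
    except KeyError:
        raise ValueError(f"unknown meta type: {meta_type!r}") from None


def intval(value):
    """Approximation of PHP intval(): leading integer digits, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def make_db():
    """In-memory wp_postmeta with a few constructed rows (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, "
        "post_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_postmeta (post_id, meta_key, meta_value) VALUES (?, ?, ?)",
        [
            (1, "_thumbnail_id", "10"),
            (2, "_thumbnail_id", "11"),
            (3, "secret_token", "hunter2"),
            (4, "secret_token", "letmein"),
        ],
    )
    return conn


def fetch_meta_interpolated(conn, meta_type, object_ids):
    """Raw interpolation of caller-supplied ids: injectable. For contrast only."""
    table, column = meta_table(meta_type)
    id_list = ", ".join(str(i) for i in object_ids)
    sql = (f"SELECT {column}, meta_key, meta_value FROM {table} "
           f"WHERE {column} IN ({id_list}) ORDER BY {column} ASC")
    return conn.execute(sql).fetchall()


def fetch_meta_intval(conn, meta_type, object_ids):
    """The pattern the ticket reply describes: coerce every id to an integer
    before interpolating. An integer literal cannot carry SQL syntax."""
    table, column = meta_table(meta_type)
    ids = [intval(i) for i in object_ids]
    if not ids:
        return []
    id_list = ", ".join(str(i) for i in ids)
    sql = (f"SELECT {column}, meta_key, meta_value FROM {table} "
           f"WHERE {column} IN ({id_list}) ORDER BY {column} ASC")
    return conn.execute(sql).fetchall()


def fetch_meta_prepared(conn, meta_type, object_ids):
    """The reporter's proposal, generalized: one placeholder per id and the
    values bound by the driver. sqlite3 uses ?, $wpdb->prepare() would use %d."""
    table, column = meta_table(meta_type)
    if not object_ids:
        return []  # IN () is a syntax error in MySQL; never build that query
    placeholders = ", ".join("?" for _ in object_ids)
    sql = (f"SELECT {column}, meta_key, meta_value FROM {table} "
           f"WHERE {column} IN ({placeholders}) ORDER BY {column} ASC")
    return conn.execute(sql, tuple(object_ids)).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "1) OR 1=1 --"  # constructed attacker-controlled "id"
    print(fetch_meta_interpolated(db, "post", [1, hostile]))  # every row leaks
    print(fetch_meta_intval(db, "post", [1, hostile]))        # only post 1
    print(fetch_meta_prepared(db, "post", [1, hostile]))      # only post 1
```

With the hostile string, the interpolated query degenerates into `WHERE post_id IN (1, 1) OR 1=1 --) ...` and returns every row, while the intval() path collapses the string to the integer 1 and the bound-parameter path compares it as an opaque text value that matches nothing. The empty-list check matters for the prepared variant in particular: generating zero placeholders yields `IN ()`, which MySQL rejects, so the function returns early instead of issuing the query.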