Opened 17 months ago
Last modified 16 months ago
#57678 new defect (bug)
Missing use of placeholders and $wpdb->prepare()
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | major | Version: | |
| Component: | Query | Keywords: | has-patch dev-feedback |
| Focuses: | coding-standards | Cc: |
Description
Use placeholders and $wpdb->prepare(); found interpolated variable $prefix at "SELECT $prefix"
file path: wordpress/wp-admin/setup-config.php
Line Number: 325
Attachments (3)
Change History (7)
#2
follow-up:
↓ 3
@
17 months ago
- Keywords close reporter-feedback added
Thank you both for the ticket and the patch.
- Have you checked the code that surrounds this to find out what it's doing?
- Have you tested the patch?
I think you'll find this is an exceptional circumstance as this query is a syntax check for the database prefix entered by the user, and wrapping it in prepare() will prevent it from detecting a disallowed prefix.
#3
in reply to:
↑ 2
@
17 months ago
@johnbillion Thanks for the response.
Let's assume WP was already installed and by mistake config file was removed, and some created new config files, and the user added the wrong prefix in the config file then it will get this one screen when we use the "query" function ( https://prnt.sc/3mounErt7b0U )
But if we will use the "prepare" function then it will prevent users let them knowing that they are using incorrect prefix as shown in this screenshot( https://prnt.sc/CY0_e51YsVI5 )
this is the line 325 from version(6.2 beta) which has not used $wpdb->prepare()