Make WordPress Core

Opened 16 months ago

Last modified 15 months ago

#57678 new defect (bug)

Missing use of placeholders and $wpdb->prepare()

Reported by: mahekkalola's profile mahekkalola Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version:
Component: Query Keywords: has-patch dev-feedback
Focuses: coding-standards Cc:

Description

Use placeholders and $wpdb->prepare(); found interpolated variable $prefix at "SELECT $prefix"

file path: wordpress/wp-admin/setup-config.php
Line Number: 325

Attachments (3)

Screenshot from 2023-02-09 15-43-52.png (15.7 KB) - added by mahekkalola 16 months ago.
this is the line 325 from version(6.2 beta) which has not used $wpdb->prepare()
2595-fixed-the-bug.patch (712 bytes) - added by chiragrathod103 16 months ago.
57678.diff (860 bytes) - added by chiragrathod103 16 months ago.
Created a diff file

Download all attachments as: .zip

Change History (7)

@mahekkalola
16 months ago

this is the line 325 from version(6.2 beta) which has not used $wpdb->prepare()

#1 @chiragrathod103
16 months ago

  • Keywords has-patch added; needs-patch removed

@chiragrathod103
16 months ago

Created a diff file

#2 follow-up: @johnbillion
16 months ago

  • Keywords close reporter-feedback added

Thank you both for the ticket and the patch.

  • Have you checked the code that surrounds this to find out what it's doing?
  • Have you tested the patch?

I think you'll find this is an exceptional circumstance as this query is a syntax check for the database prefix entered by the user, and wrapping it in prepare() will prevent it from detecting a disallowed prefix.

#3 in reply to: ↑ 2 @chiragrathod103
16 months ago

@johnbillion Thanks for the response.

Let's assume WP was already installed and by mistake config file was removed, and some created new config files, and the user added the wrong prefix in the config file then it will get this one screen when we use the "query" function ( https://prnt.sc/3mounErt7b0U )

But if we will use the "prepare" function then it will prevent users let them knowing that they are using incorrect prefix as shown in this screenshot( https://prnt.sc/CY0_e51YsVI5 )

#4 @chiragrathod103
15 months ago

  • Keywords dev-feedback added; close reporter-feedback removed
Note: See TracTickets for help on using tickets.