[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping

WordPress Trac wp-trac at lists.automattic.com
Thu Jul 5 17:40:51 GMT 2007


#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
---------------------------------------------------------------+------------
 Reporter:  markjaquith                                        |        Owner:  markjaquith
     Type:  task                                               |       Status:  assigned   
 Priority:  normal                                             |    Milestone:  2.3 (trunk)
Component:  Security                                           |      Version:  2.3        
 Severity:  normal                                             |   Resolution:             
 Keywords:  sql prepared statement sprintf injection security  |  
---------------------------------------------------------------+------------
Comment (by markjaquith):

 Okay, now {{{%s}}} gets quoted automatically, after first being unquoted,
 just to be sure.

 New:

 {{{
 $wpdb->query($wpdb->prepare("UPDATE $wpdb->tablename SET foo = %s WHERE blah = %s LIMIT %d", $var, $var2, $limit));
 }}}

 Do we have a function that can be used to sanitize column names?
 {{{A-Za-z0-9_\.}}} should be fine.  It's more restrictive than MySQL is,
 but it'd just be used internally.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:11>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software


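The following is an added illustration, not code from the ticket or from WordPress's wpdb class. It shows the two mechanisms the comment describes in a minimal stand-alone form: a sprintf()-style prepare() in which %s is unquoted and then quoted exactly once and escaped while %d is coerced to an integer, and the column-name whitelist ({{{A-Za-z0-9_\.}}}) asked about at the end of the comment. All function names (demo_prepare, demo_escape, demo_sanitize_column) and the sample values are invented for this example, and addslashes() stands in for the driver's escaping so the snippet runs without a database connection.

```php
<?php
// Added example, not WordPress's own wpdb code. Demonstrates last-second
// sprintf()-style escaping plus a whitelist for identifiers.

// Stand-in for driver-level escaping (assumption for this example). Real code
// must use the connection's charset-aware escape function; addslashes() is
// used here only so the example runs without a database.
function demo_escape(string $value): string
{
    return addslashes($value);
}

// %s becomes a quoted, escaped string and %d becomes an integer, no matter
// what the caller passes. Any literal '%' in the query must be written '%%'.
function demo_prepare(string $query, ...$args): string
{
    // Unquote any %s the caller already wrapped ("'%s'" or '"%s"'), then
    // quote every %s exactly once, so double quoting cannot happen.
    $query = str_replace(["'%s'", '"%s"'], '%s', $query);
    $query = str_replace('%s', "'%s'", $query);

    // Escape every argument. vsprintf() then casts the %d arguments to int,
    // which silently discards anything after the leading digits.
    $args = array_map('demo_escape', $args);
    return vsprintf($query, $args);
}

// Column and table names cannot go through %s (identifiers must not be
// quoted), so they get a whitelist instead: A-Za-z0-9_ plus "." for
// table.column. This is stricter than MySQL allows, which is the point.
function demo_sanitize_column(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_.]+$/', $name)) {
        throw new InvalidArgumentException("Unsafe column name: $name");
    }
    return $name;
}

// Constructed inputs: a value with an embedded quote, a value that tries to
// break out of its quotes, and a LIMIT that tries to smuggle a second
// statement. The caller has (mistakenly) quoted the second %s by hand.
$var   = "O'Reilly";
$var2  = "x' OR '1'='1";
$limit = "10; DROP TABLE wp_posts";
$col   = demo_sanitize_column('wp_posts.post_status');

echo demo_prepare(
    "UPDATE wp_posts SET $col = %s WHERE post_title = '%s' LIMIT %d",
    $var, $var2, $limit
), "\n";

// An identifier outside the whitelist is rejected rather than escaped.
try {
    demo_sanitize_column('post_title = 1; --');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Running this shows both string arguments landing inside single quotes with their embedded quotes escaped (the hand-quoted '%s' is not double-quoted), the LIMIT collapsing to the integer 10, and the second identifier being refused outright. Two caveats a practitioner should keep in mind: escaping is only correct when it is done with the connection's charset-aware routine, and because the query is handed to vsprintf(), any literal percent sign (for example in a LIKE pattern) has to be written as %% or it will be read as a conversion specifier.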