[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken
WordPress Trac
wp-trac at lists.automattic.com
Thu Dec 24 23:06:45 UTC 2009
#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.9.1
Component: Security | Version: 2.9
Severity: critical | Keywords: needs-patch dev-feedback
--------------------------+-------------------------------------------------
The wpdb->prepare() statement plays an utterly important role in database
access. This function is not properly implemented. To name it correctly,
this function is more or less a wrapper for sprintf / vsprintf which adds
some fuzz in the proxy.
Tickets like #11318 pointed to structural problems. Even though tricky devs
like DD32 can make it work for them, it's a plain oversight that data gets
manipulated by that function, which might render safe queries unsafe and
therefore actually opens the gate for SQL injections instead of closing
them.
Example: {{{CONST = 'percentage stupid or %stupid is the question'}}}
even following the rules to act vsprintf / sprintf (like documented in
code) will run you into problems:
Example: {{{CONST = 'percentage stupid or %%stupid is the question'}}}
Please stop this madness and create a ->prepare function that works
solidly.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11608>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
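To make the reporter's point concrete, here is an added illustration (not WordPress core code, not the reporter's) of a minimal vsprintf-based prepare() stand-in. `quote_param` and `naive_prepare` are hypothetical names, and the quoting helper is a placeholder rather than a real SQL escaper.

```php
<?php
// Added example, not WordPress core code: a minimal vsprintf-based prepare()
// stand-in modelled on the ticket's description, showing how a literal '%'
// inside the query *format string* shifts the real parameters around.

// Hypothetical quoting helper standing in for the driver's escaper.
// Illustration only; it is not an adequate SQL escaper.
function quote_param($v)
{
    return is_int($v) ? (string) $v : "'" . addslashes((string) $v) . "'";
}

// A sprintf-style prepare: placeholders in $format are filled from $params.
function naive_prepare($format, array $params)
{
    return vsprintf($format, array_map('quote_param', $params));
}

// The constant from the ticket, containing a bare '%'.
$label = 'percentage stupid or %stupid is the question';

// Unsafe: the constant was concatenated into the format string. vsprintf reads
// the "%s" inside "%stupid" as a placeholder, so 'first' lands in the middle of
// the label (breaking its quoting) and every later placeholder is filled with
// the wrong parameter. A third parameter is supplied so vsprintf does not fail.
$unsafe = naive_prepare(
    "SELECT * FROM t WHERE label = '$label' AND a = %s AND b = %s",
    ['first', 'second', 'third']
);
echo "unsafe: ", $unsafe, "\n";

// Safe: the constant is passed as a parameter. Substituted arguments are never
// re-parsed by vsprintf, so the '%' inside $label is preserved literally and
// 'first' and 'second' reach the placeholders they were meant for.
$safe = naive_prepare(
    "SELECT * FROM t WHERE label = %s AND a = %s AND b = %s",
    [$label, 'first', 'second']
);
echo "safe:   ", $safe, "\n";
```

The practical rule this demonstrates: any value with a '%' in it must arrive via the parameter list, never by being built into the format string handed to prepare().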