[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken

WordPress Trac wp-trac at lists.automattic.com
Fri Dec 25 00:34:28 UTC 2009


#11608: wpdb->prepare() is broken
-----------------------------+----------------------------------------------
 Reporter:  hakre            |       Owner:  ryan            
     Type:  feature request  |      Status:  new             
 Priority:  normal           |   Milestone:  Future Release  
Component:  Database         |     Version:  2.9             
 Severity:  normal           |    Keywords:  has-patch tested
-----------------------------+----------------------------------------------

Comment(by hakre):

 Replying to [comment:1 dd32]:
 > Priority and Severity: It works securely at present if the basic printf
 rules are followed.
 False prediction.

 > Can you please supply some examples of what doesn't work? What problems
 are run into when using '%%' for example?
 Execute and read the code to see for yourself. There is nothing better
 than one's own reception. As you wrote in the other ticket, you are not
 properly getting the whole view, so a little playing around won't be wrong,
 I assume.

 > The data being passed into the function may contain whatever it wants.
 That doesn't affect the parser. The only location where you have to be
 careful is the query itself. If you require '%' in there, then it
 needs to be escaped properly. That is the only time it should cause an
 error.
 By definition, the query '''''is data''''' passed into the function.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:12>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
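The distinction argued over above (the query string is the printf format, the arguments are data substituted after parsing) is easiest to see by running it. The script below is an added example, not code from WordPress or from either commenter: it is a stand-alone emulation modelled on the documented contract of wpdb->prepare() (%s is quoted and escaped for you, %d is an integer, a literal % in the query must be written as %%). All function names, the addslashes() stand-in for real SQL escaping, and the sample queries are this example's own assumptions.

```php
<?php
// Added example, not WordPress code: a stand-alone emulation of the
// printf-style contract behind wpdb->prepare(), written to show where the
// format parser does and does not look. Function names are the example's
// own. Requires PHP 7.0 or later; no database connection is needed.

// Stand-in for the per-argument SQL escaping a real wpdb applies;
// addslashes() is used here only so the script runs offline.
function emulated_escape($value) {
    return addslashes((string) $value);
}

// Emulated prepare(): the query string is the printf FORMAT; the arguments
// are escaped and substituted afterwards. A '%' inside an argument is never
// parsed as a specifier; a bare '%' inside the query string always is.
function emulated_prepare($query, array $args) {
    // Quote %s exactly once, whether or not the caller already quoted it.
    $query = str_replace("'%s'", '%s', $query);
    $query = str_replace('"%s"', '%s', $query);
    $query = str_replace('%s', "'%s'", $query);
    $args = array_map('emulated_escape', $args);
    return vsprintf($query, $args);
}

// Normalise failure across PHP versions: PHP 7 returns false (with a
// warning) on a format/argument mismatch, PHP 8 throws an Error subclass.
function prepare_or_null($query, array $args) {
    try {
        $sql = @emulated_prepare($query, $args);
    } catch (Error $e) {
        return null;
    }
    return $sql === false ? null : $sql;
}

// Case 1: hostile-looking DATA (a quote, a comment marker and printf
// specifiers) is substituted after the format has been parsed, so it is
// escaped and embedded verbatim rather than interpreted.
$data = prepare_or_null(
    "SELECT ID FROM posts WHERE post_title = %s AND ID = %d",
    array("50% off'; DROP TABLE posts; -- %s %d", 7)
);

// Case 2: the same '%' placed in the QUERY STRING is parsed as a conversion
// specifier, the argument list no longer matches, and the call fails.
$broken = prepare_or_null(
    "UPDATE posts SET post_title = '50% off' WHERE ID = %d",
    array(7)
);

// Case 3: a literal '%' in the query string has to be written as '%%'.
$fixed = prepare_or_null(
    "UPDATE posts SET post_title = '50%% off' WHERE ID = %d",
    array(7)
);

foreach (array('data' => $data, 'broken' => $broken, 'fixed' => $fixed) as $label => $sql) {
    printf("%-6s %s\n", $label, var_export($sql, true));
}
```

Run it with `php` on the command line: the first and third calls produce SQL, the second yields null. The point for reviewers of prepare() calls is therefore not what the bound values contain, but whether the query string itself was built with any unescaped % (including by concatenating user input into the query rather than passing it as an argument).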