[wp-trac] [WordPress Trac] #11608: wpdb->prepare() is broken

WordPress Trac wp-trac at lists.automattic.com
Tue Dec 29 13:45:10 UTC 2009


#11608: wpdb->prepare() is broken
--------------------------+-------------------------------------------------
 Reporter:  hakre         |       Owner:  ryan     
     Type:  defect (bug)  |      Status:  new      
 Priority:  normal        |   Milestone:  3.0      
Component:  Database      |     Version:  2.9      
 Severity:  normal        |    Keywords:  has-patch
--------------------------+-------------------------------------------------
Changes (by hakre):

  * keywords:  reporter-feedback => has-patch


Comment:

 Replying to [comment:47 westi]:
 > After reading through all the comments above I can not see a clear
 definition of the '''bug''' here that exists in {{{$wpdb->prepare}}}.

 You're right, the clear definition of the bug is missing:

  1. Improper handling of input data in wpdb->prepare()
  2. Invalid docblock in wpdb->prepare()

 The function just does not behave properly on input data. Often it's
 argumented that problems will be catched by vsprintf() in it, but that's
 just not the case (just one example: {{{$wpdb->prepare( $query = '% wrong
 query', '' )}}}).

 I hope you share the point that wpdb->prepare() is an important function
 being interface to core coders and many plugin authors. Next to
 encouraging them to actually use that function, it should at least provide
 a certain level of stability and enough defensive potential that it can
 take up with the input by us and our beloved users.

 It was not far ago I criticised code in the WPDB class (again) that it
 does not provide a secure level of data escaping. In that discussion Sivel
 pointed to '''''wpdb->prepare() as the only function''''' that provides a
 proper mysql escape via the classes public interface. I would like to see
 that one at least properly implemented.

 The last paragraph is for background information regarding this ticket's
 title:[[BR]]
  '''wpdb->prepare() is broken'''.

 Flaws I saw so far:

  1. wpdb->prepare()'s docblock says it return NULL on error, actually that
 function does return FALSE and STRINGs on error as well. By returning
 STRINGs the user is not able to determine wether or not prepare failed on
 the query-pattern provided.
  2. wpdb->prepare()'s docblock does not properly document the substitution
 pattern, especially the usage of %%.
  3. wpdb->prepare() does not validate the $query parameter
  4. wpdb->prepare() passes unvalidated data to vsprintf().
  5. wpdb->prepare() ocasionally modifies the user's input on best guess
 (w/o being documented properly), by definition there is no need to do so.

 ''Regarding 5.:'' I think this is a bug, to retain backwards compability
 it might be too late to take this out ([comment:27 ref. to DDB]). I have
 at least improved that in my patch, but it does not solve that issue, so
 it is only ''more stable'' which is  relative to say at least. Let's
 attribute this as hardening.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11608#comment:52>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software


More information about the wp-trac mailing list