[wp-hackers] $wpdb->prepare and dynamic field names

Otto otto at ottodestruct.com
Wed Mar 2 22:24:22 UTC 2011


On Wed, Mar 2, 2011 at 3:45 PM, Steve Taylor <steve at sltaylor.co.uk> wrote:
> Following from Mark Jaquith's handy presentation
> (http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/),
> I'm scouring my themes and plugins to check the security measures.
>
> One issue so far. I have a query like this:
>
> $field = $wpdb->get_results("
>        SELECT  meta_value
>        FROM    $table
>        WHERE   meta_key        = '$key'
>        AND             $id_field       = $id
>        LIMIT           0, 1
> ");
>
> It's just checking whether a custom field is set for a specific object
> (a post or user - hence the dynamic table and ID field references,
> which are decided before this query).
>
> If I use $wpdb->prepare, what would I do with $table and $id_field?
> Wouldn't using %s automatically stick quotes around them and
> invalidate the query?

Yes it would; however, presumably your $table and $id_field are
hardcoded in some fashion, or at least generated by data that is
hardcoded into the plugin and not data that comes from the user input.

Using prepare lets the data be escaped properly, because the data can
change and sometimes comes from the user input. However, your users
aren't putting in column or table names, are they? If they are,
you've got deeper problems.


-Otto
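One way to lay out the query Steve describes so that the identifiers stay hardcoded and only the values go through prepare, as an added example that is not from either poster. It assumes the WordPress $wpdb global (its postmeta/usermeta properties, prepare() and get_var()); the function name get_single_meta and the 'post'/'user' type keys are made up for the illustration.

```php
<?php
// Added example (not from the thread): the table and id column are picked
// from a fixed map keyed by object type, so the untrusted pieces ($key, $id)
// are the only things that ever reach $wpdb->prepare() placeholders.

/**
 * Fetch one meta value for a post or a user.
 *
 * @param string $object_type 'post' or 'user' (anything else is rejected)
 * @param string $key         meta_key to look up (untrusted, bound as %s)
 * @param int    $id          object id (untrusted, bound as %d)
 * @return string|null        meta_value, or null if not set or bad type
 */
function get_single_meta( $object_type, $key, $id ) {
    global $wpdb;

    // Identifiers come from this hardcoded allowlist, never from input.
    $targets = array(
        'post' => array( 'table' => $wpdb->postmeta, 'id_field' => 'post_id' ),
        'user' => array( 'table' => $wpdb->usermeta, 'id_field' => 'user_id' ),
    );

    if ( ! isset( $targets[ $object_type ] ) ) {
        return null; // unknown type: refuse rather than interpolate anything
    }

    $table    = $targets[ $object_type ]['table'];
    $id_field = $targets[ $object_type ]['id_field'];

    // Identifiers are interpolated directly because they are trusted
    // constants; the two user-influenced values go through placeholders,
    // so %s quotes $key and %d forces $id to an integer.
    $sql = $wpdb->prepare(
        "SELECT meta_value
           FROM {$table}
          WHERE meta_key = %s
            AND {$id_field} = %d
          LIMIT 1",
        $key,
        $id
    );

    return $wpdb->get_var( $sql );
}
```

If an identifier really must vary at runtime, map it through an allowlist like the one above rather than quoting it; newer WordPress releases also add an %i placeholder to prepare() for identifiers.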


More information about the wp-hackers mailing list