[wp-hackers] small wp-db.php code question

Simon Courtenage courtenage at gmail.com
Tue Sep 18 06:56:46 UTC 2012

Dear wp-hackers,

I'm going through the WP code line-by-line as part of a new project and
have come across the code for the prepare function in wp-db.php.  This
can take a variable number of arguments (up to 3 according to the comments
and usages).  However, I think there is an issue with the 3rd argument,
when present, being over-written by the code.  The prepare() code is

function prepare( $query = null ) { // ( $query, *$args )
        if ( is_null( $query ) )

        $args = func_get_args();
        array_shift( $args );
        // If args were passed as an array (as in vsprintf), move them up
        if ( isset( $args[0] ) && is_array($args[0]) )
            $args = $args[0]; // QUESTION
        $query = str_replace( "'%s'", '%s', $query ); // in case someone
mistakenly already singlequoted it
        $query = str_replace( '"%s"', '%s', $query ); // doublequote
        $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the
strings, avoiding escaped strings like %%s
        array_walk( $args, array( &$this, 'escape_by_ref' ) );
        return @vsprintf( $query, $args );

The issue lies with the line I've commented with 'QUESTION'.  This
overwrites the arg array obtained from func_get_args() with the second
argument (after the first was popped from the array) - hence the 3rd arg is
lost.  Have I missed something / is this intended behaviour / is this a bug?

Thanks for reading my first post to this list!


Simon Courtenage


Join me on msgmash <http://www.msgmash.com>!

More information about the wp-hackers mailing list