[wp-hackers] WPDB does not seem to support RENAME TABLE query

Paul Menard paul at codehooligans.com
Sun Sep 22 23:18:29 UTC 2013


How/Why would it be a security concern? The plugin owns the table. This is not a WP core table. The RENAME command requires the same user permissions, ALTER and DROP, as most other WP DB functions. Though the DROP is rarely used. And really it is no different than doing a multiple-step SQL command to 1) DROP the destination table, 2) CREATE TABLE the new destination table, 3) SELECT INSERT INTO from the source to the destination, 4) DROP the source table.

Not that I want to get into the how/why processing of the plugin. Which really was not my point. This is for a very specific client use and not something to distribute to the general public. While the source table is being loaded from a previous export we didn't want to load directly into the live table because the size is upwards of 2G. Plus the data is meant to replace the existing table. So we are loading to a temporary named table first. This lets queries against the live table occur without issue. Once the load finishes the live table is dropped and the RENAME occurs. Simple as that. 

P-




On Sep 22, 2013, at 6:28 PM, Chris McCoy <chris at lod.com> wrote:

> Curious about this, is it really good practice to rename a table in a
> plugin from a security standpoint?
> 
> 
> On 2013-09-22 2:24 PM, "Andrew Nacin" <wp at andrewnacin.com> wrote:
> 
>> On Sat, Sep 21, 2013 at 7:02 PM, Paul Menard <paul at codehooligans.com>
>> wrote:
>> 
>>> Maybe I'm missing something. Or maybe this is just an oversight on the
>>> wpdb class.
>>> 
>>> When calling the SQL RENAME TABLE `table_source` TO `table_dest`;
>>> 
>>> I get a PHP Warning: errno:2 mysql_fetch_object(): supplied argument is
>>> not a valid MySQL result resource /usr/local/www/htdocs/projects/Incsub/
>>> local.inc352-snapshot.com/wp-includes/wp-db.php on line 1225
>>> 
>> 
>> I've honestly never seen someone need to use wpdb to rename a table at
>> runtime. Nothing wrong with wp-db.php being patched to support this. That
>> said, this should work: ALTER TABLE old_name RENAME new_name;
>> 
>> Nacin
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers


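The load-then-swap described in the message above, as an added example that is not part of the original thread. It uses MySQL's multi-table RENAME TABLE, which swaps both names in one atomic statement, instead of the drop-then-rename order the message describes, so the live name never goes missing between steps. All table names are hypothetical placeholders.

```sql
-- Added example; table names are hypothetical placeholders.
--   wp_plugin_data       live table the site queries
--   wp_plugin_data_load  staging table the export is loaded into
--   wp_plugin_data_old   previous live data, kept until the swap is checked
--
-- Privileges (MySQL): RENAME TABLE needs ALTER and DROP on the original
-- table and CREATE and INSERT on the new name. Only table names the plugin
-- itself defines should ever reach these statements; identifiers cannot be
-- bound as query parameters, so they must not come from request input.

-- 1) Build the staging table with the same columns and indexes as the live one.
DROP TABLE IF EXISTS wp_plugin_data_load;
CREATE TABLE wp_plugin_data_load LIKE wp_plugin_data;

-- 2) Load the export into wp_plugin_data_load here (mysql client, LOAD DATA
--    or batched INSERTs). Queries against wp_plugin_data are unaffected.

-- 3) Check the load before touching the live name.
SELECT COUNT(*) AS loaded_rows FROM wp_plugin_data_load;

-- 4) Swap both names in a single statement. The renames are applied left to
--    right as one atomic operation: other sessions see either the old table
--    or the new one under the live name, never a missing table.
DROP TABLE IF EXISTS wp_plugin_data_old;
RENAME TABLE wp_plugin_data      TO wp_plugin_data_old,
             wp_plugin_data_load TO wp_plugin_data;

-- 5) Remove the previous data once the new table is confirmed good.
DROP TABLE wp_plugin_data_old;
```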
