Database: Restore numbered placeholders in wpdb::prepare().

[41496] removed support for numbered placeholders in queries sent through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.

See #41925.



git-svn-id: https://develop.svn.wordpress.org/trunk@42056 602fd350-edb4-49c9-b593-d223f7449a82
Gary Pendergast
2017-10-31 11:59:43 +00:00
parent 15f74e83fa
commit a39d599adf
9 changed files with 492 additions and 53 deletions
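The commit message above describes the restored numbered placeholders and the new argument-count check in words only. As an added illustration (this is not WordPress code and not the logic of this changeset), the following stand-alone PHP sketch shows what such a check looks like: it scans a prepare()-style format string for numbered (`%1$s`), unnumbered (`%s`, `%d`, `%f`) and formatted placeholders, skips `%%`, and compares the result against the arguments given. The placeholder grammar, the sprintf-style rule that a numbered placeholder names an argument position while unnumbered ones are consumed in order, and the sample queries are assumptions constructed for the example, not wpdb's exact rules.

```php
<?php
// Added example, not WordPress code and not the logic of changeset 42056: a
// stand-alone sketch of the "right number of arguments" check that the commit
// message describes, run over prepare()-style format strings.
//
// Assumed placeholder grammar (an assumption for illustration, not wpdb's rules):
//   %s %d %f %F      unnumbered placeholders, consumed left to right
//   %1$s %2$d ...    numbered placeholders, which may repeat within one query
//   %05d %5.2f       a small formatting subset: flags, width, precision
//   %%               a literal percent sign, never a placeholder

/**
 * Scans $query and returns how many placeholders it holds, which argument
 * positions the numbered ones name, and how many arguments it therefore needs.
 */
function scan_placeholders( string $query ): array {
    // (?<!%)(?:%%)* steps over escaped "%%" pairs so that "%%s" stays a literal.
    $pattern = '/(?<!%)(?:%%)*%(?:(\d+)\$)?[-+ 0]*\d*(?:\.\d+)?[sdfF]/';
    $found   = preg_match_all( $pattern, $query, $matches );

    // Group 1 is '' for unnumbered placeholders and "N" for %N$.
    $numbered   = array_map( 'intval', array_filter( $matches[1], 'strlen' ) );
    $unnumbered = $found - count( $numbered );

    // Assumed sprintf-style rule: unnumbered placeholders take arguments 1..n
    // in order and %N$ names argument N directly, so the query needs
    // max( n, highest N ) arguments. A numbered placeholder used twice still
    // needs only one argument, which is the point of restoring %N$ support.
    $required = max( $unnumbered, $numbered ? max( $numbered ) : 0 );

    return array(
        'found'    => $found,
        'numbered' => array_values( $numbered ),
        'required' => $required,
    );
}

/**
 * Applies the count check. Too few arguments is an error because the query
 * cannot be filled in; a surplus is flagged too, since it usually means a
 * placeholder was dropped from the query and a value is silently unused.
 */
function check_prepare_args( string $query, array $args ): string {
    $scan  = scan_placeholders( $query );
    $given = count( $args );

    if ( 0 === $scan['found'] ) {
        return 'error: the query contains no placeholders, so prepare() has nothing to do';
    }
    if ( $given < $scan['required'] ) {
        return sprintf( 'error: query needs %d argument(s), %d given', $scan['required'], $given );
    }
    if ( $given > $scan['required'] ) {
        return sprintf( 'warning: query needs %d argument(s), %d given; surplus ignored', $scan['required'], $given );
    }
    return sprintf( 'ok: %d placeholder(s) filled from %d argument(s)', $scan['found'], $given );
}

// Constructed sample queries (wp_posts column names are used for realism only).
$samples = array(
    // Plain positional placeholders, counts match.
    array( 'SELECT ID FROM wp_posts WHERE post_status = %s AND post_author = %d', array( 'publish', 7 ) ),
    // One numbered placeholder reused twice: a single argument is enough.
    array( 'SELECT ID FROM wp_posts WHERE post_title LIKE %1$s OR post_name LIKE %1$s', array( 'draft%' ) ),
    // Formatting subset plus an escaped literal percent sign, which is not counted.
    array( "SELECT ID FROM wp_posts WHERE post_title LIKE '%%archive%%' AND menu_order >= %05d", array( 3 ) ),
    // Two placeholders, one argument: the kind of call the new check rejects.
    array( 'SELECT ID FROM wp_posts WHERE post_author = %d AND post_parent = %d', array( 7 ) ),
    // One placeholder, two arguments: flagged as a surplus.
    array( 'SELECT ID FROM wp_posts WHERE post_author = %d', array( 7, 8 ) ),
);

foreach ( $samples as list( $query, $args ) ) {
    echo check_prepare_args( $query, $args ), "\n    ", $query, "\n";
}
```

Run it with the php CLI. The two cases worth noticing are the reused `%1$s`, which needs one argument rather than two, and the `%%` pair inside the LIKE pattern, which the scanner steps over so that a literal percent sign in the query text does not inflate the placeholder count.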


@@ -3754,6 +3754,11 @@ function _deep_replace( $search, $subject ) {
* Sometimes, spot-escaping is required or useful. One example
* is preparing an array for use in an IN clause.
*
* NOTE: Since 4.8.3, '%' characters will be replaced with a placeholder string,
* this prevents certain SQLi attacks from taking place. This change in behaviour
* may cause issues for code that expects the return value of esc_sql() to be useable
* for other purposes.
*
* @since 2.8.0
*
* @global wpdb $wpdb WordPress database abstraction object.
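Review bot: the new NOTE in this docblock warns that '%' characters are replaced with a placeholder string and that the return value of esc_sql() may no longer be usable "for other purposes", but it never says how the normal path (handing the escaped value on to $wpdb) gets the literal '%' back, nor what code with another use is expected to do instead; one sentence naming the step that reverses the substitution would make the warning actionable rather than just alarming. Two smaller points: the tag block still carries only `@since 2.8.0`, so this behaviour change should also be recorded as a `@since 4.8.3` changelog entry there, following the usual WordPress docblock convention, instead of living only in the description; and "useable" should read "usable".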