mirror of
https://github.com/gosticks/wordpress-develop.git
synced 2026-06-28 22:30:04 +00:00
Database: Restore numbered placeholders in wpdb::prepare().
[41496] removed support for numbered placeholders in queries sent through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used. This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments is being passed to `wpdb::prepare()`, given the number of placeholders. See #41925. git-svn-id: https://develop.svn.wordpress.org/trunk@42056 602fd350-edb4-49c9-b593-d223f7449a82
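The two mechanisms the commit message describes, numbered placeholders and a placeholder-count check, can be shown together in a small prepare()-style helper. The block below is an added example written for this page; it is not WordPress code and does not reproduce `wpdb::prepare()`. Its placeholder grammar (`%s`, `%d`, `%f`, numbered forms such as `%2$s`, and `%%` for a literal percent sign), the rule that numbered and positional placeholders may not be mixed, and the `escape_sql_string()` helper are all assumptions of the example. The second call shows why the count check matters for security: a value spliced into the template before it is prepared is rescanned for placeholders, so attacker data of `%s` adds a placeholder the caller never supplied, and the mismatch is refused instead of silently pairing placeholders with the wrong arguments.

```php
<?php
// Added illustration, not WordPress's wpdb::prepare(): a minimal prepare()-style
// helper that counts positional and numbered placeholders, refuses a query whose
// placeholder count does not match the arguments supplied, and only ever parses
// the trusted template for placeholders, never the data.
//
// Assumed grammar (an assumption of this example, not taken from the page):
// %s, %d, %f, numbered variants such as %2$s, and %% for a literal percent sign.

/**
 * Returns [number of positional placeholders, highest numbered index].
 */
function count_placeholders(string $query): array {
    preg_match_all('/%%|%(?:(\d+)\$)?([sdf])/', $query, $matches, PREG_SET_ORDER);
    $positional = 0;
    $max_numbered = 0;
    foreach ($matches as $m) {
        if ($m[0] === '%%') {
            continue; // literal percent sign, not a placeholder
        }
        if ($m[1] !== '') {
            $max_numbered = max($max_numbered, (int) $m[1]);
        } else {
            $positional++;
        }
    }
    return [$positional, $max_numbered];
}

/**
 * Number of arguments a template requires. Mixing numbered and positional
 * placeholders is rejected here for simplicity (an assumption of this example).
 */
function expected_arg_count(string $query): int {
    [$positional, $max_numbered] = count_placeholders($query);
    if ($positional > 0 && $max_numbered > 0) {
        throw new InvalidArgumentException('Do not mix numbered and positional placeholders');
    }
    return max($positional, $max_numbered);
}

/**
 * Escape a string for use inside single quotes. Illustrative only: production
 * code must use the database driver's own escaper (e.g. mysqli_real_escape_string).
 */
function escape_sql_string(string $value): string {
    return str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
}

function prepare_checked(string $query, array $args): string {
    $expected = expected_arg_count($query);
    if ($expected !== count($args)) {
        throw new LengthException(sprintf(
            'Query expects %d argument(s), %d given', $expected, count($args)
        ));
    }
    // Wrap every %s / %n$s in the trusted template with quotes; %d and %f are
    // coerced by vsprintf. Argument values are never parsed for placeholders.
    $quoted = preg_replace_callback(
        '/%%|%(?:(\d+)\$)?([sdf])/',
        fn($m) => ($m[0] !== '%%' && $m[2] === 's') ? "'" . $m[0] . "'" : $m[0],
        $query
    );
    $escaped = array_map(
        fn($a) => is_string($a) ? escape_sql_string($a) : $a,
        $args
    );
    return vsprintf($quoted, $escaped);
}

// Numbered placeholders let one argument be reused in several positions.
echo prepare_checked(
    "SELECT * FROM wp_posts WHERE post_title = %1\$s OR post_name = %1\$s AND ID > %2\$d",
    ["O'Reilly", '10']
), "\n";
// SELECT * FROM wp_posts WHERE post_title = 'O\'Reilly' OR post_name = 'O\'Reilly' AND ID > 10

// Data concatenated into the template is rescanned for placeholders: a value of
// "%s" adds one the caller did not supply, and the count check refuses the query.
$attacker = "%s";
try {
    prepare_checked("SELECT * FROM wp_users WHERE user_login = '" . $attacker . "' AND ID = %d", [1]);
} catch (LengthException $e) {
    echo $e->getMessage(), "\n"; // Query expects 2 argument(s), 1 given
}
```

The refusal in the second call is the defensive value of the count check: without it, the injected `%s` would have consumed the caller's argument and the real `%d` would have been left for whatever came next. It does not replace escaping `%` in values before they are concatenated (the esc_sql() behaviour this commit documents); it is a second line of defence that turns a silently mis-paired query into a loud failure.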
@@ -3754,6 +3754,11 @@ function _deep_replace( $search, $subject ) {
* Sometimes, spot-escaping is required or useful. One example
* is preparing an array for use in an IN clause.
*
* NOTE: Since 4.8.3, '%' characters will be replaced with a placeholder string,
* this prevents certain SQLi attacks from taking place. This change in behaviour
* may cause issues for code that expects the return value of esc_sql() to be useable
* for other purposes.
*
* @since 2.8.0
*
* @global wpdb $wpdb WordPress database abstraction object.
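Review bot: the added NOTE lines in this docblock have a comma splice and a spelling error: "will be replaced with a placeholder string, this prevents certain SQLi attacks" should be split into two sentences ("...a placeholder string. This prevents..."), and "useable" should be "usable". More importantly, the note warns that the '%' substitution "may cause issues for code that expects the return value of esc_sql() to be useable for other purposes" without telling such callers what to do: either name the wpdb method that reverses the substitution, if one exists, or state plainly that esc_sql() output must only be placed into a query. Since this documents a behaviour change to a public function, the docblock should also carry a "@since 4.8.3" changelog entry describing the '%' replacement alongside the existing "@since 2.8.0" tag, following the WordPress docblock convention.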