mirror of
https://github.com/gosticks/wordpress-develop.git
synced 2026-07-01 07:40:07 +00:00
Database: Restore numbered placeholders in wpdb::prepare().
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used. This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders. See #41925. git-svn-id: https://develop.svn.wordpress.org/trunk@42056 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
@@ -270,6 +270,9 @@ class Tests_DB extends WP_UnitTestCase {
|
||||
public function test_double_escaped_placeholders() {
|
||||
global $wpdb;
|
||||
$sql = $wpdb->prepare( "UPDATE test_table SET string_column = '%%f is a float, %%d is an int %d, %%s is a string', field = %s", 3, '4' );
|
||||
$this->assertContains( $wpdb->placeholder_escape(), $sql );
|
||||
|
||||
$sql = $wpdb->remove_placeholder_escape( $sql );
|
||||
$this->assertEquals( "UPDATE test_table SET string_column = '%f is a float, %d is an int 3, %s is a string', field = '4'", $sql );
|
||||
}
|
||||
|
||||
@@ -432,12 +435,12 @@ class Tests_DB extends WP_UnitTestCase {
|
||||
array(
|
||||
"SELECT * FROM $wpdb->users WHERE id = %d AND %% AND user_login = %s",
|
||||
array( 1, "admin", "extra-arg" ),
|
||||
"SELECT * FROM $wpdb->users WHERE id = 1 AND % AND user_login = 'admin'",
|
||||
"SELECT * FROM $wpdb->users WHERE id = 1 AND {$wpdb->placeholder_escape()} AND user_login = 'admin'",
|
||||
),
|
||||
array(
|
||||
"SELECT * FROM $wpdb->users WHERE id = %%%d AND %F AND %f AND user_login = %s",
|
||||
array( 1, 2.3, "4.5", "admin", "extra-arg" ),
|
||||
"SELECT * FROM $wpdb->users WHERE id = %1 AND 2.300000 AND 4.500000 AND user_login = 'admin'",
|
||||
"SELECT * FROM $wpdb->users WHERE id = {$wpdb->placeholder_escape()}1 AND 2.300000 AND 4.500000 AND user_login = 'admin'",
|
||||
),
|
||||
array(
|
||||
"SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s",
|
||||
@@ -1185,13 +1188,327 @@ class Tests_DB extends WP_UnitTestCase {
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @dataProvider data_prepare_with_placeholders
|
||||
*/
|
||||
function test_prepare_with_unescaped_percents() {
|
||||
function test_prepare_with_placeholders_and_individual_args( $sql, $values, $incorrect_usage, $expected) {
|
||||
global $wpdb;
|
||||
|
||||
$sql = $wpdb->prepare( '%d %1$d %%% %', 1 );
|
||||
$this->assertEquals( '1 %1$d %% %', $sql );
|
||||
if ( $incorrect_usage ) {
|
||||
$this->setExpectedIncorrectUsage( 'wpdb::prepare' );
|
||||
}
|
||||
|
||||
if ( ! is_array( $values ) ) {
|
||||
$values = array( $values );
|
||||
}
|
||||
|
||||
array_unshift( $values, $sql );
|
||||
|
||||
$sql = call_user_func_array( array( $wpdb, 'prepare' ), $values );
|
||||
$this->assertEquals( $expected, $sql );
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider data_prepare_with_placeholders
|
||||
*/
|
||||
function test_prepare_with_placeholders_and_array_args( $sql, $values, $incorrect_usage, $expected) {
|
||||
global $wpdb;
|
||||
|
||||
if ( $incorrect_usage ) {
|
||||
$this->setExpectedIncorrectUsage( 'wpdb::prepare' );
|
||||
}
|
||||
|
||||
if ( ! is_array( $values ) ) {
|
||||
$values = array( $values );
|
||||
}
|
||||
|
||||
$sql = call_user_func_array( array( $wpdb, 'prepare' ), array( $sql, $values ) );
|
||||
$this->assertEquals( $expected, $sql );
|
||||
}
|
||||
|
||||
function data_prepare_with_placeholders() {
|
||||
global $wpdb;
|
||||
|
||||
return array(
|
||||
array(
|
||||
'%5s', // SQL to prepare
|
||||
'foo', // Value to insert in the SQL
|
||||
false, // Whether to expect an incorrect usage error or not
|
||||
' foo', // Expected output
|
||||
),
|
||||
array(
|
||||
'%1$d %%% % %%1$d%% %%%1$d%%',
|
||||
1,
|
||||
true,
|
||||
"1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1\$d{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1{$wpdb->placeholder_escape()}",
|
||||
),
|
||||
array(
|
||||
'%-5s',
|
||||
'foo',
|
||||
false,
|
||||
'foo ',
|
||||
),
|
||||
array(
|
||||
'%05s',
|
||||
'foo',
|
||||
false,
|
||||
'00foo',
|
||||
),
|
||||
array(
|
||||
"%'#5s",
|
||||
'foo',
|
||||
false,
|
||||
'##foo',
|
||||
),
|
||||
array(
|
||||
'%.3s',
|
||||
'foobar',
|
||||
false,
|
||||
'foo',
|
||||
),
|
||||
array(
|
||||
'%.3f',
|
||||
5.123456,
|
||||
false,
|
||||
'5.123',
|
||||
),
|
||||
array(
|
||||
'%.3f',
|
||||
5.12,
|
||||
false,
|
||||
'5.120',
|
||||
),
|
||||
array(
|
||||
'%s',
|
||||
' %s ',
|
||||
false,
|
||||
"' {$wpdb->placeholder_escape()}s '",
|
||||
),
|
||||
array(
|
||||
'%1$s',
|
||||
' %s ',
|
||||
false,
|
||||
" {$wpdb->placeholder_escape()}s ",
|
||||
),
|
||||
array(
|
||||
'%1$s',
|
||||
' %1$s ',
|
||||
false,
|
||||
" {$wpdb->placeholder_escape()}1\$s ",
|
||||
),
|
||||
array(
|
||||
'%d %1$d %%% %',
|
||||
1,
|
||||
true,
|
||||
"1 1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}",
|
||||
),
|
||||
array(
|
||||
'%d %2$s',
|
||||
array( 1, 'hello' ),
|
||||
false,
|
||||
"1 hello",
|
||||
),
|
||||
array(
|
||||
"'%s'",
|
||||
'hello',
|
||||
false,
|
||||
"'hello'",
|
||||
),
|
||||
array(
|
||||
'"%s"',
|
||||
'hello',
|
||||
false,
|
||||
"'hello'",
|
||||
),
|
||||
array(
|
||||
"%s '%1\$s'",
|
||||
'hello',
|
||||
true,
|
||||
"'hello' 'hello'",
|
||||
),
|
||||
array(
|
||||
"%s '%1\$s'",
|
||||
'hello',
|
||||
true,
|
||||
"'hello' 'hello'",
|
||||
),
|
||||
array(
|
||||
'%s "%1$s"',
|
||||
'hello',
|
||||
true,
|
||||
"'hello' \"hello\"",
|
||||
),
|
||||
array(
|
||||
"%%s %%'%1\$s'",
|
||||
'hello',
|
||||
false,
|
||||
"{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}'hello'",
|
||||
),
|
||||
array(
|
||||
'%%s %%"%1$s"',
|
||||
'hello',
|
||||
false,
|
||||
"{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}\"hello\"",
|
||||
),
|
||||
array(
|
||||
'%s',
|
||||
' % s ',
|
||||
false,
|
||||
"' {$wpdb->placeholder_escape()} s '",
|
||||
),
|
||||
array(
|
||||
'%%f %%"%1$f"',
|
||||
3,
|
||||
false,
|
||||
"{$wpdb->placeholder_escape()}f {$wpdb->placeholder_escape()}\"3.000000\"",
|
||||
),
|
||||
array(
|
||||
'WHERE second=\'%2$s\' AND first=\'%1$s\'',
|
||||
array( 'first arg', 'second arg' ),
|
||||
false,
|
||||
"WHERE second='second arg' AND first='first arg'",
|
||||
),
|
||||
array(
|
||||
'WHERE second=%2$d AND first=%1$d',
|
||||
array( 1, 2 ),
|
||||
false,
|
||||
"WHERE second=2 AND first=1",
|
||||
),
|
||||
array(
|
||||
"'%'%%s",
|
||||
'hello',
|
||||
true,
|
||||
"'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s",
|
||||
),
|
||||
array(
|
||||
"'%'%%s%s",
|
||||
'hello',
|
||||
false,
|
||||
"'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s'hello'",
|
||||
),
|
||||
array(
|
||||
"'%'%%s %s",
|
||||
'hello',
|
||||
false,
|
||||
"'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s 'hello'",
|
||||
),
|
||||
array(
|
||||
"'%-'#5s' '%'#-+-5s'",
|
||||
array( 'hello', 'foo' ),
|
||||
false,
|
||||
"'hello' 'foo##'",
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider data_escape_and_prepare
|
||||
*/
|
||||
function test_escape_and_prepare( $escape, $sql, $values, $incorrect_usage, $expected ) {
|
||||
global $wpdb;
|
||||
|
||||
if ( $incorrect_usage ) {
|
||||
$this->setExpectedIncorrectUsage( 'wpdb::prepare' );
|
||||
}
|
||||
|
||||
$escape = esc_sql( $escape );
|
||||
|
||||
$sql = str_replace( '{ESCAPE}', $escape, $sql );
|
||||
|
||||
$actual = $wpdb->prepare( $sql, $values );
|
||||
|
||||
$this->assertEquals( $expected, $actual );
|
||||
}
|
||||
|
||||
function data_escape_and_prepare() {
|
||||
global $wpdb;
|
||||
return array(
|
||||
array(
|
||||
'%s', // String to pass through esc_url()
|
||||
' {ESCAPE} ', // Query to insert the output of esc_url() into, replacing "{ESCAPE}"
|
||||
'foo', // Data to send to prepare()
|
||||
true, // Whether to expect an incorrect usage error or not
|
||||
" {$wpdb->placeholder_escape()}s ", // Expected output
|
||||
),
|
||||
array(
|
||||
'foo%sbar',
|
||||
"SELECT * FROM bar WHERE foo='{ESCAPE}' OR baz=%s",
|
||||
array( ' SQLi -- -', 'pewpewpew' ),
|
||||
true,
|
||||
null,
|
||||
),
|
||||
array(
|
||||
'%s',
|
||||
' %s {ESCAPE} ',
|
||||
'foo',
|
||||
false,
|
||||
" 'foo' {$wpdb->placeholder_escape()}s ",
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedIncorrectUsage wpdb::prepare
|
||||
*/
|
||||
function test_double_prepare() {
|
||||
global $wpdb;
|
||||
|
||||
$part = $wpdb->prepare( ' AND meta_value = %s', ' %s ' );
|
||||
$this->assertNotContains( '%s', $part );
|
||||
$query = $wpdb->prepare( 'SELECT * FROM {$wpdb->postmeta} WHERE meta_key = %s $part', array( 'foo', 'bar' ) );
|
||||
$this->assertNull( $query );
|
||||
}
|
||||
|
||||
function test_prepare_numeric_placeholders_float_args() {
|
||||
global $wpdb;
|
||||
|
||||
$actual = $wpdb->prepare(
|
||||
'WHERE second=%2$f AND first=%1$f',
|
||||
1.1,
|
||||
2.2
|
||||
);
|
||||
|
||||
/* Floats can be right padded, need to assert differently */
|
||||
$this->assertContains( ' first=1.1', $actual );
|
||||
$this->assertContains( ' second=2.2', $actual );
|
||||
}
|
||||
|
||||
function test_prepare_numeric_placeholders_float_array() {
|
||||
global $wpdb;
|
||||
|
||||
$actual = $wpdb->prepare(
|
||||
'WHERE second=%2$f AND first=%1$f',
|
||||
array( 1.1, 2.2 )
|
||||
);
|
||||
|
||||
/* Floats can be right padded, need to assert differently */
|
||||
$this->assertContains( ' first=1.1', $actual );
|
||||
$this->assertContains( ' second=2.2', $actual );
|
||||
}
|
||||
|
||||
function test_query_unescapes_placeholders() {
|
||||
global $wpdb;
|
||||
|
||||
$value = ' %s ';
|
||||
|
||||
$wpdb->query( "CREATE TABLE {$wpdb->prefix}test_placeholder( a VARCHAR(100) );" );
|
||||
$sql = $wpdb->prepare( "INSERT INTO {$wpdb->prefix}test_placeholder VALUES(%s)", $value );
|
||||
$wpdb->query( $sql );
|
||||
|
||||
$actual = $wpdb->get_var( "SELECT a FROM {$wpdb->prefix}test_placeholder" );
|
||||
|
||||
$wpdb->query( "DROP TABLE {$wpdb->prefix}test_placeholder" );
|
||||
|
||||
$this->assertNotContains( '%s', $sql );
|
||||
$this->assertEquals( $value, $actual );
|
||||
}
|
||||
|
||||
function test_esc_sql_with_unsupported_placeholder_type() {
|
||||
global $wpdb;
|
||||
|
||||
$sql = $wpdb->prepare( ' %s %1$c ', 'foo' );
|
||||
$sql = $wpdb->prepare( " $sql %s ", 'foo' );
|
||||
|
||||
$this->assertEquals( " 'foo' {$wpdb->placeholder_escape()}1\$c 'foo' ", $sql );
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
Reference in New Issue
Block a user