David Baumwald ac64f38b66 Database: Add %i placeholder support to $wpdb->prepare to escape table and column names.
WordPress does not currently provide an explicit method for escaping SQL table and column names. This leads to potential security vulnerabilities, and makes reviewing code for security unnecessarily difficult. Also, static analysis tools flag the queries as having unescaped SQL input.

Tables and column names in queries are usually in-the-raw, since using the existing `%s` will straight quote the value, making the query invalid.

This change introduces a new `%i` placeholder in `$wpdb->prepare` to properly quote table and column names using backticks.

Props tellyworth, iandunn, craigfrancis, peterwilsoncc, johnbillion, apokalyptik.
Fixes #52506.

git-svn-id: https://develop.svn.wordpress.org/trunk@53575 602fd350-edb4-49c9-b593-d223f7449a82
2022-06-24 20:33:56 +00:00
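To illustrate the difference the commit describes, here is an added Python sketch (not WordPress's own wpdb code) of a minimal prepare() with %s, %d and a backtick-quoting %i placeholder. The escaping rules it uses (backslash-escaped string literals, doubled backticks inside identifiers) are assumptions modelling MySQL's quoting conventions, not a reading of the actual patch.

```python
import re

# Constructed illustration, not WordPress's wpdb implementation: a tiny
# prepare() showing why a %s string placeholder cannot carry a table or
# column name, and what a backtick-quoting %i placeholder does instead.

_PLACEHOLDER = re.compile(r"%([sdi])")


def quote_string(value: str) -> str:
    """Quote a string literal the way %s does: single quotes, backslash-escaped."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def quote_identifier(name: str) -> str:
    """Quote a table/column name with backticks (MySQL identifier quoting).
    A backtick inside the name is doubled so it cannot close the quote."""
    return "`" + name.replace("`", "``") + "`"


def prepare(query: str, *args) -> str:
    """Substitute %s (string), %d (integer) and %i (identifier) placeholders."""
    pending = list(args)

    def sub(match: re.Match) -> str:
        if not pending:
            raise ValueError("not enough arguments for placeholders")
        kind, value = match.group(1), pending.pop(0)
        if kind == "s":
            return quote_string(str(value))
        if kind == "d":
            return str(int(value))
        return quote_identifier(str(value))

    out = _PLACEHOLDER.sub(sub, query)
    if pending:
        raise ValueError("too many arguments for placeholders")
    return out


if __name__ == "__main__":
    # %s turns the table name into a string literal where MySQL expects an
    # identifier: SELECT * FROM 'wp_posts' is not a valid table reference.
    print(prepare("SELECT * FROM %s WHERE ID = %d", "wp_posts", 7))
    # %i backtick-quotes the names, so the query is valid and a name
    # containing a backtick stays inside its quotes.
    print(prepare("SELECT %i FROM %i WHERE ID = %d", "post_title", "wp_posts", 7))
    print(prepare("SELECT * FROM %i", "odd`name"))
```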