wordpress-develop/tests
David Baumwald ac64f38b66 Database: Add %i placeholder support to $wpdb->prepare to escape table and column names.
WordPress does not currently provide an explicit method for escaping SQL table and column names. This leads to potential security vulnerabilities, and makes reviewing code for security unnecessarily difficult. Static analysis tools also flag the queries as having unescaped SQL input.

Tables and column names in queries are usually in-the-raw, since using the existing `%s` will straight quote the value, making the query invalid.

This change introduces a new `%i` placeholder in `$wpdb->prepare` to properly quote table and column names using backticks.

Props tellyworth, iandunn, craigfrancis, peterwilsoncc, johnbillion, apokalyptik.
Fixes #52506.

git-svn-id: https://develop.svn.wordpress.org/trunk@53575 602fd350-edb4-49c9-b593-d223f7449a82
2022-06-24 20:33:56 +00:00
e2e Build/Test Tools: Update some NPM dependencies to the latest versions. 2022-04-08 20:05:03 +00:00
gutenberg Block Editor: Update the Gutenberg branch used to launch Gutenberg e2e tests. 2021-06-01 09:21:36 +00:00
phpunit Database: Add %i placeholder support to $wpdb->prepare to escape table and column names. 2022-06-24 20:33:56 +00:00
qunit REST API: Fixes /wp/v2/pattern-directory/patterns endpoint response for slug parameter. 2022-05-02 13:58:48 +00:00
visual-regression Build/Test Tools: Update some NPM dependencies to the latest versions. 2022-04-08 20:05:03 +00:00