From 0ccba3e8bbc12f4a8906421bc3a73c728b9b778e Mon Sep 17 00:00:00 2001
From: Mark Jaquith
Date: Thu, 5 Jul 2007 17:32:46 +0000
Subject: [PATCH] Automatically quote strings in $wpdb->prepare(). Use vsprintf(). see #4553
git-svn-id: https://develop.svn.wordpress.org/trunk@5779 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/wp-db.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php
index 5df97b17f0..6b729a0057 100644
--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -132,8 +132,10 @@ class wpdb {
 return;
 $args = func_get_args();
 $query = array_shift($args);
+ $query = str_replace("'%s'", '%s', $query); // in case someone mistakenly already quoted it
+ $query = str_replace('%s', "'%s'", $query); // quote the strings
 array_walk($args, array(&$this, 'escape_by_ref'));
- return @call_user_func_array('sprintf', array_merge(array($query), $args));
+ return @vsprintf($query, $args);
 }
 // ==================================================================
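Review bot: The two `str_replace` calls added before `array_walk` are blind substring replaces that do not parse printf syntax, so a `%s` preceded by an odd run of `%` — e.g. the `LIKE '%%%s%%'` wildcard idiom — becomes `'%%%'%s'%%'`, which vsprintf (if I read its custom-padding-character rule correctly) parses as `%'%s`, a conversion padded with `%`, and so emits the escaped argument without quotes and produces malformed SQL; positional or width forms such as `%1$s` and `%-10s` contain no literal `%s` and are never quoted at all. Quoting only genuine conversions avoids both problems, e.g. replace the second line with `$query = preg_replace('/(?<!%)((?:%%)*)%s/', "$1'%s'", $query);` and apply the same even-`%` guard to the first line so a `'%s'` sitting inside a string literal is not stripped. The `@` on the new `vsprintf` line also hides an argument-count mismatch, where vsprintf on the PHP of this era warns and returns `false`, which a caller that hands the result straight to `query()` would run as an empty statement; counting the conversions against `count($args)` and returning early is safer than suppressing the warning. The enclosing `prepare()` begins outside the hunk, so the condition behind the bare `return;` is not visible here.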