From 16a56fae1f922b442d4261e4f47b2cb9cd1b80f3 Mon Sep 17 00:00:00 2001 From: Gary Pendergast Date: Tue, 31 Oct 2017 12:33:25 +0000 Subject: [PATCH] Database: Restore numbered placeholders in `wpdb::prepare()`. [41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used. This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders. Merges [41662], [42056] to the 4.7 branch. See #41925. git-svn-id: https://develop.svn.wordpress.org/branches/4.7@42058 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/post.php | 4 +- src/wp-includes/wp-db.php | 181 ++++++-- tests/phpunit/tests/comment/query.php | 6 +- tests/phpunit/tests/date/query.php | 12 +- tests/phpunit/tests/db.php | 398 +++++++++++++++++- .../tests/rest-api/rest-posts-controller.php | 2 +- tests/phpunit/tests/term/meta.php | 2 +- wp-tests-config-sample.php | 15 + 8 files changed, 569 insertions(+), 51 deletions(-) diff --git a/src/wp-includes/post.php b/src/wp-includes/post.php index d9c64f5bfe..0d020c11b4 100644 --- a/src/wp-includes/post.php +++ b/src/wp-includes/post.php @@ -4241,10 +4241,10 @@ function get_page_by_path( $page_path, $output = OBJECT, $post_type = 'page' ) { $page_path = str_replace('%2F', '/', $page_path); $page_path = str_replace('%20', ' ', $page_path); $parts = explode( '/', trim( $page_path, '/' ) ); - $parts = esc_sql( $parts ); $parts = array_map( 'sanitize_title_for_query', $parts ); + $escaped_parts = esc_sql( $parts ); - $in_string = "'" . implode( "','", $parts ) . "'"; + $in_string = "'" . implode( "','", $escaped_parts ) . "'"; if ( is_array( $post_type ) ) { $post_types = $post_type; diff --git a/src/wp-includes/wp-db.php b/src/wp-includes/wp-db.php index 0b5a55e81f..553cd39d9f 100644 --- a/src/wp-includes/wp-db.php +++ b/src/wp-includes/wp-db.php @@ -1168,20 +1168,22 @@ class wpdb { function _real_escape( $string ) { if ( $this->dbh ) { if ( $this->use_mysqli ) { - return mysqli_real_escape_string( $this->dbh, $string ); + $escaped = mysqli_real_escape_string( $this->dbh, $string ); } else { - return mysql_real_escape_string( $string, $this->dbh ); + $escaped = mysql_real_escape_string( $string, $this->dbh ); } + } else { + $class = get_class( $this ); + if ( function_exists( '__' ) ) { + /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */ + _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' ); + } else { + _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' ); + } + $escaped = addslashes( $string ); } - $class = get_class( $this ); - if ( function_exists( '__' ) ) { - /* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */ - _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' ); - } else { - _doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' ); - } - return addslashes( $string ); + return $this->add_placeholder_escape( $escaped ); } /** @@ -1257,67 +1259,120 @@ class wpdb { /** * Prepares a SQL query for safe execution. Uses sprintf()-like syntax. * - * The following directives can be used in the query format string: + * The following placeholders can be used in the query string: * %d (integer) * %f (float) * %s (string) - * %% (literal percentage sign - no argument needed) * - * All of %d, %f, and %s are to be left unquoted in the query string and they need an argument passed for them. - * Literals (%) as parts of the query must be properly written as %%. + * All placeholders MUST be left unquoted in the query string. A corresponding argument MUST be passed for each placeholder. * - * This function only supports a small subset of the sprintf syntax; it only supports %d (integer), %f (float), and %s (string). - * Does not support sign, padding, alignment, width or precision specifiers. - * Does not support argument numbering/swapping. + * For compatibility with old behavior, numbered or formatted string placeholders (eg, %1$s, %5s) will not have quotes + * added by this function, so should be passed with appropriate quotes around them for your usage. * - * May be called like {@link https://secure.php.net/sprintf sprintf()} or like {@link https://secure.php.net/vsprintf vsprintf()}. + * Literal percentage signs (%) in the query string must be written as %%. Percentage wildcards (for example, + * to use in LIKE syntax) must be passed via a substitution argument containing the complete LIKE string, these + * cannot be inserted directly in the query string. Also see {@see esc_like()}. * - * Both %d and %s should be left unquoted in the query string. + * Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination + * of the two is not supported. * - * $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d", 'foo', 1337 ); + * Examples: + * $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d OR `other_field` LIKE %s", array( 'foo', 1337, '%bar' ) ); * $wpdb->prepare( "SELECT DATE_FORMAT(`field`, '%%c') FROM `table` WHERE `column` = %s", 'foo' ); * * @link https://secure.php.net/sprintf Description of syntax. * @since 2.3.0 * * @param string $query Query statement with sprintf()-like placeholders - * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called like - * {@link https://secure.php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if - * being called like {@link https://secure.php.net/sprintf sprintf()}. - * @param mixed $args,... further variables to substitute into the query's placeholders if being called like - * {@link https://secure.php.net/sprintf sprintf()}. + * @param array|mixed $args The array of variables to substitute into the query's placeholders if being called with an array of arguments, + * or the first variable to substitute into the query's placeholders if being called with individual arguments. + * @param mixed $args,... further variables to substitute into the query's placeholders if being called wih individual arguments. * @return string|void Sanitized query string, if there is a query to prepare. */ public function prepare( $query, $args ) { - if ( is_null( $query ) ) + if ( is_null( $query ) ) { return; + } // This is not meant to be foolproof -- but it will catch obviously incorrect usage. if ( strpos( $query, '%' ) === false ) { + wp_load_translations_early(); _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'The query argument of %s must have a placeholder.' ), 'wpdb::prepare()' ), '3.9.0' ); } $args = func_get_args(); array_shift( $args ); - // If args were passed as an array (as in vsprintf), move them up + // If args were passed as an array (as in vsprintf), move them up. + $passed_as_array = false; if ( is_array( $args[0] ) && count( $args ) == 1 ) { + $passed_as_array = true; $args = $args[0]; } foreach ( $args as $arg ) { if ( ! is_scalar( $arg ) && ! is_null( $arg ) ) { - _doing_it_wrong( 'wpdb::prepare', sprintf( 'Unsupported value type (%s).', gettype( $arg ) ), '4.7.6' ); + wp_load_translations_early(); + _doing_it_wrong( 'wpdb::prepare', sprintf( __( 'Unsupported value type (%s).' ), gettype( $arg ) ), '4.8.2' ); + } + } + + /* + * Specify the formatting allowed in a placeholder. The following are allowed: + * + * - Sign specifier. eg, $+d + * - Numbered placeholders. eg, %1$s + * - Padding specifier, including custom padding characters. eg, %05s, %'#5s + * - Alignment specifier. eg, %05-s + * - Precision specifier. eg, %.2f + */ + $allowed_format = '(?:[1-9][0-9]*[$])?[-+0-9]*(?: |0|\'.)?[-+0-9]*(?:\.[0-9]+)?'; + + /* + * If a %s placeholder already has quotes around it, removing the existing quotes and re-inserting them + * ensures the quotes are consistent. + * + * For backwards compatibility, this is only applied to %s, and not to placeholders like %1$s, which are frequently + * used in the middle of longer strings, or as table name placeholders. + */ + $query = str_replace( "'%s'", '%s', $query ); // Strip any existing single quotes. + $query = str_replace( '"%s"', '%s', $query ); // Strip any existing double quotes. + $query = preg_replace( '/(?add_placeholder_escape( $query ); } /** @@ -1895,6 +1950,64 @@ class wpdb { } } + /** + * Generates and returns a placeholder escape string for use in queries returned by ::prepare(). + * + * @since 4.8.3 + * + * @return string String to escape placeholders. + */ + public function placeholder_escape() { + static $placeholder; + + if ( ! $placeholder ) { + // If ext/hash is not present, compat.php's hash_hmac() does not support sha256. + $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; + // Old WP installs may not have AUTH_SALT defined. + $salt = defined( 'AUTH_SALT' ) ? AUTH_SALT : rand(); + + $placeholder = '{' . hash_hmac( $algo, uniqid( $salt, true ), $salt ) . '}'; + } + + /* + * Add the filter to remove the placeholder escaper. Uses priority 0, so that anything + * else attached to this filter will recieve the query with the placeholder string removed. + */ + if ( ! has_filter( 'query', array( $this, 'remove_placeholder_escape' ) ) ) { + add_filter( 'query', array( $this, 'remove_placeholder_escape' ), 0 ); + } + + return $placeholder; + } + + /** + * Adds a placeholder escape string, to escape anything that resembles a printf() placeholder. + * + * @since 4.8.3 + * + * @param string $query The query to escape. + * @return string The query with the placeholder escape string inserted where necessary. + */ + public function add_placeholder_escape( $query ) { + /* + * To prevent returning anything that even vaguely resembles a placeholder, + * we clobber every % we can find. + */ + return str_replace( '%', $this->placeholder_escape(), $query ); + } + + /** + * Removes the placeholder escape strings from a query. + * + * @since 4.8.3 + * + * @param string $query The query from which the placeholder will be removed. + * @return string The query with the placeholder removed. + */ + public function remove_placeholder_escape( $query ) { + return str_replace( $this->placeholder_escape(), '%', $query ); + } + /** * Insert a row into a table. * diff --git a/tests/phpunit/tests/comment/query.php b/tests/phpunit/tests/comment/query.php index ff4e3aced3..97aa4151cb 100644 --- a/tests/phpunit/tests/comment/query.php +++ b/tests/phpunit/tests/comment/query.php @@ -1218,22 +1218,24 @@ class Tests_Comment_Query extends WP_UnitTestCase { * @ticket 35513 */ public function test_search_int_0_should_not_be_ignored() { + global $wpdb; $q = new WP_Comment_Query(); $q->query( array( 'search' => 0, ) ); - $this->assertContains( "comment_author LIKE '%0%'", $q->request ); + $this->assertContains( "comment_author LIKE '%0%'", $wpdb->remove_placeholder_escape( $q->request ) ); } /** * @ticket 35513 */ public function test_search_string_0_should_not_be_ignored() { + global $wpdb; $q = new WP_Comment_Query(); $q->query( array( 'search' => '0', ) ); - $this->assertContains( "comment_author LIKE '%0%'", $q->request ); + $this->assertContains( "comment_author LIKE '%0%'", $wpdb->remove_placeholder_escape( $q->request ) ); } public function test_orderby_default() { diff --git a/tests/phpunit/tests/date/query.php b/tests/phpunit/tests/date/query.php index cc848be868..b5cfac8217 100644 --- a/tests/phpunit/tests/date/query.php +++ b/tests/phpunit/tests/date/query.php @@ -512,11 +512,12 @@ class Tests_WP_Date_Query extends WP_UnitTestCase { * @ticket 34228 */ public function test_build_time_query_should_not_discard_hour_0() { + global $wpdb; $q = new WP_Date_Query( array() ); $found = $q->build_time_query( 'post_date', '=', 0, 10 ); - $this->assertContains( '%H', $found ); + $this->assertContains( '%H', $wpdb->remove_placeholder_escape( $found ) ); } public function test_build_time_query_compare_in() { @@ -612,33 +613,36 @@ class Tests_WP_Date_Query extends WP_UnitTestCase { } public function test_build_time_query_hour_minute() { + global $wpdb; $q = new WP_Date_Query( array() ); $found = $q->build_time_query( 'post_date', '=', 5, 15 ); // $compare value is floating point - use regex to account for // varying precision on different PHP installations - $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $found ); + $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $wpdb->remove_placeholder_escape( $found ) ); } public function test_build_time_query_hour_minute_second() { + global $wpdb; $q = new WP_Date_Query( array() ); $found = $q->build_time_query( 'post_date', '=', 5, 15, 35 ); // $compare value is floating point - use regex to account for // varying precision on different PHP installations - $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $found ); + $this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $wpdb->remove_placeholder_escape( $found ) ); } public function test_build_time_query_minute_second() { + global $wpdb; $q = new WP_Date_Query( array() ); $found = $q->build_time_query( 'post_date', '=', null, 15, 35 ); // $compare value is floating point - use regex to account for // varying precision on different PHP installations - $this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $found ); + $this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $wpdb->remove_placeholder_escape( $found ) ); } /** diff --git a/tests/phpunit/tests/db.php b/tests/phpunit/tests/db.php index 26c324e81a..978cb6f274 100644 --- a/tests/phpunit/tests/db.php +++ b/tests/phpunit/tests/db.php @@ -270,6 +270,9 @@ class Tests_DB extends WP_UnitTestCase { public function test_double_escaped_placeholders() { global $wpdb; $sql = $wpdb->prepare( "UPDATE test_table SET string_column = '%%f is a float, %%d is an int %d, %%s is a string', field = %s", 3, '4' ); + $this->assertContains( $wpdb->placeholder_escape(), $sql ); + + $sql = $wpdb->remove_placeholder_escape( $sql ); $this->assertEquals( "UPDATE test_table SET string_column = '%f is a float, %d is an int 3, %s is a string', field = '4'", $sql ); } @@ -375,8 +378,8 @@ class Tests_DB extends WP_UnitTestCase { $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared ); } - function test_prepare_vsprintf() { - global $wpdb; + function test_prepare_vsprintf() { + global $wpdb; $prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ) ); $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared ); @@ -393,7 +396,74 @@ class Tests_DB extends WP_UnitTestCase { $prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( array( 1 ), "admin" ) ); $this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared ); - } + } + + /** + * @ticket 42040 + * @dataProvider data_prepare_incorrect_arg_count + * @expectedIncorrectUsage wpdb::prepare + */ + public function test_prepare_incorrect_arg_count( $query, $args, $expected ) { + global $wpdb; + + // $query is the first argument to be passed to wpdb::prepare() + array_unshift( $args, $query ); + + $prepared = @call_user_func_array( array( $wpdb, 'prepare' ), $args ); + $this->assertEquals( $expected, $prepared ); + } + + public function data_prepare_incorrect_arg_count() { + global $wpdb; + + return array( + array( + "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", // Query + array( 1, "admin", "extra-arg" ), // ::prepare() args, to be passed via call_user_func_array + "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", // Expected output + ), + array( + "SELECT * FROM $wpdb->users WHERE id = %%%d AND user_login = %s", + array( 1 ), + false, + ), + array( + "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", + array( array( 1, "admin", "extra-arg" ) ), + "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", + ), + array( + "SELECT * FROM $wpdb->users WHERE id = %d AND %% AND user_login = %s", + array( 1, "admin", "extra-arg" ), + "SELECT * FROM $wpdb->users WHERE id = 1 AND {$wpdb->placeholder_escape()} AND user_login = 'admin'", + ), + array( + "SELECT * FROM $wpdb->users WHERE id = %%%d AND %F AND %f AND user_login = %s", + array( 1, 2.3, "4.5", "admin", "extra-arg" ), + "SELECT * FROM $wpdb->users WHERE id = {$wpdb->placeholder_escape()}1 AND 2.300000 AND 4.500000 AND user_login = 'admin'", + ), + array( + "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", + array( array( 1 ), "admin", "extra-arg" ), + "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", + ), + array( + "SELECT * FROM $wpdb->users WHERE id = %d and user_nicename = %s and user_status = %d and user_login = %s", + array( 1, "admin", 0 ), + '', + ), + array( + "SELECT * FROM $wpdb->users WHERE id = %d and user_nicename = %s and user_status = %d and user_login = %s", + array( array( 1, "admin", 0 ) ), + '', + ), + array( + "SELECT * FROM $wpdb->users WHERE id = %d and %% and user_login = %s and user_status = %d and user_login = %s", + array( 1, "admin", "extra-arg" ), + '', + ), + ); + } function test_db_version() { global $wpdb; @@ -1118,12 +1188,326 @@ class Tests_DB extends WP_UnitTestCase { } /** - * + * @dataProvider data_prepare_with_placeholders */ - function test_prepare_with_unescaped_percents() { + function test_prepare_with_placeholders_and_individual_args( $sql, $values, $incorrect_usage, $expected) { global $wpdb; - $sql = $wpdb->prepare( '%d %1$d %%% %', 1 ); - $this->assertEquals( '1 %1$d %% %', $sql ); + if ( $incorrect_usage ) { + $this->setExpectedIncorrectUsage( 'wpdb::prepare' ); + } + + if ( ! is_array( $values ) ) { + $values = array( $values ); + } + + array_unshift( $values, $sql ); + + $sql = call_user_func_array( array( $wpdb, 'prepare' ), $values ); + $this->assertEquals( $expected, $sql ); + } + + /** + * @dataProvider data_prepare_with_placeholders + */ + function test_prepare_with_placeholders_and_array_args( $sql, $values, $incorrect_usage, $expected) { + global $wpdb; + + if ( $incorrect_usage ) { + $this->setExpectedIncorrectUsage( 'wpdb::prepare' ); + } + + if ( ! is_array( $values ) ) { + $values = array( $values ); + } + + $sql = call_user_func_array( array( $wpdb, 'prepare' ), array( $sql, $values ) ); + $this->assertEquals( $expected, $sql ); + } + + function data_prepare_with_placeholders() { + global $wpdb; + + return array( + array( + '%5s', // SQL to prepare + 'foo', // Value to insert in the SQL + false, // Whether to expect an incorrect usage error or not + ' foo', // Expected output + ), + array( + '%1$d %%% % %%1$d%% %%%1$d%%', + 1, + true, + "1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1\$d{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1{$wpdb->placeholder_escape()}", + ), + array( + '%-5s', + 'foo', + false, + 'foo ', + ), + array( + '%05s', + 'foo', + false, + '00foo', + ), + array( + "%'#5s", + 'foo', + false, + '##foo', + ), + array( + '%.3s', + 'foobar', + false, + 'foo', + ), + array( + '%.3f', + 5.123456, + false, + '5.123', + ), + array( + '%.3f', + 5.12, + false, + '5.120', + ), + array( + '%s', + ' %s ', + false, + "' {$wpdb->placeholder_escape()}s '", + ), + array( + '%1$s', + ' %s ', + false, + " {$wpdb->placeholder_escape()}s ", + ), + array( + '%1$s', + ' %1$s ', + false, + " {$wpdb->placeholder_escape()}1\$s ", + ), + array( + '%d %1$d %%% %', + 1, + true, + "1 1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}", + ), + array( + '%d %2$s', + array( 1, 'hello' ), + false, + "1 hello", + ), + array( + "'%s'", + 'hello', + false, + "'hello'", + ), + array( + '"%s"', + 'hello', + false, + "'hello'", + ), + array( + "%s '%1\$s'", + 'hello', + true, + "'hello' 'hello'", + ), + array( + "%s '%1\$s'", + 'hello', + true, + "'hello' 'hello'", + ), + array( + '%s "%1$s"', + 'hello', + true, + "'hello' \"hello\"", + ), + array( + "%%s %%'%1\$s'", + 'hello', + false, + "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}'hello'", + ), + array( + '%%s %%"%1$s"', + 'hello', + false, + "{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}\"hello\"", + ), + array( + '%s', + ' % s ', + false, + "' {$wpdb->placeholder_escape()} s '", + ), + array( + '%%f %%"%1$f"', + 3, + false, + "{$wpdb->placeholder_escape()}f {$wpdb->placeholder_escape()}\"3.000000\"", + ), + array( + 'WHERE second=\'%2$s\' AND first=\'%1$s\'', + array( 'first arg', 'second arg' ), + false, + "WHERE second='second arg' AND first='first arg'", + ), + array( + 'WHERE second=%2$d AND first=%1$d', + array( 1, 2 ), + false, + "WHERE second=2 AND first=1", + ), + array( + "'%'%%s", + 'hello', + true, + "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s", + ), + array( + "'%'%%s%s", + 'hello', + false, + "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s'hello'", + ), + array( + "'%'%%s %s", + 'hello', + false, + "'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s 'hello'", + ), + array( + "'%-'#5s' '%'#-+-5s'", + array( 'hello', 'foo' ), + false, + "'hello' 'foo##'", + ), + ); + } + + /** + * @dataProvider data_escape_and_prepare + */ + function test_escape_and_prepare( $escape, $sql, $values, $incorrect_usage, $expected ) { + global $wpdb; + + if ( $incorrect_usage ) { + $this->setExpectedIncorrectUsage( 'wpdb::prepare' ); + } + + $escape = esc_sql( $escape ); + + $sql = str_replace( '{ESCAPE}', $escape, $sql ); + + $actual = $wpdb->prepare( $sql, $values ); + + $this->assertEquals( $expected, $actual ); + } + + function data_escape_and_prepare() { + global $wpdb; + return array( + array( + '%s', // String to pass through esc_url() + ' {ESCAPE} ', // Query to insert the output of esc_url() into, replacing "{ESCAPE}" + 'foo', // Data to send to prepare() + true, // Whether to expect an incorrect usage error or not + " {$wpdb->placeholder_escape()}s ", // Expected output + ), + array( + 'foo%sbar', + "SELECT * FROM bar WHERE foo='{ESCAPE}' OR baz=%s", + array( ' SQLi -- -', 'pewpewpew' ), + true, + null, + ), + array( + '%s', + ' %s {ESCAPE} ', + 'foo', + false, + " 'foo' {$wpdb->placeholder_escape()}s ", + ), + ); + } + + /** + * @expectedIncorrectUsage wpdb::prepare + */ + function test_double_prepare() { + global $wpdb; + + $part = $wpdb->prepare( ' AND meta_value = %s', ' %s ' ); + $this->assertNotContains( '%s', $part ); + $query = $wpdb->prepare( 'SELECT * FROM {$wpdb->postmeta} WHERE meta_key = %s $part', array( 'foo', 'bar' ) ); + $this->assertNull( $query ); + } + + function test_prepare_numeric_placeholders_float_args() { + global $wpdb; + + $actual = $wpdb->prepare( + 'WHERE second=%2$f AND first=%1$f', + 1.1, + 2.2 + ); + + /* Floats can be right padded, need to assert differently */ + $this->assertContains( ' first=1.1', $actual ); + $this->assertContains( ' second=2.2', $actual ); + } + + function test_prepare_numeric_placeholders_float_array() { + global $wpdb; + + $actual = $wpdb->prepare( + 'WHERE second=%2$f AND first=%1$f', + array( 1.1, 2.2 ) + ); + + /* Floats can be right padded, need to assert differently */ + $this->assertContains( ' first=1.1', $actual ); + $this->assertContains( ' second=2.2', $actual ); + } + + function test_query_unescapes_placeholders() { + global $wpdb; + + $value = ' %s '; + + $wpdb->query( "CREATE TABLE {$wpdb->prefix}test_placeholder( a VARCHAR(100) );" ); + $sql = $wpdb->prepare( "INSERT INTO {$wpdb->prefix}test_placeholder VALUES(%s)", $value ); + $wpdb->query( $sql ); + + $actual = $wpdb->get_var( "SELECT a FROM {$wpdb->prefix}test_placeholder" ); + + $wpdb->query( "DROP TABLE {$wpdb->prefix}test_placeholder" ); + + $this->assertNotContains( '%s', $sql ); + $this->assertEquals( $value, $actual ); + } + + function test_esc_sql_with_unsupported_placeholder_type() { + global $wpdb; + + $sql = $wpdb->prepare( ' %s %1$c ', 'foo' ); + $sql = $wpdb->prepare( " $sql %s ", 'foo' ); + + $this->assertEquals( " 'foo' {$wpdb->placeholder_escape()}1\$c 'foo' ", $sql ); } } diff --git a/tests/phpunit/tests/rest-api/rest-posts-controller.php b/tests/phpunit/tests/rest-api/rest-posts-controller.php index db94b71d5f..49a51bb642 100644 --- a/tests/phpunit/tests/rest-api/rest-posts-controller.php +++ b/tests/phpunit/tests/rest-api/rest-posts-controller.php @@ -84,7 +84,7 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te global $wpdb; $expected_clause = str_replace( '{posts}', $wpdb->posts, $pattern ); $this->assertCount( 1, $this->posts_clauses ); - $this->assertEquals( $expected_clause, $this->posts_clauses[0][ $clause ] ); + $this->assertEquals( $expected_clause, $wpdb->remove_placeholder_escape( $this->posts_clauses[0][ $clause ] ) ); } public function assertPostsOrderedBy( $pattern ) { diff --git a/tests/phpunit/tests/term/meta.php b/tests/phpunit/tests/term/meta.php index ac309dc622..b88140aad4 100644 --- a/tests/phpunit/tests/term/meta.php +++ b/tests/phpunit/tests/term/meta.php @@ -358,7 +358,7 @@ class Tests_Term_Meta extends WP_UnitTestCase { register_taxonomy( 'wptests_tax', 'post' ); $t1 = wp_insert_term( 'Foo', 'wptests_tax' ); - add_term_meta( $t1, 'foo', 'bar' ); + add_term_meta( $t1['term_id'], 'foo', 'bar' ); register_taxonomy( 'wptests_tax_2', 'post' ); register_taxonomy( 'wptests_tax_3', 'post' ); diff --git a/wp-tests-config-sample.php b/wp-tests-config-sample.php index 3ea3c0296a..3965745805 100644 --- a/wp-tests-config-sample.php +++ b/wp-tests-config-sample.php @@ -38,6 +38,21 @@ define( 'DB_HOST', 'localhost' ); define( 'DB_CHARSET', 'utf8' ); define( 'DB_COLLATE', '' ); +/**#@+ + * Authentication Unique Keys and Salts. + * + * Change these to different unique phrases! + * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service} + */ +define('AUTH_KEY', 'put your unique phrase here'); +define('SECURE_AUTH_KEY', 'put your unique phrase here'); +define('LOGGED_IN_KEY', 'put your unique phrase here'); +define('NONCE_KEY', 'put your unique phrase here'); +define('AUTH_SALT', 'put your unique phrase here'); +define('SECURE_AUTH_SALT', 'put your unique phrase here'); +define('LOGGED_IN_SALT', 'put your unique phrase here'); +define('NONCE_SALT', 'put your unique phrase here'); + $table_prefix = 'wptests_'; // Only numbers, letters, and underscores please! define( 'WP_TESTS_DOMAIN', 'example.org' );