Database: Hardening for `wpdb::prepare()`

Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored. Merges [41470] to 4.7 branch. git-svn-id: https://develop.svn.wordpress.org/branches/4.7@41472 602fd350-edb4-49c9-b593-d223f7449a82
2017-09-19 14:58:49 +00:00 · 2017-09-19 14:58:49 +00:00 · 66f675be1c
parent 1dcdbc9d60
commit 66f675be1c
2 changed files with 50 additions and 1 deletions
--- a/src/wp-includes/wp-db.php
+++ b/src/wp-includes/wp-db.php
@ -1299,9 +1299,18 @@ class wpdb {

 		$args = func_get_args();
 		array_shift( $args );
+
 		// If args were passed as an array (as in vsprintf), move them up
-		if ( isset( $args[0] ) && is_array($args[0]) )
+		if ( is_array( $args[0] ) && count( $args ) == 1 ) {
 			$args = $args[0];
+		}
+
+		foreach ( $args as $arg ) {
+			if ( ! is_scalar( $arg ) ) {
+				_doing_it_wrong( 'wpdb::prepare', sprintf( 'Unsupported value type (%s).', gettype( $arg ) ), '4.7.6' );
+			}
+		}
+
 		$query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
 		$query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
 		$query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
--- a/tests/phpunit/tests/db.php
+++ b/tests/phpunit/tests/db.php
@ -354,6 +354,46 @@ class Tests_DB extends WP_UnitTestCase {
 		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0", $prepared );
 	}

+	function test_prepare_sprintf() {
+		global $wpdb;
+
+		$prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 1, "admin" );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
+	}
+
+	/**
+	 * @expectedIncorrectUsage wpdb::prepare
+	 */
+	function test_prepare_sprintf_invalid_args() {
+		global $wpdb;
+
+		$prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 1, array( "admin" ) );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = ''", $prepared );
+
+		$prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1 ), "admin" );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
+	}
+
+        function test_prepare_vsprintf() {
+                global $wpdb;
+
+		$prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ) );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
+	}
+
+	/**
+	 * @expectedIncorrectUsage wpdb::prepare
+	 */
+	function test_prepare_vsprintf_invalid_args() {
+		global $wpdb;
+
+		$prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, array( "admin" ) ) );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = ''", $prepared );
+
+		$prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( array( 1 ), "admin" ) );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
+        }
+
 	function test_db_version() {
 		global $wpdb;