Database: Restore numbered placeholders in wpdb::prepare()
.
[41496] removed support for numbered placeholders in queries send through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used. This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders. See #41925. git-svn-id: https://develop.svn.wordpress.org/trunk@42056 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
15f74e83fa
commit
a39d599adf
@ -3754,6 +3754,11 @@ function _deep_replace( $search, $subject ) {
|
||||
* Sometimes, spot-escaping is required or useful. One example
|
||||
* is preparing an array for use in an IN clause.
|
||||
*
|
||||
* NOTE: Since 4.8.3, '%' characters will be replaced with a placeholder string,
|
||||
* this prevents certain SQLi attacks from taking place. This change in behaviour
|
||||
* may cause issues for code that expects the return value of esc_sql() to be useable
|
||||
* for other purposes.
|
||||
*
|
||||
* @since 2.8.0
|
||||
*
|
||||
* @global wpdb $wpdb WordPress database abstraction object.
|
||||
|
@ -364,12 +364,11 @@ function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $d
|
||||
return false;
|
||||
|
||||
if ( $delete_all ) {
|
||||
$value_clause = '';
|
||||
if ( '' !== $meta_value && null !== $meta_value && false !== $meta_value ) {
|
||||
$value_clause = $wpdb->prepare( " AND meta_value = %s", $meta_value );
|
||||
$object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s AND meta_value = %s", $meta_key, $meta_value ) );
|
||||
} else {
|
||||
$object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s", $meta_key ) );
|
||||
}
|
||||
|
||||
$object_ids = $wpdb->get_col( $wpdb->prepare( "SELECT $type_column FROM $table WHERE meta_key = %s $value_clause", $meta_key ) );
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -4317,10 +4317,10 @@ function get_page_by_path( $page_path, $output = OBJECT, $post_type = 'page' ) {
|
||||
$page_path = str_replace('%2F', '/', $page_path);
|
||||
$page_path = str_replace('%20', ' ', $page_path);
|
||||
$parts = explode( '/', trim( $page_path, '/' ) );
|
||||
$parts = esc_sql( $parts );
|
||||
$parts = array_map( 'sanitize_title_for_query', $parts );
|
||||
$escaped_parts = esc_sql( $parts );
|
||||
|
||||
$in_string = "'" . implode( "','", $parts ) . "'";
|
||||
$in_string = "'" . implode( "','", $escaped_parts ) . "'";
|
||||
|
||||
if ( is_array( $post_type ) ) {
|
||||
$post_types = $post_type;
|
||||
|
@ -1106,12 +1106,11 @@ class wpdb {
|
||||
function _real_escape( $string ) {
|
||||
if ( $this->dbh ) {
|
||||
if ( $this->use_mysqli ) {
|
||||
return mysqli_real_escape_string( $this->dbh, $string );
|
||||
$escaped = mysqli_real_escape_string( $this->dbh, $string );
|
||||
} else {
|
||||
return mysql_real_escape_string( $string, $this->dbh );
|
||||
$escaped = mysql_real_escape_string( $string, $this->dbh );
|
||||
}
|
||||
}
|
||||
|
||||
} else {
|
||||
$class = get_class( $this );
|
||||
if ( function_exists( '__' ) ) {
|
||||
/* translators: %s: database access abstraction class, usually wpdb or a class extending wpdb */
|
||||
@ -1119,7 +1118,10 @@ class wpdb {
|
||||
} else {
|
||||
_doing_it_wrong( $class, sprintf( '%s must set a database connection for use with escaping.', $class ), '3.6.0' );
|
||||
}
|
||||
return addslashes( $string );
|
||||
$escaped = addslashes( $string );
|
||||
}
|
||||
|
||||
return $this->add_placeholder_escape( $escaped );
|
||||
}
|
||||
|
||||
/**
|
||||
@ -1201,13 +1203,13 @@ class wpdb {
|
||||
*
|
||||
* All placeholders MUST be left unquoted in the query string. A corresponding argument MUST be passed for each placeholder.
|
||||
*
|
||||
* For compatibility with old behavior, numbered or formatted string placeholders (eg, %1$s, %5s) will not have quotes
|
||||
* added by this function, so should be passed with appropriate quotes around them for your usage.
|
||||
*
|
||||
* Literal percentage signs (%) in the query string must be written as %%. Percentage wildcards (for example,
|
||||
* to use in LIKE syntax) must be passed via a substitution argument containing the complete LIKE string, these
|
||||
* cannot be inserted directly in the query string. Also see {@see esc_like()}.
|
||||
*
|
||||
* This method DOES NOT support sign, padding, alignment, width or precision specifiers.
|
||||
* This method DOES NOT support argument numbering or swapping.
|
||||
*
|
||||
* Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination
|
||||
* of the two is not supported.
|
||||
*
|
||||
@ -1225,8 +1227,9 @@ class wpdb {
|
||||
* @return string|void Sanitized query string, if there is a query to prepare.
|
||||
*/
|
||||
public function prepare( $query, $args ) {
|
||||
if ( is_null( $query ) )
|
||||
if ( is_null( $query ) ) {
|
||||
return;
|
||||
}
|
||||
|
||||
// This is not meant to be foolproof -- but it will catch obviously incorrect usage.
|
||||
if ( strpos( $query, '%' ) === false ) {
|
||||
@ -1237,8 +1240,10 @@ class wpdb {
|
||||
$args = func_get_args();
|
||||
array_shift( $args );
|
||||
|
||||
// If args were passed as an array (as in vsprintf), move them up
|
||||
// If args were passed as an array (as in vsprintf), move them up.
|
||||
$passed_as_array = false;
|
||||
if ( is_array( $args[0] ) && count( $args ) == 1 ) {
|
||||
$passed_as_array = true;
|
||||
$args = $args[0];
|
||||
}
|
||||
|
||||
@ -1249,28 +1254,62 @@ class wpdb {
|
||||
}
|
||||
}
|
||||
|
||||
$query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
|
||||
$query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
|
||||
$query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
|
||||
$query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
|
||||
$query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query ); // escape any unescaped percents
|
||||
/*
|
||||
* Specify the formatting allowed in a placeholder. The following are allowed:
|
||||
*
|
||||
* - Sign specifier. eg, $+d
|
||||
* - Numbered placeholders. eg, %1$s
|
||||
* - Padding specifier, including custom padding characters. eg, %05s, %'#5s
|
||||
* - Alignment specifier. eg, %05-s
|
||||
* - Precision specifier. eg, %.2f
|
||||
*/
|
||||
$allowed_format = '(?:[1-9][0-9]*[$])?[-+0-9]*(?: |0|\'.)?[-+0-9]*(?:\.[0-9]+)?';
|
||||
|
||||
// Count the number of valid placeholders in the query
|
||||
$placeholders = preg_match_all( '/(^|[^%]|(%%)+)%[sdF]/', $query, $matches );
|
||||
/*
|
||||
* If a %s placeholder already has quotes around it, removing the existing quotes and re-inserting them
|
||||
* ensures the quotes are consistent.
|
||||
*
|
||||
* For backwards compatibility, this is only applied to %s, and not to placeholders like %1$s, which are frequently
|
||||
* used in the middle of longer strings, or as table name placeholders.
|
||||
*/
|
||||
$query = str_replace( "'%s'", '%s', $query ); // Strip any existing single quotes.
|
||||
$query = str_replace( '"%s"', '%s', $query ); // Strip any existing double quotes.
|
||||
$query = preg_replace( '/(?<!%)%s/', "'%s'", $query ); // Quote the strings, avoiding escaped strings like %%s.
|
||||
|
||||
if ( count ( $args ) !== $placeholders ) {
|
||||
$query = preg_replace( "/(?<!%)(%($allowed_format)?f)/" , '%\\2F', $query ); // Force floats to be locale unaware.
|
||||
|
||||
$query = preg_replace( "/%(?:%|$|(?!($allowed_format)?[sdF]))/", '%%\\1', $query ); // Escape any unescaped percents.
|
||||
|
||||
// Count the number of valid placeholders in the query.
|
||||
$placeholders = preg_match_all( "/(^|[^%]|(%%)+)%($allowed_format)?[sdF]/", $query, $matches );
|
||||
|
||||
if ( count( $args ) !== $placeholders ) {
|
||||
if ( 1 === $placeholders && $passed_as_array ) {
|
||||
// If the passed query only expected one argument, but the wrong number of arguments were sent as an array, bail.
|
||||
wp_load_translations_early();
|
||||
_doing_it_wrong( 'wpdb::prepare', __( 'The query only expected one placeholder, but an array of multiple placeholders was sent.' ), '4.9.0' );
|
||||
|
||||
return;
|
||||
} else {
|
||||
/*
|
||||
* If we don't have the right number of placeholders, but they were passed as individual arguments,
|
||||
* or we were expecting multiple arguments in an array, throw a warning.
|
||||
*/
|
||||
wp_load_translations_early();
|
||||
_doing_it_wrong( 'wpdb::prepare',
|
||||
/* translators: 1: number of placeholders, 2: number of arguments passed */
|
||||
sprintf( __( 'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).' ),
|
||||
$placeholders,
|
||||
count( $args ) ),
|
||||
'4.9.0'
|
||||
'4.8.3'
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
array_walk( $args, array( $this, 'escape_by_ref' ) );
|
||||
return @vsprintf( $query, $args );
|
||||
$query = @vsprintf( $query, $args );
|
||||
|
||||
return $this->add_placeholder_escape( $query );
|
||||
}
|
||||
|
||||
/**
|
||||
@ -1893,6 +1932,64 @@ class wpdb {
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Generates and returns a placeholder escape string for use in queries returned by ::prepare().
|
||||
*
|
||||
* @since 4.8.3
|
||||
*
|
||||
* @return string String to escape placeholders.
|
||||
*/
|
||||
public function placeholder_escape() {
|
||||
static $placeholder;
|
||||
|
||||
if ( ! $placeholder ) {
|
||||
// If ext/hash is not present, compat.php's hash_hmac() does not support sha256.
|
||||
$algo = function_exists( 'hash' ) ? 'sha256' : 'sha1';
|
||||
// Old WP installs may not have AUTH_SALT defined.
|
||||
$salt = defined( 'AUTH_SALT' ) ? AUTH_SALT : rand();
|
||||
|
||||
$placeholder = '{' . hash_hmac( $algo, uniqid( $salt, true ), $salt ) . '}';
|
||||
}
|
||||
|
||||
/*
|
||||
* Add the filter to remove the placeholder escaper. Uses priority 0, so that anything
|
||||
* else attached to this filter will recieve the query with the placeholder string removed.
|
||||
*/
|
||||
if ( ! has_filter( 'query', array( $this, 'remove_placeholder_escape' ) ) ) {
|
||||
add_filter( 'query', array( $this, 'remove_placeholder_escape' ), 0 );
|
||||
}
|
||||
|
||||
return $placeholder;
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds a placeholder escape string, to escape anything that resembles a printf() placeholder.
|
||||
*
|
||||
* @since 4.8.3
|
||||
*
|
||||
* @param string $query The query to escape.
|
||||
* @return string The query with the placeholder escape string inserted where necessary.
|
||||
*/
|
||||
public function add_placeholder_escape( $query ) {
|
||||
/*
|
||||
* To prevent returning anything that even vaguely resembles a placeholder,
|
||||
* we clobber every % we can find.
|
||||
*/
|
||||
return str_replace( '%', $this->placeholder_escape(), $query );
|
||||
}
|
||||
|
||||
/**
|
||||
* Removes the placeholder escape strings from a query.
|
||||
*
|
||||
* @since 4.8.3
|
||||
*
|
||||
* @param string $query The query from which the placeholder will be removed.
|
||||
* @return string The query with the placeholder removed.
|
||||
*/
|
||||
public function remove_placeholder_escape( $query ) {
|
||||
return str_replace( $this->placeholder_escape(), '%', $query );
|
||||
}
|
||||
|
||||
/**
|
||||
* Insert a row into a table.
|
||||
*
|
||||
|
@ -1218,22 +1218,24 @@ class Tests_Comment_Query extends WP_UnitTestCase {
|
||||
* @ticket 35513
|
||||
*/
|
||||
public function test_search_int_0_should_not_be_ignored() {
|
||||
global $wpdb;
|
||||
$q = new WP_Comment_Query();
|
||||
$q->query( array(
|
||||
'search' => 0,
|
||||
) );
|
||||
$this->assertContains( "comment_author LIKE '%0%'", $q->request );
|
||||
$this->assertContains( "comment_author LIKE '%0%'", $wpdb->remove_placeholder_escape( $q->request ) );
|
||||
}
|
||||
|
||||
/**
|
||||
* @ticket 35513
|
||||
*/
|
||||
public function test_search_string_0_should_not_be_ignored() {
|
||||
global $wpdb;
|
||||
$q = new WP_Comment_Query();
|
||||
$q->query( array(
|
||||
'search' => '0',
|
||||
) );
|
||||
$this->assertContains( "comment_author LIKE '%0%'", $q->request );
|
||||
$this->assertContains( "comment_author LIKE '%0%'", $wpdb->remove_placeholder_escape( $q->request ) );
|
||||
}
|
||||
|
||||
public function test_orderby_default() {
|
||||
|
@ -512,11 +512,12 @@ class Tests_WP_Date_Query extends WP_UnitTestCase {
|
||||
* @ticket 34228
|
||||
*/
|
||||
public function test_build_time_query_should_not_discard_hour_0() {
|
||||
global $wpdb;
|
||||
$q = new WP_Date_Query( array() );
|
||||
|
||||
$found = $q->build_time_query( 'post_date', '=', 0, 10 );
|
||||
|
||||
$this->assertContains( '%H', $found );
|
||||
$this->assertContains( '%H', $wpdb->remove_placeholder_escape( $found ) );
|
||||
}
|
||||
|
||||
public function test_build_time_query_compare_in() {
|
||||
@ -612,33 +613,36 @@ class Tests_WP_Date_Query extends WP_UnitTestCase {
|
||||
}
|
||||
|
||||
public function test_build_time_query_hour_minute() {
|
||||
global $wpdb;
|
||||
$q = new WP_Date_Query( array() );
|
||||
|
||||
$found = $q->build_time_query( 'post_date', '=', 5, 15 );
|
||||
|
||||
// $compare value is floating point - use regex to account for
|
||||
// varying precision on different PHP installations
|
||||
$this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $found );
|
||||
$this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i' \) = 5\.150*/", $wpdb->remove_placeholder_escape( $found ) );
|
||||
}
|
||||
|
||||
public function test_build_time_query_hour_minute_second() {
|
||||
global $wpdb;
|
||||
$q = new WP_Date_Query( array() );
|
||||
|
||||
$found = $q->build_time_query( 'post_date', '=', 5, 15, 35 );
|
||||
|
||||
// $compare value is floating point - use regex to account for
|
||||
// varying precision on different PHP installations
|
||||
$this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $found );
|
||||
$this->assertRegExp( "/DATE_FORMAT\( post_date, '%H\.%i%s' \) = 5\.15350*/", $wpdb->remove_placeholder_escape( $found ) );
|
||||
}
|
||||
|
||||
public function test_build_time_query_minute_second() {
|
||||
global $wpdb;
|
||||
$q = new WP_Date_Query( array() );
|
||||
|
||||
$found = $q->build_time_query( 'post_date', '=', null, 15, 35 );
|
||||
|
||||
// $compare value is floating point - use regex to account for
|
||||
// varying precision on different PHP installations
|
||||
$this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $found );
|
||||
$this->assertRegExp( "/DATE_FORMAT\( post_date, '0\.%i%s' \) = 0\.15350*/", $wpdb->remove_placeholder_escape( $found ) );
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -270,6 +270,9 @@ class Tests_DB extends WP_UnitTestCase {
|
||||
public function test_double_escaped_placeholders() {
|
||||
global $wpdb;
|
||||
$sql = $wpdb->prepare( "UPDATE test_table SET string_column = '%%f is a float, %%d is an int %d, %%s is a string', field = %s", 3, '4' );
|
||||
$this->assertContains( $wpdb->placeholder_escape(), $sql );
|
||||
|
||||
$sql = $wpdb->remove_placeholder_escape( $sql );
|
||||
$this->assertEquals( "UPDATE test_table SET string_column = '%f is a float, %d is an int 3, %s is a string', field = '4'", $sql );
|
||||
}
|
||||
|
||||
@ -432,12 +435,12 @@ class Tests_DB extends WP_UnitTestCase {
|
||||
array(
|
||||
"SELECT * FROM $wpdb->users WHERE id = %d AND %% AND user_login = %s",
|
||||
array( 1, "admin", "extra-arg" ),
|
||||
"SELECT * FROM $wpdb->users WHERE id = 1 AND % AND user_login = 'admin'",
|
||||
"SELECT * FROM $wpdb->users WHERE id = 1 AND {$wpdb->placeholder_escape()} AND user_login = 'admin'",
|
||||
),
|
||||
array(
|
||||
"SELECT * FROM $wpdb->users WHERE id = %%%d AND %F AND %f AND user_login = %s",
|
||||
array( 1, 2.3, "4.5", "admin", "extra-arg" ),
|
||||
"SELECT * FROM $wpdb->users WHERE id = %1 AND 2.300000 AND 4.500000 AND user_login = 'admin'",
|
||||
"SELECT * FROM $wpdb->users WHERE id = {$wpdb->placeholder_escape()}1 AND 2.300000 AND 4.500000 AND user_login = 'admin'",
|
||||
),
|
||||
array(
|
||||
"SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s",
|
||||
@ -1185,13 +1188,327 @@ class Tests_DB extends WP_UnitTestCase {
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @dataProvider data_prepare_with_placeholders
|
||||
*/
|
||||
function test_prepare_with_unescaped_percents() {
|
||||
function test_prepare_with_placeholders_and_individual_args( $sql, $values, $incorrect_usage, $expected) {
|
||||
global $wpdb;
|
||||
|
||||
$sql = $wpdb->prepare( '%d %1$d %%% %', 1 );
|
||||
$this->assertEquals( '1 %1$d %% %', $sql );
|
||||
if ( $incorrect_usage ) {
|
||||
$this->setExpectedIncorrectUsage( 'wpdb::prepare' );
|
||||
}
|
||||
|
||||
if ( ! is_array( $values ) ) {
|
||||
$values = array( $values );
|
||||
}
|
||||
|
||||
array_unshift( $values, $sql );
|
||||
|
||||
$sql = call_user_func_array( array( $wpdb, 'prepare' ), $values );
|
||||
$this->assertEquals( $expected, $sql );
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider data_prepare_with_placeholders
|
||||
*/
|
||||
function test_prepare_with_placeholders_and_array_args( $sql, $values, $incorrect_usage, $expected) {
|
||||
global $wpdb;
|
||||
|
||||
if ( $incorrect_usage ) {
|
||||
$this->setExpectedIncorrectUsage( 'wpdb::prepare' );
|
||||
}
|
||||
|
||||
if ( ! is_array( $values ) ) {
|
||||
$values = array( $values );
|
||||
}
|
||||
|
||||
$sql = call_user_func_array( array( $wpdb, 'prepare' ), array( $sql, $values ) );
|
||||
$this->assertEquals( $expected, $sql );
|
||||
}
|
||||
|
||||
function data_prepare_with_placeholders() {
|
||||
global $wpdb;
|
||||
|
||||
return array(
|
||||
array(
|
||||
'%5s', // SQL to prepare
|
||||
'foo', // Value to insert in the SQL
|
||||
false, // Whether to expect an incorrect usage error or not
|
||||
' foo', // Expected output
|
||||
),
|
||||
array(
|
||||
'%1$d %%% % %%1$d%% %%%1$d%%',
|
||||
1,
|
||||
true,
|
||||
"1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1\$d{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}1{$wpdb->placeholder_escape()}",
|
||||
),
|
||||
array(
|
||||
'%-5s',
|
||||
'foo',
|
||||
false,
|
||||
'foo ',
|
||||
),
|
||||
array(
|
||||
'%05s',
|
||||
'foo',
|
||||
false,
|
||||
'00foo',
|
||||
),
|
||||
array(
|
||||
"%'#5s",
|
||||
'foo',
|
||||
false,
|
||||
'##foo',
|
||||
),
|
||||
array(
|
||||
'%.3s',
|
||||
'foobar',
|
||||
false,
|
||||
'foo',
|
||||
),
|
||||
array(
|
||||
'%.3f',
|
||||
5.123456,
|
||||
false,
|
||||
'5.123',
|
||||
),
|
||||
array(
|
||||
'%.3f',
|
||||
5.12,
|
||||
false,
|
||||
'5.120',
|
||||
),
|
||||
array(
|
||||
'%s',
|
||||
' %s ',
|
||||
false,
|
||||
"' {$wpdb->placeholder_escape()}s '",
|
||||
),
|
||||
array(
|
||||
'%1$s',
|
||||
' %s ',
|
||||
false,
|
||||
" {$wpdb->placeholder_escape()}s ",
|
||||
),
|
||||
array(
|
||||
'%1$s',
|
||||
' %1$s ',
|
||||
false,
|
||||
" {$wpdb->placeholder_escape()}1\$s ",
|
||||
),
|
||||
array(
|
||||
'%d %1$d %%% %',
|
||||
1,
|
||||
true,
|
||||
"1 1 {$wpdb->placeholder_escape()}{$wpdb->placeholder_escape()} {$wpdb->placeholder_escape()}",
|
||||
),
|
||||
array(
|
||||
'%d %2$s',
|
||||
array( 1, 'hello' ),
|
||||
false,
|
||||
"1 hello",
|
||||
),
|
||||
array(
|
||||
"'%s'",
|
||||
'hello',
|
||||
false,
|
||||
"'hello'",
|
||||
),
|
||||
array(
|
||||
'"%s"',
|
||||
'hello',
|
||||
false,
|
||||
"'hello'",
|
||||
),
|
||||
array(
|
||||
"%s '%1\$s'",
|
||||
'hello',
|
||||
true,
|
||||
"'hello' 'hello'",
|
||||
),
|
||||
array(
|
||||
"%s '%1\$s'",
|
||||
'hello',
|
||||
true,
|
||||
"'hello' 'hello'",
|
||||
),
|
||||
array(
|
||||
'%s "%1$s"',
|
||||
'hello',
|
||||
true,
|
||||
"'hello' \"hello\"",
|
||||
),
|
||||
array(
|
||||
"%%s %%'%1\$s'",
|
||||
'hello',
|
||||
false,
|
||||
"{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}'hello'",
|
||||
),
|
||||
array(
|
||||
'%%s %%"%1$s"',
|
||||
'hello',
|
||||
false,
|
||||
"{$wpdb->placeholder_escape()}s {$wpdb->placeholder_escape()}\"hello\"",
|
||||
),
|
||||
array(
|
||||
'%s',
|
||||
' % s ',
|
||||
false,
|
||||
"' {$wpdb->placeholder_escape()} s '",
|
||||
),
|
||||
array(
|
||||
'%%f %%"%1$f"',
|
||||
3,
|
||||
false,
|
||||
"{$wpdb->placeholder_escape()}f {$wpdb->placeholder_escape()}\"3.000000\"",
|
||||
),
|
||||
array(
|
||||
'WHERE second=\'%2$s\' AND first=\'%1$s\'',
|
||||
array( 'first arg', 'second arg' ),
|
||||
false,
|
||||
"WHERE second='second arg' AND first='first arg'",
|
||||
),
|
||||
array(
|
||||
'WHERE second=%2$d AND first=%1$d',
|
||||
array( 1, 2 ),
|
||||
false,
|
||||
"WHERE second=2 AND first=1",
|
||||
),
|
||||
array(
|
||||
"'%'%%s",
|
||||
'hello',
|
||||
true,
|
||||
"'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s",
|
||||
),
|
||||
array(
|
||||
"'%'%%s%s",
|
||||
'hello',
|
||||
false,
|
||||
"'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s'hello'",
|
||||
),
|
||||
array(
|
||||
"'%'%%s %s",
|
||||
'hello',
|
||||
false,
|
||||
"'{$wpdb->placeholder_escape()}'{$wpdb->placeholder_escape()}s 'hello'",
|
||||
),
|
||||
array(
|
||||
"'%-'#5s' '%'#-+-5s'",
|
||||
array( 'hello', 'foo' ),
|
||||
false,
|
||||
"'hello' 'foo##'",
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @dataProvider data_escape_and_prepare
|
||||
*/
|
||||
function test_escape_and_prepare( $escape, $sql, $values, $incorrect_usage, $expected ) {
|
||||
global $wpdb;
|
||||
|
||||
if ( $incorrect_usage ) {
|
||||
$this->setExpectedIncorrectUsage( 'wpdb::prepare' );
|
||||
}
|
||||
|
||||
$escape = esc_sql( $escape );
|
||||
|
||||
$sql = str_replace( '{ESCAPE}', $escape, $sql );
|
||||
|
||||
$actual = $wpdb->prepare( $sql, $values );
|
||||
|
||||
$this->assertEquals( $expected, $actual );
|
||||
}
|
||||
|
||||
function data_escape_and_prepare() {
|
||||
global $wpdb;
|
||||
return array(
|
||||
array(
|
||||
'%s', // String to pass through esc_url()
|
||||
' {ESCAPE} ', // Query to insert the output of esc_url() into, replacing "{ESCAPE}"
|
||||
'foo', // Data to send to prepare()
|
||||
true, // Whether to expect an incorrect usage error or not
|
||||
" {$wpdb->placeholder_escape()}s ", // Expected output
|
||||
),
|
||||
array(
|
||||
'foo%sbar',
|
||||
"SELECT * FROM bar WHERE foo='{ESCAPE}' OR baz=%s",
|
||||
array( ' SQLi -- -', 'pewpewpew' ),
|
||||
true,
|
||||
null,
|
||||
),
|
||||
array(
|
||||
'%s',
|
||||
' %s {ESCAPE} ',
|
||||
'foo',
|
||||
false,
|
||||
" 'foo' {$wpdb->placeholder_escape()}s ",
|
||||
),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedIncorrectUsage wpdb::prepare
|
||||
*/
|
||||
function test_double_prepare() {
|
||||
global $wpdb;
|
||||
|
||||
$part = $wpdb->prepare( ' AND meta_value = %s', ' %s ' );
|
||||
$this->assertNotContains( '%s', $part );
|
||||
$query = $wpdb->prepare( 'SELECT * FROM {$wpdb->postmeta} WHERE meta_key = %s $part', array( 'foo', 'bar' ) );
|
||||
$this->assertNull( $query );
|
||||
}
|
||||
|
||||
function test_prepare_numeric_placeholders_float_args() {
|
||||
global $wpdb;
|
||||
|
||||
$actual = $wpdb->prepare(
|
||||
'WHERE second=%2$f AND first=%1$f',
|
||||
1.1,
|
||||
2.2
|
||||
);
|
||||
|
||||
/* Floats can be right padded, need to assert differently */
|
||||
$this->assertContains( ' first=1.1', $actual );
|
||||
$this->assertContains( ' second=2.2', $actual );
|
||||
}
|
||||
|
||||
function test_prepare_numeric_placeholders_float_array() {
|
||||
global $wpdb;
|
||||
|
||||
$actual = $wpdb->prepare(
|
||||
'WHERE second=%2$f AND first=%1$f',
|
||||
array( 1.1, 2.2 )
|
||||
);
|
||||
|
||||
/* Floats can be right padded, need to assert differently */
|
||||
$this->assertContains( ' first=1.1', $actual );
|
||||
$this->assertContains( ' second=2.2', $actual );
|
||||
}
|
||||
|
||||
function test_query_unescapes_placeholders() {
|
||||
global $wpdb;
|
||||
|
||||
$value = ' %s ';
|
||||
|
||||
$wpdb->query( "CREATE TABLE {$wpdb->prefix}test_placeholder( a VARCHAR(100) );" );
|
||||
$sql = $wpdb->prepare( "INSERT INTO {$wpdb->prefix}test_placeholder VALUES(%s)", $value );
|
||||
$wpdb->query( $sql );
|
||||
|
||||
$actual = $wpdb->get_var( "SELECT a FROM {$wpdb->prefix}test_placeholder" );
|
||||
|
||||
$wpdb->query( "DROP TABLE {$wpdb->prefix}test_placeholder" );
|
||||
|
||||
$this->assertNotContains( '%s', $sql );
|
||||
$this->assertEquals( $value, $actual );
|
||||
}
|
||||
|
||||
function test_esc_sql_with_unsupported_placeholder_type() {
|
||||
global $wpdb;
|
||||
|
||||
$sql = $wpdb->prepare( ' %s %1$c ', 'foo' );
|
||||
$sql = $wpdb->prepare( " $sql %s ", 'foo' );
|
||||
|
||||
$this->assertEquals( " 'foo' {$wpdb->placeholder_escape()}1\$c 'foo' ", $sql );
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -85,7 +85,7 @@ class WP_Test_REST_Posts_Controller extends WP_Test_REST_Post_Type_Controller_Te
|
||||
global $wpdb;
|
||||
$expected_clause = str_replace( '{posts}', $wpdb->posts, $pattern );
|
||||
$this->assertCount( 1, $this->posts_clauses );
|
||||
$this->assertEquals( $expected_clause, $this->posts_clauses[0][ $clause ] );
|
||||
$this->assertEquals( $expected_clause, $wpdb->remove_placeholder_escape( $this->posts_clauses[0][ $clause ] ) );
|
||||
}
|
||||
|
||||
public function assertPostsOrderedBy( $pattern ) {
|
||||
|
@ -38,6 +38,21 @@ define( 'DB_HOST', 'localhost' );
|
||||
define( 'DB_CHARSET', 'utf8' );
|
||||
define( 'DB_COLLATE', '' );
|
||||
|
||||
/**#@+
|
||||
* Authentication Unique Keys and Salts.
|
||||
*
|
||||
* Change these to different unique phrases!
|
||||
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
|
||||
*/
|
||||
define('AUTH_KEY', 'put your unique phrase here');
|
||||
define('SECURE_AUTH_KEY', 'put your unique phrase here');
|
||||
define('LOGGED_IN_KEY', 'put your unique phrase here');
|
||||
define('NONCE_KEY', 'put your unique phrase here');
|
||||
define('AUTH_SALT', 'put your unique phrase here');
|
||||
define('SECURE_AUTH_SALT', 'put your unique phrase here');
|
||||
define('LOGGED_IN_SALT', 'put your unique phrase here');
|
||||
define('NONCE_SALT', 'put your unique phrase here');
|
||||
|
||||
$table_prefix = 'wptests_'; // Only numbers, letters, and underscores please!
|
||||
|
||||
define( 'WP_TESTS_DOMAIN', 'example.org' );
|
||||
|
Loading…
Reference in New Issue
Block a user