Using literal-string for wpdb::prepare() #34

Closed
craigfrancis opened this issue May 17, 2022 · 1 comment

@craigfrancis

Both Psalm 4.8 and PHPStan 0.12.97 have the literal-string type, which can be used to ensure a string is defined by the developer (i.e. does not contain any user values). This is a really useful and simple way to prevent SQL Injection Vulnerabilities.

I have created patches for #52506 so identifiers (table/field names) can be escaped via a new %i parameter; and #54042 makes it easier/safer to do WHERE id IN (%...d) style queries.

Hopefully these will be accepted for WordPress 6.1. I've had a few reviews already, and the first patch will be discussed at the next "Early Scrub" meeting (on the 19th May 2022, 18:00 UTC on the Slack #core channel).

Both of these patches will allow the $query parameter to be a literal-string, e.g.

$wpdb->prepare('SELECT * FROM %i WHERE ID IN (%...d)', $table, $ids);

While it might be worth waiting for WordPress 6.1... would it be ok to try setting @param literal-string $query on the wpdb::prepare() method?
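As an added illustration of the mechanism the comment above describes (this is not WordPress code, nor code from either commenter, and the placeholder behaviour is an assumption modelled on the %i and %...d descriptions, not the actual patches): a minimal prepare() whose $query parameter is annotated literal-string, so that Psalm/PHPStan reject any query string built from runtime data, while table names and integer lists still reach the query safely through placeholders. The class name LiteralPrepare and the escaping rules are hypothetical.

```php
<?php
// Added example, not the WordPress wpdb implementation. LiteralPrepare, the
// %i identifier escaping and the %...d list expansion are assumptions made
// for illustration of the literal-string idea discussed in the issue.
declare(strict_types=1);

final class LiteralPrepare
{
    /**
     * @param literal-string $query  Must be a string written by the developer;
     *                               concatenating user input into it is a
     *                               static-analysis error under Psalm/PHPStan.
     * @param mixed ...$args         Values bound to the placeholders, in order.
     */
    public static function prepare(string $query, ...$args): string
    {
        $i = 0;
        return preg_replace_callback(
            '/%(i|\.\.\.d|d|s)/',   // "...d" is listed before "d" so it wins
            static function (array $m) use ($args, &$i): string {
                $value = $args[$i++] ?? null;
                switch ($m[1]) {
                    case 'i':    // identifier: backtick-quote, double embedded backticks
                        return '`' . str_replace('`', '``', (string) $value) . '`';
                    case '...d': // list of ints: every element is cast, then joined
                        return implode(',', array_map('intval', (array) $value));
                    case 'd':
                        return (string) (int) $value;
                    case 's':    // illustrative only; real code must use the
                                 // driver's escaping (e.g. mysqli_real_escape_string)
                        return "'" . addslashes((string) $value) . "'";
                }
                return $m[0];
            },
            $query
        );
    }
}

// Constructed sample input: an attacker-controlled table name and an id list
// that smuggles a tautology. Both are neutralised by the placeholders.
$table = $_GET['table'] ?? 'wp_posts';
$ids   = [1, 2, '3 OR 1=1'];

// Accepted by the analyzer: the first argument is a literal written in code.
echo LiteralPrepare::prepare(
    'SELECT * FROM %i WHERE ID IN (%...d)', $table, $ids
), "\n";
// SELECT * FROM `wp_posts` WHERE ID IN (1,2,3)

// Rejected by the analyzer (string passed where literal-string is required):
// the table name is interpolated into the query instead of bound via %i.
// echo LiteralPrepare::prepare("SELECT * FROM $table WHERE ID = %d", 1);
```

The value of the annotation is that the second call fails at analysis time, before any request reaches the database: the only way to get runtime data into the query is through a placeholder, and each placeholder applies its own escaping (identifier quoting for %i, integer casting for %d and %...d).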

@szepeviktor
Member

Duplicate of #33

@szepeviktor szepeviktor marked this as a duplicate of #33 May 17, 2022