Both Psalm 4.8 and PHPStan 0.12.97 have the literal-string type, which can be used to ensure a string is defined by the developer (i.e. does not contain any user values). This is a really useful and simple way to prevent SQL Injection Vulnerabilities.
I have created patches for #52506 so identifiers (table/field names) can be escaped via a new %i parameter; and #54042 makes it easier/safer to do WHERE id IN (%...d) style queries.
Hopefully these will be accepted for WordPress 6.1. I've had a few reviews already, and the first patch will be discussed at the next "Early Scrub" meeting (on the 19th May 2022, 18:00 UTC on the Slack #core channel).
Both of these patches will allow the $query parameter to be a literal-string, e.g.
```php
$wpdb->prepare('SELECT * FROM %i WHERE ID IN (%...d)', $table, $ids);
```
While it might be worth waiting for WordPress 6.1... would it be ok to try setting @param literal-string $query on the wpdb::prepare() method?
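A sketch of what the proposed annotation buys you, as an added example that is not from the issue or from WordPress core; the SafeDb class, its escaping rules and its handling of the %i placeholder are assumptions modelled on the patch described above, and the escaping is illustrative rather than the driver's real escaping:

```php
<?php
// Added example (not WordPress code). Minimal stand-in for wpdb::prepare()
// carrying the literal-string annotation proposed in the issue and accepting
// the %i identifier placeholder from #52506. Escaping here is an assumption
// for illustration; production code uses the database driver's escaping.
final class SafeDb
{
    /**
     * @param literal-string $query  Psalm/PHPStan reject anything that is not
     *                               written by the developer (e.g. $_GET data).
     * @param list<int|string> $args Values bound to the placeholders, in order.
     */
    public function prepare(string $query, array $args): string
    {
        $i = 0;
        return preg_replace_callback(
            '/%(i|d|s)/',
            function (array $m) use ($args, &$i): string {
                $value = $args[$i++];
                switch ($m[1]) {
                    case 'i': // identifier: backtick-quote, double embedded backticks
                        return '`' . str_replace('`', '``', (string) $value) . '`';
                    case 'd': // integer: cast, so no string can leak through
                        return (string) (int) $value;
                    default:  // string: quote it (placeholder for driver escaping)
                        return "'" . addslashes((string) $value) . "'";
                }
            },
            $query
        );
    }
}

$db = new SafeDb();

// Accepted: the template is a literal; user data travels only via placeholders.
$table = $_GET['table'] ?? 'wp_posts';   // user-controlled identifier
$id    = $_GET['id'] ?? '1';
echo $db->prepare('SELECT * FROM %i WHERE ID = %d', [$table, $id]), "\n";
// e.g. SELECT * FROM `wp_posts` WHERE ID = 1

// Rejected by the type checker: once user input is concatenated in, $query is
// a plain string, not a literal-string, so the injection is caught before runtime.
// echo $db->prepare('SELECT * FROM ' . $table . ' WHERE ID = %d', [$id]);
```

Running Psalm or PHPStan over the commented-out call reports that a non-literal string is passed where literal-string is expected, which is exactly the signal the issue wants from `@param literal-string $query` on `wpdb::prepare()`.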