Database: Hardening for wpdb::prepare()

aaroncampbell · aaroncampbell · commit a577ca8fcd97 · 2017-09-19T15:00:28.000Z
Previously if you passed an array of values for placeholders, additional values could be passed as well. Now additional values will be ignored. Merges [41470] to 4.4 branch. git-svn-id: https://develop.svn.wordpress.org/branches/4.4@41475 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/wp-db.php b/src/wp-includes/wp-db.php
@@ -1254,9 +1254,18 @@ public function prepare( $query, $args ) {
 
 		$args = func_get_args();
 		array_shift( $args );
+
 		// If args were passed as an array (as in vsprintf), move them up
-		if ( isset( $args[0] ) && is_array($args[0]) )
+		if ( is_array( $args[0] ) && count( $args ) == 1 ) {
 			$args = $args[0];
+		}
+
+		foreach ( $args as $arg ) {
+			if ( ! is_scalar( $arg ) ) {
+				_doing_it_wrong( 'wpdb::prepare', sprintf( 'Unsupported value type (%s).', gettype( $arg ) ), '4.4.11' );
+			}
+		}
+
 		$query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
 		$query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
 		$query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
diff --git a/tests/phpunit/tests/db.php b/tests/phpunit/tests/db.php
@@ -353,6 +353,46 @@ function test_prepare_without_arguments() {
 		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0", $prepared );
 	}
 
+	function test_prepare_sprintf() {
+		global $wpdb;
+
+		$prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 1, "admin" );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
+	}
+
+	/**
+	 * @expectedIncorrectUsage wpdb::prepare
+	 */
+	function test_prepare_sprintf_invalid_args() {
+		global $wpdb;
+
+		$prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", 1, array( "admin" ) );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = ''", $prepared );
+
+		$prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1 ), "admin" );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
+	}
+
+        function test_prepare_vsprintf() {
+                global $wpdb;
+
+		$prepared = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, "admin" ) );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = 'admin'", $prepared );
+	}
+
+	/**
+	 * @expectedIncorrectUsage wpdb::prepare
+	 */
+	function test_prepare_vsprintf_invalid_args() {
+		global $wpdb;
+
+		$prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( 1, array( "admin" ) ) );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 1 AND user_login = ''", $prepared );
+
+		$prepared = @$wpdb->prepare( "SELECT * FROM $wpdb->users WHERE id = %d AND user_login = %s", array( array( 1 ), "admin" ) );
+		$this->assertEquals( "SELECT * FROM $wpdb->users WHERE id = 0 AND user_login = 'admin'", $prepared );
+        }
+
 	function test_db_version() {
 		global $wpdb;
 
