Ticket #6836 (new defect)

Opened 2 months ago

Last modified 3 weeks ago

Prepare queries using INSERT/UPDATE should use wpdb::insert() or wpdb::update()

Reported by: DD32 Assigned to: ryan
Priority: normal Milestone: 2.6
Component: Administration Version: 2.6
Severity: normal Keywords: has-patch needs-testing
Cc:

Description

Recently some commits were made to introduce more prepared queries, eg: [7645](However theres probably more in the last 7 months). There are also areas where the insert/update raw SQL's have not been moved over yet.

See [6221] and [6238] for the renamed areas.

Attachments

6836.diff (3.3 kB) - added by DD32 on 04/25/08 08:29:07.
6836.2.diff (2.3 kB) - added by DD32 on 04/25/08 08:50:13.
changes tested.
6836.3.diff (21.7 kB) - added by DD32 on 04/25/08 10:02:52.
Tested with a New Install only; Upgrade functions not tested, Could do with an extra eye-over
6836.4.diff (2.5 kB) - added by DD32 on 04/25/08 11:36:57.
remains of wp-admin/
6836.5.diff (8.8 kB) - added by DD32 on 04/25/08 12:17:06.
/ and /wp-includes/ untested
6836.5-2.diff (9.2 kB) - added by DD32 on 04/25/08 12:28:58.
6836.full.diff (38.0 kB) - added by DD32 on 06/10/08 10:45:12.
also includes a logic inversion in the original patch for wp-includes/comment.php
insert.type.diff (1.1 kB) - added by DD32 on 06/11/08 09:14:17.

Change History

04/25/08 07:35:09 changed by markjaquith

Cheers! I think the best way to do it is one file at a time. That way a lot of people can participate without having to all share one big monster diff.

04/25/08 07:58:37 changed by DD32

I think the best way to do it is one file at a time.

Yep, I agree with that. I might make a start over the weekend on some of them.

04/25/08 08:29:07 changed by DD32

  • attachment 6836.diff added.

04/25/08 08:33:13 changed by DD32

attachment 6836.diff added.

Note: There was a escaping issue with adding meta/updating meta, ' and " were being double escaped. Patch as such removes the double escpaping.

Also renamed a few variables so as to use compact('meta_value') instead of array('meta_value' => $metavalue,..). Just makes it look a bit more clean and keeps fields named the same throughout.

All Meta changes were tested working, The last chunk(Change to _relocate_children()) hasnt been tested, But i see no reason it should fail.

04/25/08 08:50:13 changed by DD32

  • attachment 6836.2.diff added.

changes tested.

04/25/08 10:02:52 changed by DD32

  • attachment 6836.3.diff added.

Tested with a New Install only; Upgrade functions not tested, Could do with an extra eye-over

04/25/08 11:36:57 changed by DD32

  • attachment 6836.4.diff added.

remains of wp-admin/

04/25/08 12:17:06 changed by DD32

  • attachment 6836.5.diff added.

/ and /wp-includes/ untested

04/25/08 12:28:35 changed by DD32

Just noticed this: http://trac.wordpress.org/browser/trunk/wp-includes/functions.php#L527 

532: $type = $wpdb->escape( $headers['content-type'] );
}}

I assume it was probably left over from when the raw query was there.. removed it in 6836.5-2.diff

04/25/08 12:28:58 changed by DD32

  • attachment 6836.5-2.diff added.

05/17/08 06:45:50 changed by DD32

  • keywords set to has-patch needs-testing.

06/10/08 10:38:51 changed by DD32

About to add a full refreshed patch.

I've been running my local install patched like this for awhile, and not had any issues with escaped data.

06/10/08 10:45:12 changed by DD32

  • attachment 6836.full.diff added.

also includes a logic inversion in the original patch for wp-includes/comment.php

06/10/08 16:19:35 changed by ryan

  • owner changed from anonymous to ryan.

Assigning to me for review and commit.

(follow-up: ↓ 9 ) 06/10/08 17:05:28 changed by ryan

insert() and update() don't do prepare(). I would like to pass format specifiers to them somehow before moving everything over.

(in reply to: ↑ 8 ) 06/11/08 09:14:05 changed by DD32

Replying to ryan:

insert() and update() don't do prepare(). I would like to pass format specifiers to them somehow before moving everything over.

How about something similar to this: 

insert ('test_table', array('ID' => 's', 'post' => 'test'), array('ID' => '%d'));
creating:
INSERT INTO test_table (`ID`,`post`) VALUES ('0','test')

(See patch)

06/11/08 09:14:17 changed by DD32

  • attachment insert.type.diff added.

06/11/08 09:19:30 changed by DD32

that could be changed to this to make it more compact: 

foreach( (array)$types as $key => $type )
	if( isset($data[$key]) )
		$data[$key] = sprintf($type, $data[$key]);