Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow prepared queries to be passed in via a variable #1331

Open
johnbillion opened this issue Mar 29, 2018 · 7 comments
Open

Allow prepared queries to be passed in via a variable #1331

johnbillion opened this issue Mar 29, 2018 · 7 comments
Labels
Component: Core Focus: DB Focus: Security

Comments

@johnbillion
Copy link
Member

Given the following code, a WordPress.WP.PreparedSQL.NotPrepared error is raised:

$query = $wpdb->prepare( "
	SELECT ID
	FROM {$wpdb->posts}
	WHERE post_type = %s
", $post_type );
$all_post_ids = $wpdb->get_col( $query );

The error is raised because the prepared query is passed in via a variable instead of prepare() being called directly inside get_col().

Is there a way that this format can be supported in WPCS?
@JDGrimes
Copy link
Contributor

Duplicate of #469?

@Sephster
Copy link

I would like to see this rectified as well. The code being written is valid and conforms to the standard. This is a false detection and it would be preferable to fix this in the rules instead of peppering source code with exceptions for PHPCS.

@jrfnl jrfnl mentioned this issue Aug 23, 2018
Open
@pento
Copy link
Member

pento commented Jul 9, 2019

Looks like this is a problem for Core, too: I'm finding a lot of instances of this (perfectly valid) pattern.

@dingo-d
Copy link
Member

dingo-d commented Jul 9, 2019

Just thinking out loud here, in case code like above is found, the sniff should look what are the previous tokens (up to some point which can be right above the found issue, or even passed from another file in which case it's impossible to determine if the query is prepared or not) in the file, and if one of them matches prepare then this would be ok (just thinking out loud about it doesn't sound ok to me xD)? We should also see if the same variable passed to unprepared query contains the prepare statement...

Is this even possible (sounds highly unlikely)? Wouldn't it be easier to just refactor the offending code to include prepared statement?

@pento what is the number of such occurrences in the core?

@pento
Copy link
Member

pento commented Jul 10, 2019

There are currently 116 WordPress.DB.PreparedSQL.NotPrepared errors in Core: I haven't manually checked each of them yet, but all the ones I've spot checked have been valid.

It's possible to refactor the simple examples to be $wpdb->query( $wpdb->prepare( ... ) ), but there are a lot of instances where the query is built up through a bunch of different conditions (eg, the various WP_Query classes).

@Inwerpsel Inwerpsel mentioned this issue Feb 13, 2020
Merged
@3ynm
Copy link

3ynm commented Oct 7, 2020

Same problem here. A prepared statement should not be required on get_var, get_results nor get_col, instead detected only when directly interpolating variables on a string.

@eddr
Copy link

eddr commented Oct 26, 2024

Hi
Any news?
Important for basic coding..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Component: Core Focus: DB Focus: Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@johnbillion @pento @eddr @jrfnl @Sephster @JDGrimes @3ynm @dingo-d