Escaping Table and Field names with wpdb::prepare() in WordPress

Welcome!

The WordPress coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. development team builds WordPress! Follow this site for general updates, status reports, and the occasional code debate. There’s lots of ways to contribute:

Found a bugbug A bug is an error or unexpected result. Performance improvements, code optimization, and are considered enhancements, not defects. After feature freeze, only bugs are dealt with, with regressions (adverse changes from the previous version) being the highest priority.? Create a ticket in the bug tracker.

Want to contribute? Get started quickly with tickets marked as good first bugs for new contributors or join a bug scrub. There’s more on the reports page, like patches needing testing, and on feature projects page.

Other questions? Here is a detailed handbook for contributors, complete with tutorials.

This has been postponed from WordPress 6.1. See also Postponed to WP 6.2: Escaping Table and Field names with wpdb::prepare()

As part of WordPress 6.2, wpdb::prepare() has been updated to escape Identifiers (such as Table and Field names) with the %i placeholder (#52506).

This ensures these values are escaped correctly and don’t lead to SQL Injection Vulnerabilities.

Example

$table = 'my_table';
$field = 'my_field';
$value = 'my_value';

$wpdb->prepare('SELECT * FROM %i WHERE %i = %s', $table, $field, $value);

// Output:
//   SELECT * FROM `my_table` WHERE `my_field` = 'my_value'

While this protects you against SQL Injection, where possible you should limit the values the user (attacker) can choose via an allow-list of trusted values; e.g.

$fields = array(
    'name'    => 'user_nicename',
    'url'     => 'user_url',
    'created' => 'DATE(created)',
  );

$sql .= ' ORDER BY ' . ($fields[$order_field] ?? 'user_login');

Performance Improvement

The change to add support for %i has a small performance improvement, as there is a little bit less Regular Expression work involved (generally the more parameters, the better the improvement).

In the Future

This was going to be released in WordPress 6.1, but a problem was identified in RC5 where the use of '%%%s%%' (which can often be seen in LIKE queries) stopped working. For reference, the documentation says “numbered or formatted string placeholders” will not have quotes added by this function (an old/unsafe feature), but this also happens when a placeholder immediately follows a “%”.

WordPress is looking to use %i in coreCore Core is the set of software required to run WordPress. The Core Development Team builds WordPress. (#56091).

This change will help developers use the literal-string type for the $query parameter (this is where the $query is written as a developer-defined string, and all user values are provided separately).

Props to @davidbaumwald for reviewing this dev notedev note Each important change in WordPress Core is documented in a developers note, (usually called dev note). Good dev notes generally include a description of the change, the decision that led to this change, and a description of how developers are supposed to work with that change. Dev notes are published on Make/Core blog during the beta phase of WordPress release cycle. Publishing dev notes is particularly important when plugin/theme authors and WordPress developers need to be aware of those changes.In general, all dev notes are compiled into a Field Guide at the beginning of the release candidate phase..

#6-1, #dev-notes, #dev-notes-6-1, #performance, #wpdb

Scott Kingsley Clark 6:59 pm on October 8, 2022

I’m getting really excited about using %i everywhere now for 6.1+ code 🙂

The only other area prepare() I can think of in my day-to-day use that has been an extra headache is when trying to prepare data for IN () and NOT IN () in queries. This has inspired me to go looking through tracTrac An open source project by Edgewall Software that serves as a bug tracker and project management tool for WordPress. to see if there’s anyone else talking about that and propose my own solution if not.
- Scott Kingsley Clark 7:27 pm on October 8, 2022
  
  I couldn’t find a ticketticket Created for both bug reports and feature development on the bug tracker. so I made one here: https://core.trac.wordpress.org/ticket/56764
  - craigfrancis 8:13 pm on October 8, 2022
    
    Thank you Scott, I really appreciate this.
    
    As to the support with IN(), I have made a start with #54042, where I’m hoping to support %...s or %...d (similar to the spread operator)… the patchpatch A special text file that describes changes to code, by identifying the files and lines which are added, removed, and altered. It may also be referred to as a diff. A patch can be applied to a codebase for testing. works, but @jrf has suggested supporting format operators, which I’ve started, but need to finish before 6.2 starts 🙂
    - Scott Kingsley Clark 9:52 pm on October 8, 2022
      
      That’s even better than I had hoped, putting my +1 on that and I marked my own as duplicate
BackuPs 8:30 am on November 1, 2022
am i understanding correctly that code like this is not allowed anymore?
```
$posts = $wpdb->get_results( $wpdb->prepare("SELECT * FROM " .$wpdb->postmeta." WHERE meta_key=%s AND meta_value LIKE %s", '_wp_attachment_metadata', '%%custom_sizes%%' ));
```
Thank you for your time.
- craigfrancis 10:41 am on November 1, 2022
  
  Hi @backups, that will be fine (the use of %i is optional, it’s there to make sure the Identifier is escaped correctly, but in this case you should be fairly confident $wpdb->postmeta is not under the control of an evil user).
  
  The only thing I’m not sure about is why you have the double % in '%%custom_sizes%%'… while you would double % in the SQL format string (to make a single literal %, a feature that should rarely be used)… it’s not needed in the value 🙂
  - BackuPs 12:02 pm on November 1, 2022
    
    Thank you for your reply.
    
    I think its a leftover to support earlier versions of wp or mysqlMySQL MySQL is a relational database management system. A database is a structured collection of data where content, configuration and other options are stored. https://www.mysql.com/.. I don’t recall anymore why this was added this way. It works with our without the double %% nowadays. %custom_sizes% or %%custom_sizes%%
    - craigfrancis 12:18 pm on November 1, 2022
      
      If I was to take a guess, someone read the wpdb::prepare() documentation, and noted the use of “%%”… maybe it was originally written in the SQL, and later moved to an argument?… and they were probably correct to move it (if it’s a variable, it should be provided separately, as an argument), but there was no need to keep the %%… it will still work though, as “%” will match an arbitrary number of characters (including zero characters).

Comments are closed.

Welcome!

Communication

Example

Performance Improvement

In the Future

Share this: