Le 22/06/2021 à 17:35, Mike Schinkel a écrit :
https://github.com/WordPress/WordPress/blob/master/wp-includes/wp-db.php#L2050
Sorry for the discussion pollution here but, but ouch, plugins are still
using this unsafe form ? Reminds when I was a student, I learnt to
parametrize queries there, it was 20 years ago. I never understood
people not doing that in the first place.
But also because of much legacy code exists in the form of plugins and themes
that do not support parameterized queries.
Yes I agree, legacy is legacy, you have to deal with it. But all legacy
code cannot be fixed, and doing a highly complex SQL parsing / escaping
/ vulnerability detection code that explicitly targets legacy code and
not modern code seems weird to me.
HOWEVER, whether mysqli supports parameterised queries or not is all a moot point because
parameterised queries do not allow for parameterizing field names or table names. And
the point of this thread was to discuss how to mark SQL that has been composed at
run-time to be "safe." Without being able to parameterize field names and
table names parameterised queries are not a sufficiently complete solution.
Not being able to parametrize table or field names is not only a problem
for mysqli, but it is for PDO and pgsql too. That's a place where
userland query-builders and others DBALs, even the most basic ones do
shine, and brings a real added-value.
But having anyone, writing SQL with user-given table names or column
names, and executing it using something like WP's _do_query() method
seems like they *WANT* to be hacked. I'm not sure how you will succeed
in plugging the is_trusted() / is_literal() / is_wathever() method
correctly in an SQL Model Parser & Sanitizer anyway, knowing that at
this point, all you'll receive is a huge string issued by some plugin
API which has already done crazy dark (and probably bugguy as well) magic.
I don't see how adding magic in PHP core will avoid the need to fix all
those legacy plugins, they probably would need themselves to use this
new shiny API to benefit from it ? In the opposite, if something alters
the behavior of mysqli implicitly for everyone in order to make it safe,
it sounds like there will be a lot of BC ? In both case, it seems that
it will not do any shiny magic to me.
But, I might be wrong, this thread becomes harder and harder to read,
and I may have missed a few points.
Regards,
--
Pierre