
Wednesday, November 27, 2013

WordPress debug

PHP Warning: Missing argument 2 for wpdb::prepare()


Hello plugin or theme author! You possibly found this post after searching the Internet for the error above: “PHP Warning: Missing argument 2 for wpdb::prepare().”
So, this is a new warning in 3.5. No sites are broken, everything is fine as before. But, this is indeed something you need to look at, because you may be exposing your users to a possible SQL injection vulnerability. Now that’s no fun!

There’s where the problem lies:
$wpdb->prepare( "SELECT * FROM table WHERE id = $id" );
See the problem? That query isn’t secure! You may think you are “preparing” this query, but you’re not — you’re passing $id directly into the query, unprepared. And this, right here, is why $wpdb->prepare() now issues a warning if it isn’t called with more than one argument. Because you can’t prepare a query without more than one argument. Here’s a correct example:
$wpdb->prepare( "SELECT * FROM table WHERE id = %d", $id );
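To audit a plugin or theme for the pattern this warning targets, here is an added example (not code from the original post or from WordPress): a Python heuristic that finds `$wpdb->prepare()` calls given only one argument. The sample PHP is constructed, and `call_span` and `find_unprepared` are names made up for this example.

```python
import re

# Constructed sample source; the first two calls mirror the post's examples.
SAMPLE_PHP = r'''<?php
$a = $wpdb->prepare( "SELECT * FROM table WHERE id = $id" );
$b = $wpdb->prepare( "SELECT * FROM table WHERE id = %d", $id );
$c = $wpdb->prepare( "SELECT * FROM t WHERE name = %s AND n IN (1, 2)", trim( $name ) );
$d = $wpdb->prepare( 'SELECT * FROM t WHERE slug = "' . $slug . '"' );
'''

CALL = re.compile(r'\$wpdb\s*->\s*prepare\s*\(')
# PHP string literals are matched whole, so commas and parentheses inside SQL are skipped.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[()\[\],]''', re.S)


def call_span(src, start):
    """Return (end_index, top_level_commas) for the call whose '(' precedes src[start]."""
    depth, commas = 1, 0
    for tok in TOKEN.finditer(src, start):
        t = tok.group()
        if t in '([':
            depth += 1
        elif t in ')]':
            depth -= 1
            if depth == 0:          # closing parenthesis of prepare()
                return tok.start(), commas
        elif t == ',' and depth == 1:
            commas += 1
    return None                     # call never closed; ignore it


def find_unprepared(src):
    """Return (line, has_variable) for each prepare() call with a single argument."""
    hits = []
    for m in CALL.finditer(src):
        span = call_span(src, m.end())
        if span is not None and span[1] == 0:
            line = src.count('\n', 0, m.start()) + 1
            hits.append((line, '$' in src[m.end():span[0]]))
    return hits


if __name__ == '__main__':
    for line, has_var in find_unprepared(SAMPLE_PHP):
        print(f'line {line}: prepare() binds no values; variable in query: {has_var}')
```

This is a text-level heuristic: it does not parse PHP comments or heredocs, so review each hit by hand.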



echo("<script>console.log('function php');</script>");
