Making WordPress.org

Changeset 6823

Timestamp:
03/02/2018 08:48:38 PM (6 years ago)
Author:
iandunn
Message:

Official WordPress Events: Remove sprintf() from query.

This was only used to avoid ugly string concatenation, making the query more readable. It's too easy to confuse it with $wpdb->prepare(), though; a future developer could accidentally pass untrusted user input to it, expecting it to be prepared, when in reality it would be passed directly to MySQL, allowing SQL injection.
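
To make the confusion described in the commit message concrete, the following is an added example, not code from WordPress.org or from this plugin: the same style of query is built twice, once through sprintf() and once through a real prepared statement, and run against an in-memory SQLite table that stands in for the events table. The table, its rows and the $untrusted value are constructed for the demonstration, and PDO is used in place of $wpdb so that it runs outside WordPress; $wpdb->prepare() plays the same role as PDO::prepare() here.

```php
<?php
// Added example (not WordPress.org's code). A constructed events table in
// SQLite stands in for the real one so this runs anywhere php has pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, status TEXT)");
$db->exec("INSERT INTO events (title, status) VALUES
    ('WordCamp A', 'scheduled'),
    ('Meetup B',   'scheduled'),
    ('Draft C',    'cancelled')");

// Hypothetical untrusted input, e.g. the value of a ?status= request parameter.
$untrusted = "x' OR '1'='1";

// Reads like a prepared statement but is not: sprintf() only formats a string,
// so the value is spliced verbatim into the SQL text before the driver sees it.
function fetch_with_sprintf(PDO $db, string $status): array
{
    $sql = sprintf("SELECT title FROM events WHERE status = '%s' ORDER BY id", $status);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The counterpart of $wpdb->prepare(): the placeholder is bound by the driver,
// so whatever the value contains, it can only ever be compared as a literal.
function fetch_with_prepare(PDO $db, string $status): array
{
    $stmt = $db->prepare("SELECT title FROM events WHERE status = ? ORDER BY id");
    $stmt->execute([$status]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$viaSprintf = fetch_with_sprintf($db, $untrusted);
$viaPrepare = fetch_with_prepare($db, $untrusted);

// The injected tautology turns the WHERE clause into
//   status = 'x' OR '1'='1'
// and the sprintf() version returns every row, including the cancelled one.
var_dump(count($viaSprintf) === 3);             // bool(true)
var_dump(in_array('Draft C', $viaSprintf, true)); // bool(true)

// The prepared version looks for the literal status "x' OR '1'='1" and finds nothing.
var_dump($viaPrepare === []);                     // bool(true)
```

The two calls differ by one word in the source, which is exactly why the changeset drops sprintf(): a query that contains only constants is safe to hand to get_results() directly, but the moment a variable is added to a sprintf()-built query it must go through $wpdb->prepare() instead, and a reviewer skimming the code cannot tell the two apart at a glance.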

File:
1 edited

  • sites/trunk/wordpress.org/public_html/wp-content/plugins/official-wordpress-events/official-wordpress-events.php

    r6822 r6823  
    144144
    145145        // Include yesterday's events because server timezone may be ahead of user's timezone
    146         $raw_events = $wpdb->get_results( sprintf( "
     146        $raw_events = $wpdb->get_results( "
    147147            SELECT *
    148             FROM `%s`
     148            FROM ``
    149149            WHERE
    150150                date_utc >= SUBDATE( CURRENT_DATE(), 1 ) AND
    151151                status    = 'scheduled'
    152152            ORDER BY date_utc ASC
    153             LIMIT 300",
    154             self::EVENTS_TABLE
    155         ) );
     153            LIMIT 300"
     154        );
    156155
    157156        foreach ( $raw_events as $event ) {
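Review bot: in the rendered new line 148 the table reference reads ``FROM ```` with nothing between the backticks, whereas the removed line 148 had `%s` filled in from the `self::EVENTS_TABLE` argument that is also deleted below; the changeset viewer has most likely dropped an inline interpolation of that constant, but it is worth confirming in the committed file that the table name is still present, since an empty identifier would make the query fail at runtime. A one-line comment above the query stating that it is passed to `get_results()` without `prepare()` only because it contains no variable input would also help the next developer, which is the very confusion the commit message sets out to avoid.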