Create a gist now

Instantly share code, notes, and snippets.

Temporary hack-fix for Redirection plugin's improper use of $wpdb->prepare();
<?php
/*
original version's Line 70
*/
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT {$wpdb->prefix}redirection_modules.name AS module_name,{$wpdb->prefix}redirection_groups.name AS group_name,{$wpdb->prefix}redirection_groups.id FROM {$wpdb->prefix}redirection_groups INNER JOIN {$wpdb->prefix}redirection_modules ON {$wpdb->prefix}redirection_modules.id={$wpdb->prefix}redirection_groups.module_id ORDER BY {$wpdb->prefix}redirection_modules.name,{$wpdb->prefix}redirection_groups.position" ) );
/*
Modified version - Line 70
*/
$rows = $wpdb->get_results( "SELECT {$wpdb->prefix}redirection_modules.name AS module_name,{$wpdb->prefix}redirection_groups.name AS group_name,{$wpdb->prefix}redirection_groups.id FROM {$wpdb->prefix}redirection_groups INNER JOIN {$wpdb->prefix}redirection_modules ON {$wpdb->prefix}redirection_modules.id={$wpdb->prefix}redirection_groups.module_id ORDER BY {$wpdb->prefix}redirection_modules.name,{$wpdb->prefix}redirection_groups.position" );
/*
Simply remove the call to $wpdb->prepare()
Because there are not inputs to this (short of a call to $wpdb->prefix),
there is no need to prepare any data.
Official reference: http://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/
There is possibility of $wpdb->prefix being compromised, but if
$wpdb->prefix is compromised any attacker would also have direct
access to your database. $wpdb->prepare() would be useless at that
point anyway.
*/
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment