Changeset 8326

Timestamp:

02/22/2019 08:29:31 PM (7 years ago)

Author:

iandunn

Message:

WordCamp Budgets Dashboard: Remove inactive prepare() call to avoid notice.

It's not currently needed because there isn't any user input in the query, but it was added as a best practice, because if it's missing then it would be easy for a future developer to add untrusted input and not connect the dots that they also need to add a new prepare(). That's the equivalent of always escaping output, even if it's currently hardcoded to a safe string (​https://vip.wordpress.com/2014/06/20/the-importance-of-escaping-all-the-things/).

However, that leads to a PHP notice because Core thinks we might be passing unstrusted input directly in the query instead of using a placeholder (​https://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/).

As a compromise, a the inactive prepare() call was replaced with a comment warning future developers to consider whether or not their changes require preparing.

File:

• sites/trunk/wordcamp.org/public_html/wp-content/plugins/wordcamp-payments-network/includes/sponsor-invoices-dashboard.php (modified) (1 diff)

sites/trunk/wordcamp.org/public_html/wp-content/plugins/wordcamp-payments-network/includes/sponsor-invoices-dashboard.php

@@ -483 +483 @@
 
     $table_name    = get_index_table_name();
-    $sent_invoices = $wpdb->get_results(
-        $wpdb->prepare(
-            "
-                SELECT blog_id, invoice_id
-                FROM $table_name
-                WHERE status = 'wcbsi_approved'
-                LIMIT 1000
-            ",
-            array()
-        )
+    $sent_invoices = $wpdb->get_results( "
+        SELECT blog_id, invoice_id
+        FROM $table_name
+        WHERE status = 'wcbsi_approved'
+        LIMIT 1000"
+        // Don't forget to add a prepare() call here if you ever add user input.
     );