undefined | Better HN

0 pointsstephenr7y ago0 comments

Writing your own userland implementation of prameterised queries is what you consider “very secure”?

I’d hate to see what you think is terrible then.

0 comments

What exactly is your criticism here? Do you know of some issue with prepare()? The quality of the core Wordpress code is quite high. You could argue that the plugin system is a footgun, but it’s kinda an essential element if you want extensibility.

stephenrOP7y ago

Parameterised queries done properly are sent to the database server specifically as a query with placeholders and values - the values are never evaluated as sql, there is no chance for a userland bug/attack to perform sql injection using them.

What wordpress does is basically glorified printf, substituting values into a string.

If you can’t see how this is a danger, you’re in no position to comment on the quality of the code.

AmericanChopper7y ago

Right, so you actually have absolutely nothing to say about the quality of wpdb.

My point stands. The worst problems in Wordpress are the plugin ecosystem and poorly maintained instances.

1 more reply

j / k navigate · click thread line to collapse

0 comments

AmericanChopper7y ago

stephenrOP7y ago

What wordpress does is basically glorified printf, substituting values into a string.

If you can’t see how this is a danger, you’re in no position to comment on the quality of the code.

AmericanChopper7y ago

Right, so you actually have absolutely nothing to say about the quality of wpdb.

My point stands. The worst problems in Wordpress are the plugin ecosystem and poorly maintained instances.

1 more reply

j / k navigate · click thread line to collapse