WordPress shows Warning: Missing argument 2 for wpdb::prepare()

After upgrading WordPress from 3.5 to 3.6 today, the following error appears as soon as the search function is used:

Warning: Missing argument 2 for wpdb::prepare(), called in /home/web/sjyhome.com/wp-content/themes/sjyhome/functions.php on line 138 and defined in /home/web/sjyhome.com/wp-includes/wp-db.php on line 992

Note: this has nothing to do with your upgrade or with the theme you are currently using! It is a change made in version 3.6 for security, to avoid the security problems caused by SQL injection!

Your theme's functions.php file will contain code similar to the following:

$post_datetimes = $wpdb->get_row($wpdb->prepare("SELECT YEAR(min(post_date_gmt)) AS firstyear, YEAR(max(post_date_gmt)) AS lastyear FROM $wpdb->posts WHERE post_date_gmt > 1970"));

Before 3.6, writing it this way caused no problem at all, e.g.:

$wpdb->prepare("SELECT YEAR(min(post_date_gmt)) AS firstyear, YEAR(max(post_date_gmt)) AS lastyear FROM $wpdb->posts WHERE post_date_gmt > 1970");

But in 3.6 the form above is wrong; the correct form is:

$wpdb->prepare("SELECT YEAR(min(post_date_gmt)) AS firstyear, YEAR(max(post_date_gmt)) AS lastyear FROM $wpdb->posts WHERE post_date_gmt > %d", '1970');

See the difference? In the SQL statement, the WHERE condition has become a dynamically bound parameter:

post_date_gmt > %d", '1970'

This form is better for the security of the system!

Here is a more general example; this form is correct:

$wpdb->prepare("SELECT * FROM table WHERE id = %d", $id);

That covers the principle. My own blog had the problem because of the following code in functions.php:

$keyword = $wpdb->prepare($_REQUEST["s"]);

I replaced it with

$keyword = $wpdb->prepare($_REQUEST["s"],"");
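As an added example (not code from the original post), here are the two queries from this page written so that every runtime value goes through a placeholder. prepare() treats its first argument as the query template and substitutes only %d, %s and %f, so a search term belongs in the argument list as %s, not in the template. It assumes WordPress is loaded (so $wpdb is available) and that the theme wants a count of published posts whose title contains the search term; $wpdb->esc_like() exists since WordPress 4.0 (on 3.6 the equivalent was like_escape()).

```php
<?php
// Added example, not the post's own code. Runs inside a theme's functions.php
// where the global $wpdb object is available.
global $wpdb;

// Year range of the site's posts: the lower bound is bound through %d rather
// than written into the SQL string.
$post_datetimes = $wpdb->get_row( $wpdb->prepare(
    "SELECT YEAR(MIN(post_date_gmt)) AS firstyear, YEAR(MAX(post_date_gmt)) AS lastyear
     FROM {$wpdb->posts} WHERE post_date_gmt > %d",
    1970
) );

// Search keyword from the request. It is data, so it never becomes the first
// argument of prepare(); it is bound as %s. For a LIKE pattern the wildcard
// characters in the user's input are escaped first (esc_like: WordPress 4.0+).
$keyword = isset( $_REQUEST['s'] ) ? (string) $_REQUEST['s'] : '';
$pattern = '%' . $wpdb->esc_like( $keyword ) . '%';

$matches = $wpdb->get_var( $wpdb->prepare(
    "SELECT COUNT(*) FROM {$wpdb->posts}
     WHERE post_status = 'publish' AND post_type = 'post' AND post_title LIKE %s",
    $pattern
) );
```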

