Redirection Plugin wpdb::prepare() Error Fix

Redirection is a very popular WordPress plugin, so I imagine this will be patched and released soon to be compatible with the latest WordPress 3.5 release.

The Redirection plugin still works: PHP prints the warning and carries on. Patch it anyway, and understand what the warning means. WordPress 3.5 made the second argument to wpdb::prepare() mandatory because a prepare() call with no arguments is always one of two things: a string with no placeholders, where prepare() does nothing but add overhead, or a string with variables interpolated directly into the SQL, where prepare() escapes nothing and the call only looks safe. The second case is the SQL injection pattern prepare() exists to prevent. On line 70 of group.php the only interpolated value is $wpdb->prefix, the configured table prefix, so this particular call is the harmless first case, not an exploitable hole. Treat the warning as a prompt to check every prepare() call in the plugin, not as proof of a vulnerability.

You will see this error at the top of the Redirection plugin admin page:

[php]
Warning: Missing argument 2 for wpdb::prepare(), called in /public_html/wp-content/plugins/redirection/models/group.php on line 70 and defined in /public_html/wp-includes/wp-db.php on line 990
[/php]

To fix the wpdb::prepare missing arguments error:

Open /wp-content/plugins/redirection/models/group.php and find line 70, the $wpdb->get_results( $wpdb->prepare( "SELECT ..." ) ) call.

Remove the $wpdb->prepare( ... ) wrapper so that the SQL string is passed directly to $wpdb->get_results(), and save your changes. Nothing is lost: the query contains no placeholders, and the only variable in it is $wpdb->prefix, which is not user input.

Do not just swap $wpdb->prepare for $wpdb->query (see Andy's comment below). $wpdb->get_results() runs the query itself; nesting $wpdb->query() inside it hands get_results() the number of rows instead of a SQL string. That makes the warning go away, but for the wrong reason.

You're all done. Easy as pie.

Andrew Nacin explains why core made the change, so if you would like to read more, see his PHP Warning: Missing argument 2 for wpdb::prepare() post on Make WordPress Core: http://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/
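
As an added illustration (my code, not the Redirection plugin's or WordPress core's), here are the patterns discussed above side by side: the line 70 query without its pointless prepare() wrapper, the genuinely dangerous shape of a prepare() call with no arguments, and the correct placeholder form, plus a LIKE search because literal % characters are the other thing a zero-argument prepare() gets wrong. It assumes it runs inside WordPress 3.5 or later with the Redirection tables present; the function names and the group request parameter are assumptions.

```php
<?php
/**
 * Added example, not code from the Redirection plugin or from WordPress core.
 * Assumes it runs inside WordPress 3.5 or later (e.g. saved as a file in
 * wp-content/mu-plugins/), so that $wpdb is the live database object and the
 * redirection_groups / redirection_modules tables exist. Function names and
 * the $_GET['group'] parameter are illustrative assumptions.
 */

// 1. The group.php line 70 pattern, written the way it should be. Nothing in
//    this SQL comes from a request: $wpdb->prefix is configuration. There is
//    nothing for prepare() to escape, so the string goes straight to
//    get_results(), which runs the query and returns the rows.
function redirection_example_list_groups() {
    global $wpdb;
    $groups  = $wpdb->prefix . 'redirection_groups';
    $modules = $wpdb->prefix . 'redirection_modules';

    return $wpdb->get_results(
        "SELECT {$modules}.name AS module_name, {$groups}.name AS group_name, {$groups}.id
           FROM {$groups}
           INNER JOIN {$modules} ON {$modules}.id = {$groups}.module_id
           ORDER BY {$modules}.name, {$groups}.position"
    );
}

// 2. The pattern the 3.5 warning exists to flush out. prepare() is called, but
//    the request value is interpolated into the string before prepare() sees
//    it, so nothing is escaped: a value such as "1 OR 1=1" rewrites the WHERE
//    clause. A stray '%' in the value also corrupts the vsprintf() template
//    that prepare() builds. This is what a real injection behind this warning
//    looks like; do not copy it.
function redirection_example_group_unsafe() {
    global $wpdb;
    $groups = $wpdb->prefix . 'redirection_groups';
    $id     = $_GET['group'];

    return $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$groups} WHERE id = {$id}" ) );
}

// 3. The correct use of prepare(): the request value is bound to a
//    placeholder. %d casts the value to an integer; %s escapes it and adds
//    the quotes. Either way the value cannot change the shape of the statement.
function redirection_example_group_safe( $id ) {
    global $wpdb;
    $groups = $wpdb->prefix . 'redirection_groups';

    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$groups} WHERE id = %d", $id )
    );
}

// 4. A LIKE search needs two things: the caller's wildcards escaped with
//    like_escape() (the WordPress 3.5 API for this), and the finished pattern
//    bound with %s. The literal '%' characters live in the bound value, not in
//    the template, so they never reach vsprintf() as format characters.
function redirection_example_groups_named_like( $fragment ) {
    global $wpdb;
    $groups  = $wpdb->prefix . 'redirection_groups';
    $pattern = '%' . like_escape( $fragment ) . '%';

    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name FROM {$groups} WHERE name LIKE %s", $pattern )
    );
}

// Usage, e.g. from an admin page hook:
// $rows = redirection_example_list_groups();
// $row  = redirection_example_group_safe( isset( $_GET['group'] ) ? $_GET['group'] : 0 );
```

The rule of thumb the example encodes: if a query string has no placeholders, it has no business inside prepare(); if it has anything that came from a request, every one of those values must arrive through a %d, %f or %s argument and never through string interpolation.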

UPDATE 1/18/13:

Andy Stratton explains in a comment below why removing the entire prepare() call is better than replacing it with query().

His gist showing the proposed change: https://gist.github.com/4565222



14 Comments

  1. Shi

    Thanks for the patch. It works.

    However, it took me some time to locate line 70 because OS X TextEdit cannot display line numbers; I eventually figured out how to use Control-L to locate that line.

    Line 70:
    [php]
    $rows = $wpdb->get_results( $wpdb->prepare( "SELECT {$wpdb->prefix}redirection_modules.name AS module_name,{$wpdb->prefix}redirection_groups.name AS group_name,{$wpdb->prefix}redirection_groups.id FROM {$wpdb->prefix}redirection_groups INNER JOIN {$wpdb->prefix}redirection_modules ON {$wpdb->prefix}redirection_modules.id={$wpdb->prefix}redirection_groups.module_id ORDER BY {$wpdb->prefix}redirection_modules.name,{$wpdb->prefix}redirection_groups.position" ) );
    [/php]

  2. John Bates

    Drew,
    Thank you SO much for this information. I was really scratching my head trying to figure out how to solve this problem.
    Cheers,
    JB

  3. Rich

    Thanks. I applied this today.

  4. LiewCF

    This solved the problem! Thanks!

  5. Soren

    It works for me. thank you !

  6. Calixus

    Thank you very much, problem solved!

  7. Gal Baras

    This is like taking out the red light telling you the car is out of gas. Variables should now be passed in as arguments to $wpdb->prepare() for SECURITY reasons. Turning off the warning accomplishes nothing. This issue should be handled by the plugin developer(s) and I’ll bet this will be coming soon.

    • Andy

      @Gal You’re correct about $wpdb->prepare() being used for security reasons, the problem here is that there’s no security reason for which it is being used.

      Preparing a SQL statement is to ensure you've got clean input. While there are variables being used in the query on line 70, there is no user input: $wpdb->prefix is the only variable in the statement, used for ensuring proper table names in the query.

      Any concerns about SQL injection from $wpdb properties are a larger security concern, as someone having access to modify $wpdb's properties has access to directly attack the database.

      Using $wpdb->prepare() is pointless without %d (integer), %f (float) or %s (string) replacements. Otherwise it's just overhead code, which is probably why core now requires at least one argument (see Nacin's post on Make::Core: http://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/).

      @Drew I would update that to simply removing the $wpdb->prepare() call and NOT adding $wpdb->query() because $wpdb->get_results() already queries and returns an array of results.

      Here’s a gist of what I’d do: https://gist.github.com/4565222

  8. Sorinu

    Thanks buddy!

  9. Yerbouti

    Thanks! Short but efficient!

  10. Camer

    It worked like magic !!!!!

    Thank you. It saved me a lot my time

  11. ink

    THANK YOU SO MUCH :)

