Redirection Plugin wpdb::prepare() Error Fix

Redirection is a very popular WordPress plugin, so I imagine this will be patched and released soon to be compatible with the latest WordPress 3.5 release.

The Redirection plugin still functions correctly; the message is a PHP warning, not a fatal error. You should still patch it right away. WordPress 3.5 started requiring at least one argument to $wpdb->prepare() because a prepare() call whose query string has no %d, %f or %s placeholders does no escaping at all, and when such a string interpolates a variable directly it can hide a real SQL injection hole. In this particular query the only interpolated value is the table prefix ($wpdb->prefix), not user input, so the warning here points at a misused API rather than an exploitable injection (see the discussion in the comments below).

You will see this error at the top of the Redirection plugin admin page:

[php]
Warning: Missing argument 2 for wpdb::prepare(), called in /public_html/wp-content/plugins/redirection/models/group.php on line 70 and defined in /public_html/wp-includes/wp-db.php on line 990
[/php]

To fix the wpdb::prepare() missing-argument warning:

Open /wp-content/plugins/redirection/models/group.php and find line 70.

Remove the $wpdb->prepare( ... ) wrapper so that the SQL string is passed straight to $wpdb->get_results(), then save your changes. (This post originally suggested replacing $wpdb->prepare with $wpdb->query; see the update below for why simply dropping the prepare() call is the better fix: get_results() already runs the query, and there is nothing in this string for prepare() to escape.)

Before touching the line, check that $wpdb->prefix really is the only variable in the query string. If anything else is interpolated into it, the right fix is a %d/%f/%s placeholder with the value passed as a second argument, not removing prepare().

You're all done. Easy as pie.

Andrew Nacin explains why WordPress 3.5 made this change; if you would like to read more, see his PHP Warning: Missing argument 2 for wpdb::prepare() post at http://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/.
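As an added example (not part of the original post, the Redirection plugin or WordPress core), here is a small PHP script that finds every $wpdb->prepare() call in a piece of source that passes only a query string and sorts each one into the two cases discussed on this page: a prepare() wrapper that has nothing to escape and can simply be removed (the group.php line 70 case, where only $wpdb->prefix is interpolated), and one that splices some other variable into the string and therefore needs a real %d/%s placeholder. The function names and the embedded sample source are this example's own; it relies only on PHP's built-in tokenizer.

```php
<?php
// Added example, not code from the Redirection plugin or WordPress core.
// Scans PHP source for $wpdb->prepare() calls that receive a query string
// and nothing else, which is exactly what WordPress 3.5 warns about.
// Assumes PHP >= 7 with the default tokenizer extension.

// Index of the next token that is not whitespace or a comment.
function next_significant(array $tokens, int $i): int
{
    $n = count($tokens);
    while ($i < $n && is_array($tokens[$i])
        && in_array($tokens[$i][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
        $i++;
    }
    return $i;
}

// Index of the previous token that is not whitespace or a comment.
function prev_significant(array $tokens, int $i): int
{
    while ($i >= 0 && is_array($tokens[$i])
        && in_array($tokens[$i][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
        $i--;
    }
    return $i;
}

// Returns one entry per ->prepare( ... ) call whose argument list has no
// top-level comma. Each entry: line, verdict ('drop_wrapper' or
// 'needs_placeholder') and the variables other than $wpdb->prefix found
// inside the argument.
function find_single_arg_prepare_calls(string $source): array
{
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $hits   = [];

    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || $tok[0] !== T_STRING || $tok[1] !== 'prepare') {
            continue;
        }
        // Must be a method call "->prepare(" to count.
        $prev = prev_significant($tokens, $i - 1);
        if ($prev < 0 || !is_array($tokens[$prev]) || $tokens[$prev][0] !== T_OBJECT_OPERATOR) {
            continue;
        }
        $open = next_significant($tokens, $i + 1);
        if ($open >= $count || $tokens[$open] !== '(') {
            continue;
        }

        // Walk to the matching ')' counting commas at depth 1 only. Commas and
        // parentheses inside string literals are part of string tokens, so the
        // "name,id" in SQL text is never mistaken for an argument separator.
        $depth = 0;
        $commas = 0;
        $otherVars = [];
        for ($m = $open; $m < $count; $m++) {
            $t = $tokens[$m];
            if ($t === '(' || $t === '[') {
                $depth++;
            } elseif ($t === ')' || $t === ']') {
                if (--$depth === 0) {
                    break;
                }
            } elseif ($t === ',' && $depth === 1) {
                $commas++;
            } elseif (is_array($t) && $t[0] === T_VARIABLE) {
                // Interpolated "{$wpdb->prefix}" tokenizes as $wpdb -> prefix;
                // that is the only variable tolerated inside a bare prepare().
                $a = next_significant($tokens, $m + 1);
                $b = next_significant($tokens, $a + 1);
                $isPrefix = $t[1] === '$wpdb'
                    && isset($tokens[$a]) && is_array($tokens[$a]) && $tokens[$a][0] === T_OBJECT_OPERATOR
                    && isset($tokens[$b]) && is_array($tokens[$b]) && $tokens[$b][0] === T_STRING
                    && $tokens[$b][1] === 'prefix';
                if (!$isPrefix) {
                    $otherVars[$t[1]] = true;
                }
            }
        }

        if ($commas === 0) {
            $hits[] = [
                'line'    => $tok[2],
                'verdict' => $otherVars ? 'needs_placeholder' : 'drop_wrapper',
                'vars'    => array_keys($otherVars),
            ];
        }
    }
    return $hits;
}

// Constructed sample input (not the plugin's actual file): the group.php
// shape, a correct placeholder call, and the dangerous interpolated shape.
$sample = <<<'SRC'
<?php
// group.php style: only $wpdb->prefix is interpolated.
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT {$wpdb->prefix}redirection_groups.id FROM {$wpdb->prefix}redirection_groups ORDER BY {$wpdb->prefix}redirection_groups.position" ) );
// Correct: placeholder plus argument, nothing to report.
$row = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}redirection_groups WHERE id = %d", $group_id ) );
// Dangerous: a variable spliced into the string with no placeholder.
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}redirection_items WHERE url = '$url'" ) );
SRC;

foreach (find_single_arg_prepare_calls($sample) as $hit) {
    echo 'line ', $hit['line'], ': ', $hit['verdict'] === 'drop_wrapper'
        ? 'prepare() has nothing to escape; drop the wrapper and pass the string to get_results()'
        : 'prepare() interpolates ' . implode(', ', $hit['vars']) . '; use a %d/%s placeholder and pass the value as an argument',
        "\n";
}
```

Run it with php on the command line, or feed file_get_contents() of a plugin file to find_single_arg_prepare_calls(). On the sample it reports the first call (line 3 of the sample) as a wrapper to drop and the third (line 7) as needing a placeholder for $url; the second call has a comma at the top level and is left alone. The decision rule is the one from the comments below: a prepare() call with no placeholders escapes nothing, so the only variable it can safely contain is the table prefix.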

UPDATE 1/18/13:

Andy Stratton explains in a comment why removing the entire prepare call is better than replacing with query.

A gist showing the proposed change is at https://gist.github.com/4565222.

Comments

  1. says

    Thanks for the patch. It works.

    However, it took me some time to locate line 70 because OS X TextEdit cannot display line numbers; eventually I figured out how to use Control-L to jump to that line.

    Line 70:
    [php]
    $rows = $wpdb->get_results( $wpdb->prepare( "SELECT {$wpdb->prefix}redirection_modules.name AS module_name,{$wpdb->prefix}redirection_groups.name AS group_name,{$wpdb->prefix}redirection_groups.id FROM {$wpdb->prefix}redirection_groups INNER JOIN {$wpdb->prefix}redirection_modules ON {$wpdb->prefix}redirection_modules.id={$wpdb->prefix}redirection_groups.module_id ORDER BY {$wpdb->prefix}redirection_modules.name,{$wpdb->prefix}redirection_groups.position" ) );
    [/php]

  2. Gal says

    This is like taking out the red light telling you the car is out of gas. Variables should now be passed in as arguments to $wpdb->prepare() for SECURITY reasons. Turning off the warning accomplishes nothing. This issue should be handled by the plugin developer(s) and I’ll bet this will be coming soon.

    • Andy Stratton says

      @Gal You’re correct about $wpdb->prepare() being used for security reasons, the problem here is that there’s no security reason for which it is being used.

      Preparing a SQL statement ensures you've got clean input. While there are variables being used in the query on line 70, there is no user input: $wpdb->prefix is the only variable in the statement, used for ensuring proper table names in the query.

      Any concerns about SQL injection from $wpdb properties is a larger security concern, as someone having access to modifying $wpdb‘s properties has access to directly attack the database.

      Using $wpdb->prepare() is pointless without %d (integer), %f (float) or %s (string) replacements. Otherwise it's just overhead code, which is probably why core now requires at least one argument (see Nacin's post on Make/Core: http://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/).

      @Drew I would update that to simply removing the $wpdb->prepare() call and NOT adding $wpdb->query() because $wpdb->get_results() already queries and returns an array of results.

      Here’s a gist of what I’d do: https://gist.github.com/4565222
