Redirection is a very popular WordPress plugin, so I imagine this will be patched and released soon to be compatible with the latest WordPress 3.5 release.
The Redirection plugin still functions correctly. However, you should definitely patch this right away because it could be a potential SQL injection vulnerability.
You will see this error at the top of the Redirection plugin admin page:
[php]
Warning: Missing argument 2 for wpdb::prepare(), called in /public_html/wp-content/plugins/redirection/models/group.php on line 70 and defined in /public_html/wp-includes/wp-db.php on line 990
[/php]
To fix the wpdb::prepare missing arguments error, simply:
Open /wp-content/plugins/redirection/models/group.php and find line 70.
Replace $wpdb->prepare with $wpdb->query and save your changes.
You’re all done. Easy as pie.
Andrew Nacin explains why the change is necessary, so if you would like to read more about it check out the PHP Warning: Missing argument 2 for wpdb::prepare() post.
UPDATE 1/18/13:
Andy Stratton explains in a comment why removing the entire prepare call is better than replacing with query.
Gist showing proposed changes is located HERE.
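The distinction behind that update, as an added example that is not part of the original post or the plugin's code: prepare() only does work when a placeholder binds a value, so a query built solely from $wpdb->prefix does not need it, while a request-supplied value does. DemoWpdb is a hypothetical, simplified stand-in for wpdb so the script runs outside WordPress, and $group_id is a constructed sample value.

```php
<?php
// Added example. DemoWpdb is a hypothetical, simplified stand-in for
// WordPress's wpdb class so the script runs outside WordPress.
class DemoWpdb {
    public $prefix = 'wp_';

    // Simplified model of wpdb::prepare(): quote %s placeholders, escape
    // string arguments (addslashes stands in for wpdb's real escaping),
    // then substitute with vsprintf().
    public function prepare($query, ...$args) {
        if (count($args) === 0) {
            // The case the warning on this page reports: nothing to
            // substitute, so the query comes back unchanged.
            trigger_error('prepare() called without arguments', E_USER_WARNING);
            return $query;
        }
        $query = str_replace('%s', "'%s'", $query);
        $args = array_map(function ($a) {
            return is_string($a) ? addslashes($a) : $a;
        }, $args);
        return vsprintf($query, $args);
    }
}

$wpdb  = new DemoWpdb();
$table = "{$wpdb->prefix}redirection_groups";

// Case 1: like line 70, only $wpdb->prefix is interpolated. There is no
// placeholder and no user input, so the string can go straight to
// $wpdb->get_results() with no prepare() call.
$static = "SELECT id, name FROM {$table} ORDER BY position";
echo "static:       {$static}\n";

// Case 2: a value taken from a request (constructed sample, hypothetical).
$group_id = '1 OR 1=1';

// Interpolating it lets the value rewrite the WHERE clause.
$interpolated = "SELECT name FROM {$table} WHERE id = {$group_id}";
echo "interpolated: {$interpolated}\n";

// Binding it through %d forces an integer, so only the number survives.
$prepared = $wpdb->prepare("SELECT name FROM {$table} WHERE id = %d", $group_id);
echo "prepared:     {$prepared}\n";
```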
Thanks for the patch. It works.
However, it took me some time to locate line 70 because OS X TextEdit cannot display line numbers, and I eventually figured out how to use Control-L to locate that line.
Line 70:
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT {$wpdb->prefix}redirection_modules.name AS module_name,{$wpdb->prefix}redirection_groups.name AS group_name,{$wpdb->prefix}redirection_groups.id FROM {$wpdb->prefix}redirection_groups INNER JOIN {$wpdb->prefix}redirection_modules ON {$wpdb->prefix}redirection_modules.id={$wpdb->prefix}redirection_groups.module_id ORDER BY {$wpdb->prefix}redirection_modules.name,{$wpdb->prefix}redirection_groups.position" ) );
Drew,
Thank you SO much for this information. I was really scratching my head trying to figure out how to solve this problem.
Cheers,
JB
Thanks. I applied this today.
This solved the problem! Thanks!
It works for me. Thank you!
Thank you very much, problem solved!
This is like taking out the red light telling you the car is out of gas. Variables should now be passed in as arguments to $wpdb->prepare() for SECURITY reasons. Turning off the warning accomplishes nothing. This issue should be handled by the plugin developer(s) and I’ll bet this will be coming soon.
@Gal You’re correct about $wpdb->prepare() being used for security reasons; the problem here is that there’s no security reason for which it is being used.

Preparing a SQL statement is to ensure you’ve got clean input. While there are variables being used in the query on line 70, there is no user input. $wpdb->prefix is the only variable in the statement, used for ensuring proper table names in the query.

Any concerns about SQL injection from $wpdb properties is a larger security concern, as someone having access to modifying $wpdb’s properties has access to directly attack the database.

Using $wpdb->prepare() is pointless without %d (integer), %f (float) or %s (string) replacements. Otherwise it’s just overhead code, which is probably why core now requires at least one argument (see Nacin’s post on Make::Core: http://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/).

@Drew I would update that to simply removing the $wpdb->prepare() call and NOT adding $wpdb->query() because $wpdb->get_results() already queries and returns an array of results.

Here’s a gist of what I’d do: https://gist.github.com/4565222
Thanks buddy!
Thanks! Short but efficient!
Hi Drew, thanks for this post. I had been looking to resolve the issue, and I left a message on this page: http://wordpress.org/support/topic/warning-missing-argument-2-for-wpdbprepare-14?replies=3#post-3740675
Hopefully John (the plugin creator) will fix it asap.
And lucky I landed on this page now.
Thanks again.
Awesome!! You made my day :)
It worked like magic !!!!!
Thank you. It saved me a lot of my time.
THANK YOU SO MUCH :)