After upgrading WordPress from 3.5 to 3.6 today, using the search function produced the following error:
Warning: Missing argument 2 for wpdb::prepare(), called in /home/web/sjyhome.com/wp-content/themes/sjyhome/functions.php on line 138 and defined in /home/web/sjyhome.com/wp-includes/wp-db.php on line 992
Note: this has nothing to do with your update or with the theme you are currently using! It is a change made in version 3.6 for security reasons, to avoid the security problems caused by SQL injection!
Your theme's functions.php file will contain code similar to the following:
$post_datetimes = $wpdb->get_row($wpdb->prepare("SELECT YEAR(min(post_date_gmt)) AS firstyear, YEAR(max(post_date_gmt)) AS lastyear FROM $wpdb->posts WHERE post_date_gmt > 1970"));
Before 3.6, writing it this way caused no problems at all, for example:
$post_datetimes = $wpdb->get_row($wpdb->prepare("SELECT YEAR(min(post_date_gmt)) AS firstyear, YEAR(max(post_date_gmt)) AS lastyear FROM $wpdb->posts WHERE post_date_gmt > 1970"));
But in 3.6 the form above is wrong; the correct form is:
$post_datetimes = $wpdb->get_row($wpdb->prepare("SELECT YEAR(min(post_date_gmt)) AS firstyear, YEAR(max(post_date_gmt)) AS lastyear FROM $wpdb->posts WHERE post_date_gmt > %d", '1970'));
Do you see the difference? In the SQL statement, the WHERE condition has become a dynamically bound parameter:
post_date_gmt > %d", '1970'
This form is better for the security of the system!
Here is a more general example; this is the correct way to write it:
$wpdb->prepare("SELECT * FROM table WHERE id = %d", $id);
That covers the principle. My own blog's problem was caused by the following code in functions.php
$keyword = $wpdb->prepare($_REQUEST["s"]);
I replaced it with
$keyword = $wpdb->prepare($_REQUEST["s"],"");
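As an added example (not code from the original post or from WordPress itself), here are the two places in a theme's functions.php discussed above, written so that every dynamic value, including the search term from $_REQUEST, is bound through a prepare() placeholder rather than inserted into the query string; the function names are hypothetical, and it assumes the WordPress $wpdb global is loaded.

```php
<?php
// Added example: binding values through wpdb::prepare() placeholders.
// Assumes this runs inside a theme's functions.php with $wpdb available.

// First and last post year: the constant is bound with %d, which is what
// 3.6 requires (prepare() now insists on at least one argument).
function sjy_first_last_year() {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT YEAR(MIN(post_date_gmt)) AS firstyear, YEAR(MAX(post_date_gmt)) AS lastyear
         FROM {$wpdb->posts} WHERE post_date_gmt > %d",
        1970
    ) );
}

// Keyword search: the request value is never used as the query/format string.
// It is escaped for LIKE, then bound as a %s value, so quotes or % signs in
// the user's input stay data instead of becoming part of the SQL.
function sjy_search_posts( $raw_keyword, $limit = 20 ) {
    global $wpdb;
    // like_escape() is the 3.x helper; $wpdb->esc_like() replaces it in 4.0+.
    $like = '%' . like_escape( $raw_keyword ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_type = 'post'
           AND post_title LIKE %s
         ORDER BY post_date_gmt DESC LIMIT %d",
        $like,
        (int) $limit
    ) );
}

// Usage in the search template (hypothetical): pass the raw term straight
// through; prepare() handles the quoting.
// $results = sjy_search_posts( isset( $_REQUEST['s'] ) ? $_REQUEST['s'] : '' );
```

Passing the search term as an argument also removes the "Missing argument 2" warning, because prepare() now receives a format string and a value.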