Support » Plugin: WP Voting » Missing argument 2 for wpdb::prepare(), called in /home/fail/public_html/wp-cont

Viewing 6 replies - 1 through 6 (of 6 total)
WPyogi (@wpyogi), Forum Moderator

    That plugin hasn’t been updated for more than a year and a half – looks like the developer isn’t updating it.

    Here’s more info on what that warning means:

    PHP Warning: Missing argument 2 for wpdb::prepare()

evilcrusher (@evilcrusher)

    Thank you. If I get this working, I will post directions on this fix for other users who have asked, if that is OK.

    Edit: yeah, I couldn’t figure out what code is actually needed in the wpdb or what needed to be in the line for the voting function php file.

    The voting function php file states:

    $items = $wpdb->query($wpdb->prepare("SELECT * FROM ".$wpdb->prefix."wpv_voting_meta"));

    and the wpdb file code that it is trying to access states:

    function prepare( $query, $args ) {
        if ( is_null( $query ) )
            return;

        $args = func_get_args();
        array_shift( $args );
        // If args were passed as an array (as in vsprintf), move them up
        if ( isset( $args[0] ) && is_array($args[0]) )
            $args = $args[0];
        $query = str_replace( "'%s'", '%s', $query ); // in case someone mistakenly already singlequoted it
        $query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
        $query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
        $query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
        array_walk( $args, array( $this, 'escape_by_ref' ) );
        return @vsprintf( $query, $args );
    }

    WPyogi (@wpyogi), Forum Moderator

    Certainly. I’m sure they’d appreciate that :)!

    I got this to work, though I’m not sure I did it “correctly”, but the error does go away.

    If you add a ", null" inside the prepare() as the 2nd argument, the error goes away. Again, I’m not sure if this is safe or correct, but as a quick-and-dirty fix it does work. I will only be using the plugin temporarily, so security isn’t my biggest concern really, just that it works for a short period of time.

    So in the wpv-voting-func.php on line 169 it would be:
    $items = $wpdb->query($wpdb->prepare("SELECT * FROM ".$wpdb->prefix."wpv_voting_meta"));

    changed to:
    $items = $wpdb->query($wpdb->prepare("SELECT * FROM ".$wpdb->prefix."wpv_voting_meta" , null));

    Note that once you have a vote, you will have to repeat this again on line 217 as it will trigger the same error again in calling up voting logs.

    Hope this helps!

    OK. I just took a look at this.

    The fix will work, but that’s because the author is not using prepare() correctly.

    I use PDB in my own work, so I’m used to prepared statements.

    The way they work is that you break out the values into a separate array and replace them with placeholders in the SQL. You then send the SQL and the array into the prepare() statement, and the prepare() statement will take care of scrubbing the values and inserting them into the SQL before sending it to the SQL engine.

    If the SQL statement has no placeholders (‘?’ in PDB. I don’t know enough about wpdb to see if it’s the same, but I’ll bet yeah), then you can just give the prepare() statement the entire SQL query in the first argument. It will run it, just like a standard SQL query.

    However, that also neuters the cleaning and security goodness of a prepare() statement.

    It looks like the author used standard WP DB calls, then modified them to work pretty much “as is” with wpdb. They should have broken up the queries, and fed them in two parts, like I do PDB.

    Looks like older versions of wpdb were relaxed about the second parameter (the array), but now require it. If you have no data array, then null will do fine.

    I’d have to spend some time examining the plugin to see if it’s a security risk. I’d say yeah. If it has been abandoned, and doesn’t use prepare() correctly, then it may be ripe for an SQL injection attack.

    I won’t be using it, which is a shame, because it really seems to have what I need. However, I may give it a once-over, and see if I can tweak it for my needs.

    Just looked a bit further.

    Actually, I wasn’t being entirely fair. The author is using it correctly in several places. It looks like these statements just don’t have any data that needs cleaning, so he just sent in pure SQL.

    For the record, you’ll need to do the same for lines 150, 151 and 332.

    It looks like wpdb prepare() uses an sprintf format syntax, which is nicer than the PDB one.
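The distinction the last two posts draw (a query with no placeholders gives prepare() nothing to escape; values that come from the request belong in the argument list, not in the SQL string) in working code. This is an added example, not code from the WP Voting plugin or from WordPress core. It assumes the WordPress $wpdb global and the wpv_voting_meta table named in the thread; the column names post_id and voter_ip are hypothetical.

```php
<?php
/**
 * Added example (not from the WP Voting plugin or WordPress core).
 * Three situations discussed in the thread: constant SQL, SQL with
 * user-controlled values, and the anti-pattern that leaves prepare()
 * with nothing to escape.
 *
 * Assumptions: $wpdb is the global WordPress database object and the
 * table {$wpdb->prefix}wpv_voting_meta has columns `post_id` (int) and
 * `voter_ip` (string). Those column names are hypothetical.
 */

// Case 1: constant SQL, nothing user-controlled. There is nothing for
// prepare() to escape, so call the query method directly. This is the
// clean replacement for prepare("SELECT * FROM ...") with no arguments.
function wpv_example_all_meta() {
    global $wpdb;
    $table = $wpdb->prefix . 'wpv_voting_meta';
    return $wpdb->get_results( "SELECT * FROM {$table}", ARRAY_A );
}

// Case 2: values come from the request. Keep them out of the SQL string
// and pass them to prepare() as arguments. %d is cast to an integer and
// %s is escaped and single-quoted by prepare() itself (do not add quotes).
function wpv_example_votes_for_post( $post_id, $voter_ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpv_voting_meta';
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE post_id = %d AND voter_ip = %s",
        $post_id,
        $voter_ip
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Case 3 (DO NOT USE): the value is interpolated into the string before
// prepare() sees it. prepare() only escapes its *arguments*; the SQL
// string itself is trusted as-is, so a voter_ip of
//     x' OR '1'='1
// becomes  WHERE voter_ip = 'x' OR '1'='1'  and returns every row.
// Passing null as the second argument silences the "Missing argument 2"
// warning from the thread but adds no protection at all.
function wpv_example_vulnerable( $voter_ip ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpv_voting_meta';
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE voter_ip = '" . $voter_ip . "'",
        null
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Usage from a request handler: cast/sanitize at the boundary as well,
// then let prepare() handle quoting.
// $rows = wpv_example_votes_for_post(
//     absint( $_GET['post_id'] ),
//     sanitize_text_field( $_GET['ip'] )
// );
```

Note that a literal % in a user value only reaches vsprintf() safely in case 2, where it arrives as an argument; in case 3 it is part of the format string and will also break the query.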
