[CentOS] C5 MySQL injection attack ("Union Select")

Thu Mar 24 14:15:07 UTC 2016
Alice Wonder <alice at domblogger.net>

On 03/24/2016 04:53 AM, Александр Кириллов wrote:
>> Be careful with WordPress - its database handler doesn't actually use
>> parameterized statements, it emulates them with printf - one (of many)
>> reasons I do not like the product.
>
> This is a rather controversial statement. There's nothing wrong with
> using sprintf when building sql queries. Besides
>
> "Using a prepared statement is not always the most efficient way of
> executing a statement. A prepared statement executed only once causes
> more client-server round-trips than a non-prepared statement."
>

The only time a database has ever been a bottleneck for me is when I am 
not using something like apcu to cache query results. Use of prepared 
statements is slower for single queries that are never repeated, but it 
has not been the bottleneck in any application I've dealt with.

WordPress's lack of genuine prepared statements has, however, caused me 
issues when I would like to make a query that is used more than once 
with different parameters.
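To make the two points of this thread concrete (why a string-built query is open to the "Union Select" attack in the subject line, and what reusing one parameterized statement with different bindings looks like), here is an added example that is not part of the mailing-list thread and not WordPress or wpdb code. It uses Python's sqlite3 module as a stand-in for MySQL; the posts table, its rows and the payload string are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a tiny "posts" table. Only rows with
# status='publish' are meant to be visible to anonymous visitors.
SAMPLE_POSTS = [
    (1, "Hello world", "publish"),
    (2, "Welcome to CentOS", "publish"),
    (3, "Unreleased announcement", "draft"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return conn


def search_unsafe(conn, term):
    # Vulnerable form: the user-supplied term is spliced into the SQL text,
    # so anything that closes the quoted literal becomes part of the query.
    sql = ("SELECT id, title FROM posts WHERE status='publish' "
           "AND title LIKE '%" + term + "%'")
    return conn.execute(sql).fetchall()


def search_parameterized(conn, term):
    # Hardened form: the value travels as a bound parameter. The database
    # never parses it as SQL, so quote characters in it are just data.
    sql = "SELECT id, title FROM posts WHERE status='publish' AND title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Constructed UNION-based input of the kind the subject line refers to: it
# closes the LIKE literal, appends a second SELECT that drops the status
# filter, and comments out the trailing "%'" left by the string template.
UNION_PAYLOAD = "zzz%' UNION SELECT id, title FROM posts WHERE status='draft' --"


def search_many(conn, terms):
    # One statement text, many bindings: the same parameterized query reused
    # with different values, which is the pattern the reply above wants a
    # real prepared statement for (sqlite3 keeps a statement cache internally).
    sql = "SELECT id, title FROM posts WHERE status='publish' AND title LIKE ?"
    return {t: conn.execute(sql, ("%" + t + "%",)).fetchall() for t in terms}


def demo():
    """Run both search forms against the same input and return the results."""
    conn = make_db()
    return {
        "unsafe": search_unsafe(conn, UNION_PAYLOAD),
        "parameterized": search_parameterized(conn, UNION_PAYLOAD),
        "reused": search_many(conn, ["Hello", "CentOS"]),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the string-built query the draft post leaks because the appended SELECT is executed as SQL; with the bound parameter the same input is simply a search term that matches nothing. The `search_many` function shows the one-statement, many-bindings usage: the SQL text is fixed once and only the values change per call, which is the property a genuine prepared statement gives you and an sprintf-style emulation does not.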