Redirection is a very popular WordPress plugin, so I imagine this will be patched and released soon to be compatible with the latest WordPress 3.5 release.
The Redirection plugin still functions correctly. However, you should definitely patch this right away because it could be a potential SQL injection vulnerability.
You will see this error at the top of the Redirection plugin admin page:
[php]
Warning: Missing argument 2 for wpdb::prepare(), called in /public_html/wp-content/plugins/redirection/models/group.php on line 70 and defined in /public_html/wp-includes/wp-db.php on line 990
[/php]
To fix the wpdb::prepare missing arguments error, simply:
Open /wp-content/plugins/redirection/models/group.php and find line 70.
Replace $wpdb->prepare with $wpdb->query and save your changes.
You’re all done. Easy as pie.
Andrew Nacin explains why the change is necessary, so if you would like to read more about it, check out the PHP Warning: Missing argument 2 for wpdb::prepare() post.
UPDATE 1/18/13:
Andy Stratton explains in a comment why removing the entire prepare call is better than replacing with query.
Gist showing proposed changes is located HERE.
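The two cases this post and its comments turn on, as an added example (it is not the plugin's code and not the code in the linked gist): a static query that needs no prepare() call, and a query with caller-supplied values that does. It assumes WordPress is loaded and the Redirection tables and columns named in the line-70 query exist; the function names are hypothetical.

```php
<?php
// Added example. Assumes WordPress is loaded (global $wpdb) and the Redirection
// tables from the line-70 query exist. Function names are hypothetical.

// Case 1: static query. The only interpolated value is $wpdb->prefix, which is
// set in wp-config.php and never comes from a request, so there is nothing for
// prepare() to escape and get_results() can take the string directly.
function example_all_groups() {
	global $wpdb;
	return $wpdb->get_results(
		"SELECT m.name AS module_name, g.name AS group_name, g.id
		   FROM {$wpdb->prefix}redirection_groups g
		   INNER JOIN {$wpdb->prefix}redirection_modules m ON m.id = g.module_id
		  ORDER BY m.name, g.position"
	);
}

// Case 2: caller-supplied values. Every value goes through a placeholder and is
// passed as an argument; nothing from the caller is concatenated into the SQL.
function example_groups_in_module( $module_id, $group_name = null ) {
	global $wpdb;
	$sql  = "SELECT g.id, g.name FROM {$wpdb->prefix}redirection_groups g WHERE g.module_id = %d";
	$args = array( $module_id );       // %d casts to an integer
	if ( null !== $group_name ) {
		$sql   .= ' AND g.name = %s';  // %s is escaped and quoted by prepare()
		$args[] = $group_name;
	}
	$sql .= ' ORDER BY g.position';
	return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}

// The pattern the 3.5 warning is meant to surface: a value interpolated into
// the string with no placeholder, so prepare() has nothing to escape.
//   $wpdb->prepare( "... WHERE g.module_id = $module_id" );   // not protected
```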
Shi says
Thanks for the patch. It works.
However, it took me some time to locate line 70 because OS X TextEdit cannot display line numbers, and I eventually figured out how to use Control-L to locate that line.
Line 70:
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT {$wpdb->prefix}redirection_modules.name AS module_name,{$wpdb->prefix}redirection_groups.name AS group_name,{$wpdb->prefix}redirection_groups.id FROM {$wpdb->prefix}redirection_groups INNER JOIN {$wpdb->prefix}redirection_modules ON {$wpdb->prefix}redirection_modules.id={$wpdb->prefix}redirection_groups.module_id ORDER BY {$wpdb->prefix}redirection_modules.name,{$wpdb->prefix}redirection_groups.position" ) );
John Bates says
Drew,
Thank you SO much for this information. I was really scratching my head trying to figure out how to solve this problem.
Cheers,
JB
Rich says
Thanks. I applied this today.
LiewCF says
This solved the problem! Thanks!
Soren says
It works for me. Thank you!
Calixus says
Thank you very much, problem solved!
Gal Baras says
This is like taking out the red light telling you the car is out of gas. Variables should now be passed in as arguments to $wpdb->prepare() for SECURITY reasons. Turning off the warning accomplishes nothing. This issue should be handled by the plugin developer(s) and I’ll bet this will be coming soon.
Andy says
@Gal You’re correct about $wpdb->prepare() being used for security reasons, the problem here is that there’s no security reason for which it is being used.
Preparing a SQL statement is to ensure you’ve got clean input, while there are variables being used in the query on line 70, there is no user input. $wpdb->prefix is the only variable in the statement, used for ensuring proper table names in the query.
Any concerns about SQL injection from $wpdb properties is a larger security concern, as someone having access to modifying $wpdb’s properties has access to directly attack the database.
Using $wpdb->prepare() is pointless without %d (integer), %f (float) or %s (string) replacements. Otherwise it’s just overhead code, which is probably why core now requires at least one argument (see Nacin’s post on Make::Core: http://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/).
@Drew I would update that to simply removing the $wpdb->prepare() call and NOT adding $wpdb->query() because $wpdb->get_results() already queries and returns an array of results.
Here’s a gist of what I’d do: https://gist.github.com/4565222
Sorinu says
Thanks buddy!
Yerbouti says
Thanks! Short but efficient!
Pakar Online says
Hi Drew, thanks for this post. I had been looking to resolve the issue and I left the message on this page: http://wordpress.org/support/topic/warning-missing-argument-2-for-wpdbprepare-14?replies=3#post-3740675
Hopefully John (the plugin creator) will fix it asap.
And lucky I landed on this page now.
Thanks again.
Mathieu Chartier says
Awesome!! You made my day :)
Camer says
It worked like magic!
Thank you. It saved me a lot of my time.
ink says
THANK YOU SO MUCH :)