From 1603a9e067230faccad549ec8c0c62f7b1704a5e Mon Sep 17 00:00:00 2001
From: Gary Pendergast <gary@pento.net>
Date: Mon, 2 Oct 2017 02:11:47 +0000
Subject: [PATCH] Database: Throw a notice if `wpdb::prepare()` is called with
 an incorrect number of arguments

`wpdb::prepare()` currently gives no information if the number of arguments passed doesn't match the number of placeholders in the query. This change gives an explicit notice that the call was incorrect.

Also fixes an enrelated term meta test that was triggering this new notice.

Props thekt12 for the initial patch.
Fixes #42040.


Built from https://develop.svn.wordpress.org/trunk@41662


git-svn-id: http://core.svn.wordpress.org/trunk@41496 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/version.php |  2 +-
 wp-includes/wp-db.php   | 17 +++++++++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/wp-includes/version.php b/wp-includes/version.php
index 35d0d5641a..7ad8ecb485 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '4.9-alpha-41661';
+$wp_version = '4.9-alpha-41662';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php
index 5ed0673bee..76b6574453 100644
--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -1251,7 +1251,20 @@ class wpdb {
 		$query = str_replace( '"%s"', '%s', $query ); // doublequote unquoting
 		$query = preg_replace( '|(?<!%)%f|' , '%F', $query ); // Force floats to be locale unaware
 		$query = preg_replace( '|(?<!%)%s|', "'%s'", $query ); // quote the strings, avoiding escaped strings like %%s
-		$query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query ); // escape any unescaped percents 
+		$query = preg_replace( '/%(?:%|$|([^dsF]))/', '%%\\1', $query ); // escape any unescaped percents
+
+		// Count the number of valid placeholders in the query
+		$placeholders = preg_match_all( '/(^|[^%]|(%%)+)%[sdF]/', $query );
+
+		if ( count ( $args ) !== $placeholders ) {
+			_doing_it_wrong( 'wpdb::prepare',
+				sprintf( __( 'The query does not contain the correct number of placeholders (%d) for the number of arguments passed (%d).' ),
+					$placeholders,
+					count( $args ) ),
+				'4.9.0'
+			);
+		}
+
 		array_walk( $args, array( $this, 'escape_by_ref' ) );
 		return @vsprintf( $query, $args );
 	}
@@ -2046,7 +2059,7 @@ class wpdb {
 		$conditions = implode( ' AND ', $conditions );
 
 		$sql = "UPDATE `$table` SET $fields WHERE $conditions";
-
+		
 		$this->check_current_query = false;
 		return $this->query( $this->prepare( $sql, $values ) );
 	}