WordPress Release: 3.9.21

Tag Name: 3.9.21

Release Date: 10/31/2017

WordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 3.9.21 restores support for numbered placeholders in wpdb::prepare() queries, which was removed in version 3.9.20 (commit #41496). This update addresses a significant compatibility issue that affected many plugins and themes relying on this undocumented but widely used feature. The release also adds extra validation to ensure that the number of arguments passed to the function matches the number of placeholders used.

Highlights of the Release

    • Restored support for numbered placeholders in wpdb::prepare() database queries
    • Added validation to ensure correct argument count matches the number of placeholders
    • Fixed compatibility issues with plugins and themes that relied on numbered placeholders
    • Improved database query security with better parameter validation

Migration Guide

No specific migration steps are required for this update. This release restores functionality that was previously removed, making it a compatibility fix rather than a change requiring migration.

If you experienced issues with database queries after updating to WordPress 3.9.20 due to the removal of numbered placeholder support, updating to 3.9.21 should resolve these issues without requiring code changes.

Upgrade Recommendations

This update is highly recommended for all WordPress 3.9.x users, especially those who:

  • Experienced database-related errors after updating to 3.9.20
  • Use plugins or themes that might rely on numbered placeholders in database queries
  • Develop custom code that uses wpdb::prepare() with numbered placeholders

The update restores important compatibility functionality while adding improved validation, making it beneficial for security and stability.

Bug Fixes

Database Query Handling Fix

  • Fixed: Restored support for numbered placeholders in wpdb::prepare() that was removed in commit #41496
  • Fixed: Compatibility issues with plugins and themes that relied on the undocumented but widely-used numbered placeholder functionality
  • Issue Reference: See WordPress Trac ticket #41925

New Features

While this release doesn't introduce new features per se, it does restore functionality that was previously removed:

  • Restored Numbered Placeholders: Support for numbered placeholders (like %1$s, %2$d) in wpdb::prepare() has been reinstated
  • Added Placeholder Formatting Support: A subset of placeholder formatting options is now supported
  • Enhanced Validation: New checks ensure that the number of arguments passed to wpdb::prepare() matches the number of placeholders in the query

Security Updates

While not explicitly a security fix, the added validation that the number of arguments matches the number of placeholders in wpdb::prepare() helps prevent potential security issues that could arise from improperly prepared SQL queries. This validation makes database interactions more robust and less prone to errors that could potentially lead to security vulnerabilities.
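The argument-count validation described above can be approximated outside WordPress with a small pre-flight check for query templates. This is an added example, not WordPress core code or code from this release; the function names and the placeholder grammar (%d, %s, %f with an optional N$ index, flag, width and precision) are assumptions.

```php
<?php
// Added example, not WordPress core code. The placeholder grammar below
// (%d, %s, %f with optional N$ index, flag, width, precision) is an assumption.

function expected_arg_count(string $query): int
{
    // Literal percent signs (%%) are not placeholders.
    $stripped = str_replace('%%', '', $query);

    preg_match_all('/%(?:(\d+)\$)?[-+0]?\d*(?:\.\d+)?[dsf]/', $stripped, $m);
    $indexes  = array_map('intval', array_filter($m[1], 'strlen'));
    $total    = count($m[0]);
    $numbered = count($indexes);

    if ($numbered > 0 && $numbered < $total) {
        throw new InvalidArgumentException('Template mixes numbered and unnumbered placeholders.');
    }
    if ($numbered > 0 && min($indexes) < 1) {
        throw new InvalidArgumentException('Numbered placeholders start at 1.');
    }
    // Numbered placeholders may repeat, so the highest index sets the count.
    return $numbered > 0 ? max($indexes) : $total;
}

function check_prepare_call(string $query, array $args): string
{
    try {
        $expected = expected_arg_count($query);
    } catch (InvalidArgumentException $e) {
        return 'REJECT: ' . $e->getMessage();
    }
    $given = count($args);
    return $given === $expected
        ? "OK: $expected argument(s)"
        : "REJECT: template needs $expected argument(s), $given given";
}

// Constructed sample calls: template plus the arguments a caller would pass.
$samples = [
    ['SELECT * FROM wp_posts WHERE ID = %d AND post_status = %s', [7, 'publish']],
    ['SELECT * FROM wp_posts WHERE post_author = %1$d OR post_parent = %1$d', [3]],
    ['SELECT * FROM wp_posts WHERE post_title = %2$s AND ID = %1$d', [5]],
    ['SELECT * FROM wp_posts WHERE ID = %1$d AND post_type = %s', [5, 'page']],
    ["SELECT * FROM wp_posts WHERE post_title LIKE '%%draft%%' AND ID = %d", [9]],
];
foreach ($samples as [$query, $args]) {
    echo check_prepare_call($query, $args), '  <-  ', $query, PHP_EOL;
}
```

Run over the templates found in plugin or theme code, a check like this flags calls whose argument list no longer lines up with the placeholders before they reach the database layer.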

Performance Improvements

This release does not contain any specific performance improvements. The changes are focused on restoring compatibility and improving validation for database queries.

Impact Summary

WordPress 3.9.21 addresses a significant compatibility issue introduced in 3.9.20 that affected many plugins and themes. By restoring support for numbered placeholders in wpdb::prepare(), this update prevents potential site breakage and ensures that existing code continues to function as expected.

The additional validation for ensuring correct argument counts improves the robustness of database queries, potentially preventing errors and security issues that could arise from improperly prepared SQL statements.

This release demonstrates WordPress's commitment to maintaining backward compatibility while still improving code quality and security. Although numbered placeholders were technically undocumented, their widespread use in the ecosystem made their removal problematic, and this update acknowledges the practical needs of the WordPress developer community.

Statistics:

  • Files Changed: 8
  • Line Additions: 580
  • Line Deletions: 51
  • Line Changes: 631
  • Total Commits: 3

Users Affected:

  • Developers who used numbered placeholders in `wpdb::prepare()` can continue using their existing code without modifications
  • Code that broke after updating to 3.9.20 should now function correctly again
  • Additional validation ensures better error detection when incorrect argument counts are provided

Contributors:

pento, swissspidy