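--- a/wp-includes/meta.php	(revision 14540)
+++ b/wp-includes/meta.php	(working copy)
@@ -21,7 +21,7 @@
 *
 * @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
 * @param int $object_id ID of the object metadata is for
- * @param string $meta_key Metadata key
+ * @param string $meta_key Metadata key. Expected unslashed.
 * @param string $meta_value Metadata value
 * @param bool $unique Optional, default is false. Whether the specified metadata key should be
 * unique for the object. If true, and the object already has a value for the specified
@@ -42,9 +42,6 @@
 
 $column = esc_sql($meta_type . '_id');
 
- // expected_slashed ($meta_key)
- $meta_key = stripslashes($meta_key);
-
 if ( $unique && $wpdb->get_var( $wpdb->prepare(
 "SELECT COUNT(*) FROM $table WHERE meta_key = %s AND $column = %d",
 $meta_key, $object_id ) ) )
@@ -82,7 +79,7 @@
 *
 * @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
 * @param int $object_id ID of the object metadata is for
- * @param string $meta_key Metadata key
+ * @param string $meta_key Metadata key. Expected unslashed.
 * @param string $meta_value Metadata value
 * @param string $prev_value Optional. If specified, only update existing metadata entries with
 * the specified value. Otherwise, update all entries.
@@ -103,9 +100,6 @@
 $column = esc_sql($meta_type . '_id');
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
- // expected_slashed ($meta_key)
- $meta_key = stripslashes($meta_key);
-
 if ( ! $meta_id = $wpdb->get_var( $wpdb->prepare( "SELECT $id_column FROM $table WHERE meta_key = %s AND $column = %d", $meta_key, $object_id ) ) )
 return add_metadata($meta_type, $object_id, $meta_key, $meta_value);
 
@@ -143,7 +137,7 @@
 *
 * @param string $meta_type Type of object metadata is for (e.g., comment, post, or user)
 * @param int $object_id ID of the object metadata is for
- * @param string $meta_key Metadata key
+ * @param string $meta_key Metadata key. Expected unslashed.
 * @param string $meta_value Optional. Metadata value. If specified, only delete metadata entries
 * with this value. Otherwise, delete all entries with the specified meta_key.
 * @param bool $delete_all Optional, default is false. If true, delete matching metadata entries
@@ -165,8 +159,7 @@
 
 $type_column = esc_sql($meta_type . '_id');
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
- // expected_slashed ($meta_key)
- $meta_key = stripslashes($meta_key);
+
 $meta_value = maybe_serialize( stripslashes_deep($meta_value) );
 
 $query = $wpdb->prepare( "SELECT $id_column FROM $table WHERE meta_key = %s", $meta_key );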
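Review bot: In the last hunk (delete_metadata), `$meta_key` now reaches `$wpdb->prepare()` unslashed while the very next line still runs `stripslashes_deep($meta_value)`, so key and value follow opposite slashing contracts and only the key's is documented. The same split may hold for add_metadata and update_metadata, but their bodies extend beyond the hunks shown, so the value handling there cannot be confirmed from here. I would state the value's contract on each docblock, e.g. `* @param string $meta_value Metadata value. Expected slashed.`, or move the value to the unslashed contract in the same change. Any caller not updated alongside this patch that still passes a slashed key will now store and look up the key with literal backslashes; the `%s` placeholder keeps that from being an injection issue, but the lookup will silently miss existing rows.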