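Index: wp-includes/query.php
===================================================================
--- wp-includes/query.php (revision 17692)
+++ wp-includes/query.php (working copy)
@@ -2290,33 +2290,49 @@
 
 $where .= $search . $whichauthor . $whichmimetype;
 
- if ( empty($q['order']) || ((strtoupper($q['order']) != 'ASC') && (strtoupper($q['order']) != 'DESC')) )
+ if ( empty($q['order']) || !in_array( strtoupper($q['order']), array('ASC', 'DESC') ) )
 $q['order'] = 'DESC';
 
 // Order by
- if ( empty($q['orderby']) ) {
- $orderby = "$wpdb->posts.post_date " . $q['order'];
- } elseif ( 'none' == $q['orderby'] ) {
+ if ( empty($q['orderby']) )
+ $q_orderby = array();
+ elseif ( is_array( $q['orderby'] ) )
+ $q_orderby = $q['orderby'];
+ else
+ $q_orderby = explode(' ', $q['orderby']);
+
+ // Used to filter values
+ $allowed_keys = array('author', 'date', 'title', 'modified', 'menu_order', 'parent', 'ID', 'rand', 'comment_count');
+ $orderby_array = array();
+
+ foreach ( $q_orderby as $_order ) {
+ if ( empty($_order) )
+ continue;
 $orderby = '';
- } else {
- // Used to filter values
- $allowed_keys = array('author', 'date', 'title', 'modified', 'menu_order', 'parent', 'ID', 'rand', 'comment_count');
- if ( !empty($q['meta_key']) ) {
- $allowed_keys[] = $q['meta_key'];
- $allowed_keys[] = 'meta_value';
- $allowed_keys[] = 'meta_value_num';
- }
- $q['orderby'] = urldecode($q['orderby']);
- $q['orderby'] = addslashes_gpc($q['orderby']);
+ $order = '';
+ $field = '';
+ $meta_key = '';
+ $value = null;
 
- $orderby_array = array();
- foreach ( explode( ' ', $q['orderby'] ) as $i => $orderby ) {
- // Only allow certain values for safety
- if ( ! in_array($orderby, $allowed_keys) )
+ if ( ! is_array( $_order ) )
+ $field = urldecode($_order);
+ else
+ extract($_order, EXTR_OVERWRITE);
+
+ // Skip over empty data sets.
+ if ( empty( $field ) ) {
+ if ( '' === $meta_key )
 continue;
+ $field = 'meta_value';
+ }
 
- switch ( $orderby ) {
+ if ( empty( $order ) || !in_array( strtoupper($order), array('ASC', 'DESC') ) )
+ $order = $q['order'];
+
+ if ( in_array($field, $allowed_keys) ) {
+ switch ( $field ) {
 case 'menu_order':
+ $orderby = "$wpdb->posts.menu_order";
 break;
 case 'ID':
 $orderby = "$wpdb->posts.ID";
@@ -2324,29 +2340,43 @@
 case 'rand':
 $orderby = 'RAND()';
 break;
- case $q['meta_key']:
- case 'meta_value':
- $orderby = "$wpdb->postmeta.meta_value";
- break;
- case 'meta_value_num':
- $orderby = "$wpdb->postmeta.meta_value+0";
- break;
 case 'comment_count':
 $orderby = "$wpdb->posts.comment_count";
 break;
- default:
- $orderby = "$wpdb->posts.post_" . $orderby;
+ default: // author, date, title, modified, parent
+ $orderby = "$wpdb->posts.post_" . $wpdb->escape( $field );
 }
+ } elseif ( ! empty( $q['meta_query'] ) ) {
+ $i = 0;
+ foreach ( (array) $q['meta_query'] as $mq ) {
+ if ( empty($mq['key']) )
+ continue;
 
+ // Fieldnames *may* be a queried meta_key
+ if ( '' === $meta_key && $field == $mq['key'] )
+ $meta_key = $field;
+
+ if ( $meta_key == $mq['key'] ) {
+ $alias = $i ? 'mt' . $i : $wpdb->postmeta; // See wp-includes/meta.php _get_meta_sql() for alias names
+ if ( 'meta_value' == $field )
+ $orderby = "$alias.meta_value";
+ elseif ( 'meta_value_num' == $field )
+ $orderby = "$alias.meta_value+0";
+ break; // out of the foreach
+ }
+ $i++;
+ }
+ }
+ if ( !empty($orderby) ) {
+ if ( null !== $value )
+ $orderby = $wpdb->prepare("($orderby = %s)", $value);
+ $orderby .= ' ' . $order;
 $orderby_array[] = $orderby;
 }
- $orderby = implode( ',', $orderby_array );
-
- if ( empty( $orderby ) )
- $orderby = "$wpdb->posts.post_date ".$q['order'];
- else
- $orderby .= " {$q['order']}";
 }
+ $orderby = implode( ', ', $orderby_array );
+ if ( empty( $orderby ) )
+ $orderby = "$wpdb->posts.post_date " . $q['order'];
 
 if ( is_array( $post_type ) ) {
 $post_type_cap = 'multiple_post_type';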
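Review bot: `extract($_order, EXTR_OVERWRITE)` in the first hunk imports every key of a caller-supplied orderby element into the function's local scope, so an element carrying keys such as `q`, `wpdb`, `allowed_keys` or `orderby_array` overwrites those locals before the allow-list check runs, while the loop only ever reads `field`, `order`, `meta_key` and `value`. Assigning those four keys explicitly removes the scope pollution and keeps `$field`/`$order` strings before they reach `in_array()` and `strtoupper()`; passing `true` to both `in_array()` calls in this hunk also stops a non-string field from loosely matching an allowed key. A string `orderby=meta_value` now only resolves when a matching entry exists in `$q['meta_query']`; if the `meta_key` query var is not folded into `meta_query` before this point, that case silently falls back to `post_date`, which deserves a comment or a test. The enclosing function starts and ends outside both hunks.
```php
if ( ! is_array( $_order ) ) {
    $field = urldecode( $_order );
} else {
    // Read only the keys this loop uses; never import caller-supplied keys into local scope.
    $field    = isset( $_order['field'] )    ? (string) $_order['field']    : '';
    $order    = isset( $_order['order'] )    ? (string) $_order['order']    : '';
    $meta_key = isset( $_order['meta_key'] ) ? (string) $_order['meta_key'] : '';
    $value    = isset( $_order['value'] )    ? $_order['value']             : null;
}
// … unchanged: empty-field handling, order validation, allowed-key switch …
```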