Ticket #3948: sanitized_query.php.diff
| File sanitized_query.php.diff, 10.9 KB (added by g30rg3x, 5 years ago) |
|---|
wp-includes/query.php
377 377 if ( !empty($query) || !isset($this->query) ) { 378 378 $this->init(); 379 379 if ( is_array($query) ) 380 $ qv = &$query;380 $this->query_vars = $query; 381 381 else 382 parse_str($query, $ qv);382 parse_str($query, $this->query_vars); 383 383 $this->query = $query; 384 $this->query_vars = $qv; 385 } 384 } 385 386 $this->query_vars = $this->fill_query_vars($this->query_vars); 387 $qv = &$this->query_vars; 386 388 387 $qv = $this->fill_query_vars($qv);388 389 389 if ( ! empty($qv['robots']) ) { 390 390 $this->is_robots = true; 391 391 return; … … 398 398 } 399 399 return; 400 400 } 401 401 402 $qv['p'] = (int) $qv['p']; 403 $qv['page_id'] = (int) $qv['page_id']; 404 $qv['year'] = (int) $qv['year']; 405 $qv['monthnum'] = (int) $qv['monthnum']; 406 $qv['day'] = (int) $qv['day']; 407 $qv['w'] = (int) $qv['w']; 402 408 $qv['m'] = (int) $qv['m']; 403 $qv['p'] = (int) $qv['p']; 409 if ( '' != $qv['hour'] ) $qv['hour'] = (int) $qv['hour']; 410 if ( '' != $qv['minute'] ) $qv['minute'] = (int) $qv['minute']; 411 if ( '' != $qv['second'] ) $qv['second'] = (int) $qv['second']; 404 412 405 413 // Compat. Map subpost to attachment. 
406 414 if ( '' != $qv['subpost'] ) … … 408 416 if ( '' != $qv['subpost_id'] ) 409 417 $qv['attachment_id'] = $qv['subpost_id']; 410 418 411 if ( ('' != $qv['attachment']) || (int) $qv['attachment_id'] ) { 419 $qv['attachment_id'] = (int) $qv['attachment_id']; 420 421 if ( ('' != $qv['attachment']) || !empty($qv['attachment_id']) ) { 412 422 $this->is_single = true; 413 423 $this->is_attachment = true; 414 } elseif ( '' != $qv['name']) {424 } elseif ( '' != $qv['name'] ) { 415 425 $this->is_single = true; 416 426 } elseif ( $qv['p'] ) { 417 427 $this->is_single = true; 418 } elseif (('' != $qv['hour']) && ('' != $qv['minute']) &&('' != $qv['second']) && ('' != $qv['year']) && ('' != $qv['monthnum']) && ('' != $qv['day'])) { 428 } elseif ( ('' != $qv['hour']) && ('' != $qv['minute']) &&('' != $qv['second']) && ('' != $qv['year']) && ('' != $qv['monthnum']) && ('' != $qv['day']) ) 429 { 419 430 // If year, month, day, hour, minute, and second are set, a single 420 431 // post is being queried. 421 432 $this->is_single = true; 422 } elseif ( '' != $qv['static'] || '' != $qv['pagename'] || (int) $qv['page_id']) {433 } elseif ( '' != $qv['static'] || '' != $qv['pagename'] || !empty($qv['page_id']) ) { 423 434 $this->is_page = true; 424 435 $this->is_single = false; 425 } elseif ( !empty($qv['s'])) {436 } elseif ( !empty($qv['s']) ) { 426 437 $this->is_search = true; 427 438 } else { 428 439 // Look for archive queries. Dates, categories, authors. 429 440 430 if ( (int) $qv['second']) {441 if ( '' != $qv['second'] ) { 431 442 $this->is_time = true; 432 443 $this->is_date = true; 433 444 } 434 445 435 if ( (int) $qv['minute']) {446 if ( '' != $qv['minute'] ) { 436 447 $this->is_time = true; 437 448 $this->is_date = true; 438 449 } 439 450 440 if ( (int) $qv['hour']) {451 if ( '' != $qv['hour'] ) { 441 452 $this->is_time = true; 442 453 $this->is_date = true; 443 454 } 444 455 445 if ( (int) $qv['day']) {456 if ( $qv['day'] ) { 446 457 if (! 
$this->is_date) { 447 458 $this->is_day = true; 448 459 $this->is_date = true; 449 460 } 450 461 } 451 462 452 if ( (int) $qv['monthnum']) {463 if ( $qv['monthnum'] ) { 453 464 if (! $this->is_date) { 454 465 $this->is_month = true; 455 466 $this->is_date = true; 456 467 } 457 468 } 458 469 459 if ( (int) $qv['year']) {470 if ( $qv['year'] ) { 460 471 if (! $this->is_date) { 461 472 $this->is_year = true; 462 473 $this->is_date = true; 463 474 } 464 475 } 465 476 466 if ( (int) $qv['m']) {477 if ( $qv['m'] ) { 467 478 $this->is_date = true; 468 479 if (strlen($qv['m']) > 9) { 469 480 $this->is_time = true; … … 480 491 $this->is_date = true; 481 492 } 482 493 483 if ( empty($qv['cat']) || ($qv['cat'] == '0')) {494 if ( empty($qv['cat']) || ($qv['cat'] == '0') ) { 484 495 $this->is_category = false; 485 496 } else { 486 497 if (stristr($qv['cat'],'-')) { … … 490 501 } 491 502 } 492 503 493 if ( '' != $qv['category_name']) {504 if ( '' != $qv['category_name'] ) { 494 505 $this->is_category = true; 495 506 } 496 507 497 if ( (empty($qv['author'])) || ($qv['author'] == '0')) {508 if ( empty($qv['author']) || ($qv['author'] == '0') ) { 498 509 $this->is_author = false; 499 510 } else { 500 511 $this->is_author = true; 501 512 } 502 513 503 if ( '' != $qv['author_name']) {514 if ( '' != $qv['author_name'] ) { 504 515 $this->is_author = true; 505 516 } 506 517 507 if ( ($this->is_date || $this->is_author || $this->is_category) ) {518 if ( ($this->is_date || $this->is_author || $this->is_category) ) 508 519 $this->is_archive = true; 509 520 } 510 } 511 512 if ('' != $qv['feed']) { 521 522 if ( '' != $qv['feed'] ) 513 523 $this->is_feed = true; 514 } 515 516 if ('' != $qv['tb']) { 524 525 if ( '' != $qv['tb'] ) 517 526 $this->is_trackback = true; 518 } 519 520 if ('' != $qv['paged']) { 527 528 if ( '' != $qv['paged'] ) 521 529 $this->is_paged = true; 522 }523 530 524 if ( '' != $qv['comments_popup']) {531 if ( '' != $qv['comments_popup'] ) 525 532 $this->is_comments_popup = 
true; 526 }527 533 528 534 //if we're previewing inside the write screen 529 if ('' != $qv['preview']) {535 if ('' != $qv['preview']) 530 536 $this->is_preview = true; 531 }532 537 533 if ( strstr($_SERVER['PHP_SELF'], 'wp-admin/')) {538 if ( strpos($_SERVER['PHP_SELF'], 'wp-admin/') !== false ) 534 539 $this->is_admin = true; 535 }536 540 537 541 if ( $this->is_single || $this->is_page || $this->is_attachment ) 538 542 $this->is_singular = true; 539 543 540 if ( ! ($this->is_singular || $this->is_archive || $this->is_search || $this->is_feed || $this->is_trackback || $this->is_404 || $this->is_admin || $this->is_comments_popup)) {544 if ( ! ($this->is_singular || $this->is_archive || $this->is_search || $this->is_feed || $this->is_trackback || $this->is_404 || $this->is_admin || $this->is_comments_popup)) 541 545 $this->is_home = true; 542 }543 546 544 if ( !empty($query) ) {547 if ( !empty($query) ) 545 548 do_action_ref_array('parse_query', array(&$this)); 546 }547 549 } 548 550 549 551 function set_404() { … … 634 636 $wp_posts_post_date_field = "post_date"; // "DATE_ADD(post_date, INTERVAL '$add_hours:$add_minutes' HOUR_MINUTE)"; 635 637 636 638 // If a month is specified in the querystring, load that month 637 if ( (int) $q['m'] ) {639 if ( $q['m'] ) { 638 640 $q['m'] = '' . preg_replace('|[^0-9]|', '', $q['m']); 639 641 $where .= ' AND YEAR(post_date)=' . substr($q['m'], 0, 4); 640 642 if (strlen($q['m'])>5) … … 649 651 $where .= ' AND SECOND(post_date)=' . substr($q['m'], 12, 2); 650 652 } 651 653 652 if ( (int) $q['hour'] ) { 653 $q['hour'] = '' . intval($q['hour']); 654 if ( '' != $q['hour'] ) 654 655 $where .= " AND HOUR(post_date)='" . $q['hour'] . "'"; 655 }656 656 657 if ( (int) $q['minute'] ) { 658 $q['minute'] = '' . intval($q['minute']); 657 if ( '' != $q['minute'] ) 659 658 $where .= " AND MINUTE(post_date)='" . $q['minute'] . "'"; 660 }661 659 662 if ( (int) $q['second'] ) { 663 $q['second'] = '' . 
intval($q['second']); 660 if ( '' != $q['second'] ) 664 661 $where .= " AND SECOND(post_date)='" . $q['second'] . "'"; 665 }666 662 667 if ( (int) $q['year'] ) { 668 $q['year'] = '' . intval($q['year']); 663 if ( $q['year'] ) 669 664 $where .= " AND YEAR(post_date)='" . $q['year'] . "'"; 670 }671 665 672 if ( (int) $q['monthnum'] ) { 673 $q['monthnum'] = '' . intval($q['monthnum']); 666 if ( $q['monthnum'] ) 674 667 $where .= " AND MONTH(post_date)='" . $q['monthnum'] . "'"; 675 }676 668 677 if ( (int) $q['day'] ) { 678 $q['day'] = '' . intval($q['day']); 669 if ( $q['day'] ) 679 670 $where .= " AND DAYOFMONTH(post_date)='" . $q['day'] . "'"; 680 }681 671 682 // Compat. Map subpost to attachment.683 if ( '' != $q['subpost'] )684 $q['attachment'] = $q['subpost'];685 if ( '' != $q['subpost_id'] )686 $q['attachment_id'] = $q['subpost_id'];687 672 688 673 if ('' != $q['name']) { 689 674 $q['name'] = sanitize_title($q['name']); … … 715 700 $where .= " AND post_name = '" . $q['attachment'] . "'"; 716 701 } 717 702 718 if ( (int) $q['w'] ) { 719 $q['w'] = ''.intval($q['w']); 703 if ( $q['w'] ) 720 704 $where .= " AND WEEK(post_date, 1)='" . $q['w'] . "'"; 721 }722 705 723 706 if ( intval($q['comments_popup']) ) 724 707 $q['p'] = intval($q['comments_popup']); 725 708 726 // If a attachment is requested by number, let it supercede any post number.727 if ( ($q['attachment_id'] != '') && (intval($q['attachment_id']) != 0) )728 $q['p'] = (int)$q['attachment_id'];709 // If an attachment is requested by number, let it supercede any post number. 710 if ( $q['attachment_id'] ) 711 $q['p'] = $q['attachment_id']; 729 712 730 713 // If a post number is specified, load that post 731 if (($q['p'] != '') && intval($q['p']) != 0) { 732 $q['p'] = (int) $q['p']; 714 if ( $q['p'] ) 733 715 $where = ' AND ID = ' . 
$q['p']; 734 }735 716 736 if (($q['page_id'] != '') && (intval($q['page_id']) != 0)) { 737 $q['page_id'] = intval($q['page_id']); 717 if ( $q['page_id'] ) { 738 718 if ( ('page' == get_option('show_on_front') ) && ( $q['page_id'] == get_option('page_for_posts') ) ) { 739 719 $this->is_singular = false; 740 720 $this->is_page = false; … … 742 722 $this->is_posts_page = true; 743 723 } else { 744 724 $q['p'] = $q['page_id']; 745 $where = ' AND ID = ' .$q['page_id'];725 $where = ' AND ID = ' . $q['page_id']; 746 726 } 747 727 } 748 728 749 729 // If a search pattern is specified, load the posts that match 750 if ( !empty($q['s'])) {730 if ( !empty($q['s']) ) { 751 731 // added slashes screw with quote grouping when done early, so done later 752 732 $q['s'] = stripslashes($q['s']); 753 733 if ($q['sentence']) { … … 774 754 775 755 // Category stuff 776 756 777 if ( (empty($q['cat'])) || ($q['cat'] == '0') ||757 if ( empty($q['cat']) || ($q['cat'] == '0') || 778 758 // Bypass cat checks if fetching specific posts 779 ( $this->is_single || $this->is_page )) {780 $whichcat='';759 $this->is_singular ) { 760 $whichcat = ''; 781 761 } else { 782 762 $q['cat'] = ''.urldecode($q['cat']).''; 783 763 $q['cat'] = addslashes_gpc($q['cat']); … … 814 794 } 815 795 816 796 // Category stuff for nice URLs 817 if ( '' != $q['category_name']) {797 if ( '' != $q['category_name'] ) { 818 798 $reqcat = get_category_by_path($q['category_name']); 819 799 $q['category_name'] = str_replace('%2F', '/', urlencode(urldecode($q['category_name']))); 820 800 $cat_paths = '/' . 
trim($q['category_name'], '/'); … … 849 829 850 830 // Author/user stuff 851 831 852 if ( (empty($q['author'])) || ($q['author'] == '0')) {832 if ( empty($q['author']) || ($q['author'] == '0') ) { 853 833 $whichauthor=''; 854 834 } else { 855 835 $q['author'] = ''.urldecode($q['author']).''; … … 889 869 890 870 $where .= $search.$whichcat.$whichauthor; 891 871 892 if ( (empty($q['order'])) || ((strtoupper($q['order']) != 'ASC') && (strtoupper($q['order']) != 'DESC'))) {872 if ( empty($q['order']) || ((strtoupper($q['order']) != 'ASC') && (strtoupper($q['order']) != 'DESC')) ) 893 873 $q['order']='DESC'; 894 }895 874 896 875 // Order by 897 if ( empty($q['orderby'])) {876 if ( empty($q['orderby']) ) { 898 877 $q['orderby'] = 'post_date '.$q['order']; 899 878 } else { 900 879 // Used to filter values … … 950 929 $join = apply_filters('posts_join', $join); 951 930 952 931 // Paging 953 if ( empty($q['nopaging']) && !$this->is_singular) {932 if ( empty($q['nopaging']) && !$this->is_singular ) { 954 933 $page = abs(intval($q['paged'])); 955 934 if (empty($page)) { 956 935 $page = 1;
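Review bot: The date clauses in get_posts() now interpolate `$q['hour']`, `$q['minute']`, `$q['second']`, `$q['year']`, `$q['monthnum']`, `$q['day']` and `$q['w']` into `$where` with no local cast, trusting the `(int)` casts added to parse_query(), while the `$q['m']` branch just above them keeps its own `preg_replace`, so the two paths now disagree on where input is made safe. Any caller that populates `query_vars` without going through parse_query(), or that alters them between parsing and get_posts(), would pass the raw string straight into SQL, so I would keep a cast at the point of use, e.g. `$where .= " AND HOUR(post_date)='" . intval($q['hour']) . "'";` for each of the seven clauses. Separately, after the cast a midnight request makes `$qv['hour']` the integer 0, and the loose `'' != $qv['hour']` tests at the is_time and HOUR() sites evaluate false under PHP 5-era comparison rules (`'' == 0` is true), so an hour, minute or second of 0 is silently dropped from the query; `'' !== $qv['hour']` (and likewise for minute/second) avoids that, assuming fill_query_vars() defaults these vars to the empty string. Both parse_query() and get_posts() begin before these hunks, and the final paging hunk ends inside get_posts().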
