Index: wp-includes/wp-db.php
===================================================================
--- wp-includes/wp-db.php	(revision 9492)
+++ wp-includes/wp-db.php	(working copy)
@@ -106,6 +106,15 @@
 	var $col_info;
 
 	/**
+	 * Saved info on the table columns
+	 *
+	 * @since 2.7.0
+	 * @access private
+	 * @var array
+	 */
+	var $column_types = array();
+
+	/**
 	 * Saved queries that were executed
 	 *
 	 * @since 1.5.0
@@ -629,6 +638,7 @@
 			$i = 0;
 			while ($i < @mysql_num_fields($this->result)) {
 				$this->col_info[$i] = @mysql_fetch_field($this->result);
+				$this->column_types[ $this->col_info[$i]->table ][ $this->col_info[$i]->name ] = $this->col_info[$i]->type;
 				$i++;
 			}
 			$num_rows = 0;
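Review bot: The added line caches a type under whatever `table` and `name` the result metadata reports, and with ext/mysql both of those are the alias when the query defines one, so any earlier query can store a wrong type for a real column. A SELECT that aliases an integer column to the name of a text column on the same table would make a later insert() or update() pick `%d` for that text column and coerce its value to a number. Expression columns would also be cached under an empty table key. Consider dropping this line from the generic result loop and filling `$this->column_types[$table][$col]` only from the alias-free `SELECT ... LIMIT 1` in prepare_columns(). The enclosing query() method starts and ends outside this hunk.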
@@ -659,9 +669,25 @@
 	 * @return mixed Results of $this->query()
 	 */
 	function insert($table, $data) {
-		$data = add_magic_quotes($data);
 		$fields = array_keys($data);
-		return $this->query("INSERT INTO $table (`" . implode('`,`',$fields) . "`) VALUES ('".implode("','",$data)."')");
+
+		$insertfields = $insertfieldtypes = $prepbits = array();
+
+		$types = $this->prepare_columns($table, $keys = array_keys($data));
+
+		foreach( (array)$data as $field => $piece ) {
+			$insertfields[] = $field;
+			$insertfieldtypes[] = $types[$field];
+			$prepbits[] = $piece;
+		}
+
+		$sql = 'INSERT INTO ' . $table;
+		$sql .= ' (`' . implode('`,`', $insertfields) . '`)';
+		$sql .= ' VALUES (' . implode(',', $insertfieldtypes) . ')';
+
+		$sql = call_user_func_array(array(&$this, 'prepare'), array_merge(array($sql), $prepbits));
+
+		return $this->query( $sql );
 	}
 
 	/**
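Review bot: Only the values pass through prepare() in the new insert(); `$table` and the keys of `$data` are still concatenated into the statement. Those keys now also reach the `SELECT` built in prepare_columns(), whose own docblock marks them as not sanitized. A key containing a backtick ends the quoted identifier, and a key containing `%` would be read as a format token if prepare() is sprintf-based, as the tokens suggest. Rejecting such names before building the SQL, e.g. `if ( preg_match('/[^A-Za-z0-9_]/', $field) ) return false;` inside the loop, closes that, and the same applies to the `$data` and `$where` keys in update(). `$fields` and `$keys` are now assigned but never read and can be removed.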
@@ -675,21 +701,79 @@
 	 * @return mixed Results of $this->query()
 	 */
 	function update($table, $data, $where){
-		$data = add_magic_quotes($data);
-		$bits = $wheres = array();
-		foreach ( (array) array_keys($data) as $k )
-			$bits[] = "`$k` = '$data[$k]'";
+		if ( empty($table) || empty($where) )
+			return;
 
-		if ( is_array( $where ) )
-			foreach ( $where as $c => $v )
-				$wheres[] = "$c = '" . $this->escape( $v ) . "'";
-		else
-			return false;
+		$bits = $wheres = $prepbits = array();
 
-		return $this->query( "UPDATE $table SET " . implode( ', ', $bits ) . ' WHERE ' . implode( ' AND ', $wheres ) );
+		$sql = "UPDATE $table SET ";
+
+		$types = $this->prepare_columns($table, array_merge(array_keys($data), array_keys($where)) );
+
+		foreach ( array_keys($data) as $k ) {
+			$bits[] = "`$k` = " . $types[$k];
+			$prepbits[] = $data[$k];
+		}
+
+		$sql .= implode( ', ', $bits );
+		
+		$sql .= ' WHERE ';
+
+		foreach ( array_keys($where) as $k ) {
+			$wheres[] = "`$k` = " . $types[$k];
+			$prepbits[] = $where[$k];			
+		}
+		$sql .= implode( ' AND ', $wheres );
+
+		$sql = call_user_func_array(array(&$this, 'prepare'), array_merge(array($sql), $prepbits));
+
+		return $this->query( $sql );
 	}
 
 	/**
+	 * Determines a table column type sprintf()-style token
+	 *
+	 * Uses values cached from the previous queries,
+	 * Loads any column types with a simple SELECT .. LIMIT 1 of any fields which are not allready loaded.
+	 *
+	 * @param string $table WARNING: not sanitized!
+	 * @param array $cols array of columns to prepare. WARNING: not sanitized!
+	 * @return array of key => value pairs of field => token
+	 */
+	function prepare_columns($table, $cols) {
+		//Load any columns which are not allready cached.
+		$load_cols = array();
+		foreach ( (array) $cols as $col )
+			if ( ! isset($this->column_types[$table][$col]) )
+				$load_cols[] = $col;
+
+		if ( !empty($load_cols) ) {
+			$load_cols = implode('`,`', $load_cols);
+			$this->query("SELECT `$load_cols` FROM $table LIMIT 1");
+		}
+
+		$return = array();
+		foreach ( (array) $cols as $col ) {
+			switch ( $this->column_types[$table][$col] ) {
+				case 'int':
+					$return[$col] = '%d';
+					break;
+				case 'real':
+					$return[$col] = '%f';
+					break;
+				case 'date':
+				case 'datetime':
+				case 'string':
+				case 'blob':
+				default:
+					$return[$col] = '%s';
+					break;
+			}
+		}
+		return $return;
+	}
+
+	/**
 	 * Retrieve one variable from the database.
 	 *
 	 * This combines the functionality of wpdb::get_row() and wpdb::get_col(),
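Review bot: The token mapping in prepare_columns() changes how numeric values are written into the SQL. `%f` is locale-aware in PHP and prints six decimals by default, so under a locale with a comma decimal separator a 'real' value would be rendered like `1,500000`. `%d` cannot represent values beyond the native integer range, which matters for BIGINT ids on 32-bit builds, including ids passed in `$where`. Letting `case 'real':` fall through to the `'%s'` default keeps the previous quoted behaviour, and `%d` deserves a range check or the same fallback. Separately, update() dropped the old `is_array( $where )` guard and its early exit now returns null instead of `false`; `if ( empty($table) || ! is_array($where) || empty($where) ) return false;` would restore both.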
@@ -900,8 +984,7 @@
 	 *
 	 * @return WP_Error
 	 */
-	function check_database_version()
-	{
+	function check_database_version() {
 		global $wp_version;
 		// Make sure the server has MySQL 4.0
 		if ( version_compare($this->db_version(), '4.0.0', '<') )
@@ -917,8 +1000,7 @@
 	 *
 	 * @return bool True if collation is supported, false if version does not
 	 */
-	function supports_collation()
-	{
+	function supports_collation() {
 		return $this->has_cap( 'collation' );
 	}
 
