Ticket #10041: 10041.4.diff
File 10041.4.diff, 2.2 KB (added by , 15 years ago) |
---|
-
wp-includes/taxonomy.php
866 866 } 867 867 868 868 if ( !empty($search) ) { 869 $search = like_escape($search);869 $search = esc_sql(like_escape(stripslashes($search))); 870 870 $where .= " AND (t.name LIKE '%$search%')"; 871 871 } 872 872 -
wp-includes/bookmark.php
181 181 } 182 182 183 183 if ( ! empty($search) ) { 184 $search = like_escape($search);184 $search = esc_sql(like_escape(stripslashes($search))); 185 185 $search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) "; 186 186 } 187 187 -
wp-includes/formatting.php
2325 2325 * 2326 2326 * @since 2.5.0 2327 2327 * 2328 * @param string $text The text to be escaped .2329 * @return string text, safe for inclusion in LIKE query.2328 * @param string $text The text to be escaped (expected unslashed). 2329 * @return string text, NOT safe for inclusion in LIKE query (needs an additional esc_sql()). 2330 2330 */ 2331 2331 function like_escape($text) { 2332 return str_replace(array("%", "_"), array("\\%", "\\_"), $text);2332 return addcslashes($text, '_%\\'); 2333 2333 } 2334 2334 2335 2335 /** -
wp-admin/ms-sites.php
328 328 default: 329 329 $apage = ( isset($_GET['apage'] ) && intval( $_GET['apage'] ) ) ? absint( $_GET['apage'] ) : 1; 330 330 $num = ( isset($_GET['num'] ) && intval( $_GET['num'] ) ) ? absint( $_GET['num'] ) : 15; 331 $s = isset($_GET['s']) ? esc_attr( trim( $_GET[ 's' ] ) ) : ''; 332 $like_s = like_escape($s); 331 $s = isset($_GET['s']) ? stripslashes(trim( $_GET[ 's' ])) : ''; 332 $like_s = esc_sql(like_escape($s)); 333 $s = esc_attr($s); 333 334 334 335 $query = "SELECT * FROM {$wpdb->blogs} WHERE site_id = '{$wpdb->siteid}' "; 335 336