Ticket #10649: query.php.2.diff
| File query.php.2.diff, 1.5 KB (added by , 15 years ago) |
|---|
-
wp-includes/query.php
2021 2021 if ( !empty($q['meta_key']) ) { 2022 2022 $allowed_keys[] = $q['meta_key']; 2023 2023 $allowed_keys[] = 'meta_value'; 2024 $allowed_keys[] = 'meta_value_num'; 2024 2025 } 2025 2026 $q['orderby'] = urldecode($q['orderby']); 2026 2027 $q['orderby'] = addslashes_gpc($q['orderby']); … … 2028 2029 if ( empty($orderby_array) ) 2029 2030 $orderby_array[] = $q['orderby']; 2030 2031 $q['orderby'] = ''; 2032 2031 2033 for ($i = 0; $i < count($orderby_array); $i++) { 2034 $orderby = $orderby_array[$i]; 2035 2032 2036 // Only allow certain values for safety 2033 $orderby = $orderby_array[$i]; 2037 if ( ! in_array($orderby, $allowed_keys) ) 2038 continue; 2039 2034 2040 switch ($orderby) { 2035 2041 case 'menu_order': 2036 2042 break; … … 2044 2050 case 'meta_value': 2045 2051 $orderby = "$wpdb->postmeta.meta_value"; 2046 2052 break; 2053 case 'meta_value_num': 2054 $orderby = "$wpdb->postmeta.meta_value+0"; 2055 break; 2047 2056 case 'comment_count': 2048 2057 $orderby = "$wpdb->posts.comment_count"; 2049 2058 break; 2050 2059 default: 2051 2060 $orderby = "$wpdb->posts.post_" . $orderby; 2052 2061 } 2053 if ( in_array($orderby_array[$i], $allowed_keys) ) 2054 2062 2063 $q['orderby'] .= (($i == 0) ? '' : ',') . $orderby; 2055 2064 } 2065 2056 2066 // append ASC or DESC at the end 2057 2067 if ( !empty($q['orderby'])) 2058 2068 $q['orderby'] .= " {$q['order']}";