
Ticket #12416: 12416.2.diff

File 12416.2.diff, 13.2 KB (added by ryan, 8 years ago)

Refreshed patch

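--- a/wp-includes/theme.php
+++ b/wp-includes/theme.php
@@ -1200,7 +1200,7 @@
 function get_theme_mod($name, $default = false) {
         $theme = get_current_theme();
 
-        $mods = get_option( esc_sql( "mods_$theme" ) );
+        $mods = get_option( "mods_$theme" );
 
         if ( isset($mods[$name]) )
                 return apply_filters( "theme_mod_$name", $mods[$name] );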
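--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -307,7 +307,7 @@
  * @uses apply_filters() Calls 'option_$option', after checking the option, with
  *      the option value.
  *
- * @param string $option Name of option to retrieve. Should already be SQL-escaped
+ * @param string $option Name of option to retrieve. Expected to not be SQL-escaped.
  * @return mixed Value set for the option.
  */
 function get_option( $option, $default = false ) {
@@ -339,8 +339,7 @@
                 if ( false === $value ) {
                         if ( defined( 'WP_INSTALLING' ) )
                                 $suppress = $wpdb->suppress_errors();
-                        // expected_slashed ($option)
-                        $row = $wpdb->get_row( "SELECT option_value FROM $wpdb->options WHERE option_name = '$option' LIMIT 1" );
+                        $row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = '%s' LIMIT 1", $option ) );
                         if ( defined( 'WP_INSTALLING' ) )
                                 $wpdb->suppress_errors( $suppress );
 
@@ -482,8 +481,8 @@
  * @uses do_action() Calls 'update_option' hook before updating the option.
  * @uses do_action() Calls 'update_option_$option' and 'updated_option' hooks on success.
  *
- * @param string $option Option name. Expected to not be SQL-escaped
- * @param mixed $newvalue Option value.
+ * @param string $option Option name. Expected to not be SQL-escaped.
+ * @param mixed $newvalue Option value. Expected to not be SQL-escaped.
  * @return bool False if value was not updated and true if value was updated.
  */
 function update_option( $option, $newvalue ) {
@@ -491,9 +490,8 @@
 
         wp_protect_special_option( $option );
 
-        $safe_option = esc_sql( $option );
         $newvalue = sanitize_option( $option, $newvalue );
-        $oldvalue = get_option( $safe_option );
+        $oldvalue = get_option( $option );
         $newvalue = apply_filters( 'pre_update_option_' . $option, $newvalue, $oldvalue );
 
         // If the new and old values are the same, no need to update.
@@ -516,10 +514,10 @@
         if ( ! defined( 'WP_INSTALLING' ) ) {
                 $alloptions = wp_load_alloptions();
                 if ( isset( $alloptions[$option] ) ) {
-                        $alloptions[$option] = $newvalue;
-                        wp_cache_set( 'alloptions', $alloptions, 'options' );
+                        $alloptions[$option] = $_newvalue;
+                        wp_cache_set( 'alloptions', $_alloptions, 'options' );
                 } else {
-                        wp_cache_set( $option, $newvalue, 'options' );
+                        wp_cache_set( $option, $_newvalue, 'options' );
                 }
         }
 
@@ -554,8 +552,8 @@
  * @uses do_action() Calls 'add_option' hook before adding the option.
  * @uses do_action() Calls 'add_option_$option' and 'added_option' hooks on success.
  *
- * @param string $option Name of option to add. Expects to NOT be SQL escaped.
- * @param mixed $value Optional. Option value, can be anything.
+ * @param string $option Name of option to add. Expected to not be SQL-escaped.
+ * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped.
  * @param mixed $deprecated Optional. Description. Not used anymore.
  * @param bool $autoload Optional. Default is enabled. Whether to load the option when WordPress starts up.
  * @return null returns when finished.
@@ -567,13 +565,12 @@
         global $wpdb;
 
         wp_protect_special_option( $option );
-        $safe_option = esc_sql( $option );
         $value = sanitize_option( $option, $value );
 
         // Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query
         $notoptions = wp_cache_get( 'notoptions', 'options' );
         if ( !is_array( $notoptions ) || !isset( $notoptions[$option] ) )
-                if ( false !== get_option( $safe_option ) )
+                if ( false !== get_option( $option ) )
                         return;
 
         $_value = $value;
@@ -617,7 +614,7 @@
  * @uses do_action() Calls 'delete_option' hook before option is deleted.
  * @uses do_action() Calls 'deleted_option' and 'delete_option_$option' hooks on success.
  *
- * @param string $option Name of option to remove.
+ * @param string $option Name of option to remove. Expected to not be SQL-escaped.
  * @return bool True, if option is successfully deleted. False on failure.
  */
 function delete_option( $option ) {
@@ -626,13 +623,11 @@
         wp_protect_special_option( $option );
 
         // Get the ID, if no ID then return
-        // expected_slashed ($option)
-        $row = $wpdb->get_row( "SELECT autoload FROM $wpdb->options WHERE option_name = '$option'" );
+        $row = $wpdb->get_row( $wpdb->prepare( "SELECT autoload FROM $wpdb->options WHERE option_name = '%s'", $option ) );
         if ( is_null( $row ) )
                 return false;
         do_action( 'delete_option', $option );
-        // expected_slashed ($option)
-        $result = $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name = '$option'" );
+        $result = $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->options WHERE option_name = '%s'", $option) );
         if ( ! defined( 'WP_INSTALLING' ) ) {
                 if ( 'yes' == $row->autoload ) {
                         $alloptions = wp_load_alloptions();
@@ -662,7 +657,7 @@
  * @uses do_action() Calls 'delete_transient_$transient' hook before transient is deleted.
  * @uses do_action() Calls 'deleted_transient' hook on success.
  *
- * @param string $transient Transient name. Expected to not be SQL-escaped
+ * @param string $transient Transient name. Expected to not be SQL-escaped.
  * @return bool true if successful, false otherwise
  */
 function delete_transient( $transient ) {
@@ -673,7 +668,7 @@
         if ( $_wp_using_ext_object_cache ) {
                 $result = wp_cache_delete( $transient, 'transient' );
         } else {
-                $option = '_transient_' . esc_sql( $transient );
+                $option = '_transient_' . $transient;
                 $result = delete_option( $option );
         }
 
@@ -711,13 +706,12 @@
         if ( $_wp_using_ext_object_cache ) {
                 $value = wp_cache_get( $transient, 'transient' );
         } else {
-                $safe_transient   = esc_sql( $transient );
-                $transient_option = '_transient_' . $safe_transient;
+                $transient_option = '_transient_' . $transient;
                 if ( ! defined( 'WP_INSTALLING' ) ) {
                         // If option is not in alloptions, it is not autoloaded and thus has a timeout
                         $alloptions = wp_load_alloptions();
                         if ( !isset( $alloptions[$transient_option] ) ) {
-                                $transient_timeout = '_transient_timeout_' . $safe_transient;
+                                $transient_timeout = '_transient_timeout_' . $transient;
                                 if ( get_option( $transient_timeout ) < time() ) {
                                         delete_option( $transient_option  );
                                         delete_option( $transient_timeout );
@@ -746,8 +740,8 @@
  *      transient value to be stored.
  * @uses do_action() Calls 'set_transient_$transient' and 'setted_transient' hooks on success.
  *
- * @param string $transient Transient name. Expected to not be SQL-escaped
- * @param mixed $value Transient value.
+ * @param string $transient Transient name. Expected to not be SQL-escaped.
+ * @param mixed $value Transient value. Expected to not be SQL-escaped.
  * @param int $expiration Time until expiration in seconds, default 0
  * @return bool False if value was not set and true if value was set.
  */
@@ -761,8 +755,7 @@
         } else {
                 $transient_timeout = '_transient_timeout_' . $transient;
                 $transient = '_transient_' . $transient;
-                $safe_transient = esc_sql( $transient );
-                if ( false === get_option( $safe_transient ) ) {
+                if ( false === get_option( $transient ) ) {
                         $autoload = 'yes';
                         if ( $expiration ) {
                                 $autoload = 'no';
@@ -1000,12 +993,9 @@
  * @return mixed A scalar data
  */
 function maybe_serialize( $data ) {
-        if ( is_array( $data ) || is_object( $data ) )
+        if ( !is_scalar( $data ) )
                 return serialize( $data );
 
-        if ( is_serialized( $data ) )
-                return serialize( $data );
-
         return $data;
 }
 
@@ -3384,7 +3374,7 @@
  * @uses apply_filters() Calls 'site_option_$option', after checking the  option, with
  *      the option value.
  *
- * @param string $option Name of option to retrieve. Should already be SQL-escaped
+ * @param string $option Name of option to retrieve. Expected to not be SQL-escaped.
  * @param mixed $default Optional value to return if option doesn't exist. Default false.
  * @param bool $use_cache Whether to use cache. Multisite only. Default true.
  * @return mixed Value set for the option.
@@ -3431,8 +3421,8 @@
  *      option value to be stored.
  * @uses do_action() Calls 'add_site_option_$option' and 'add_site_option' hooks on success.
  *
- * @param string $option Name of option to add. Expects to not be SQL escaped.
- * @param mixed $value Optional. Option value, can be anything.
+ * @param string $option Name of option to add. Expected to not be SQL-escaped.
+ * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped.
  * @return bool False if option was not added and true if option was added.
  */
 function add_site_option( $option, $value ) {
@@ -3475,7 +3465,7 @@
  * @uses do_action() Calls 'delete_site_option' and 'delete_site_option_$option'
  *      hooks on success.
  *
- * @param string $option Name of option to remove. Expected to be SQL-escaped.
+ * @param string $option Name of option to remove. Expected to not be SQL-escaped.
  * @return bool True, if succeed. False, if failure.
  */
 function delete_site_option( $option ) {
@@ -3517,8 +3507,8 @@
  *      option value to be stored.
  * @uses do_action() Calls 'update_site_option_$option' and 'update_site_option' hooks on success.
  *
- * @param string $option Name of option. Expected to not be SQL-escaped
- * @param mixed $value Option value.
+ * @param string $option Name of option. Expected to not be SQL-escaped.
+ * @param mixed $value Option value. Expected to not be SQL-escaped.
  * @return bool False if value was not updated and true if value was updated.
  */
 function update_site_option( $option, $value ) {
@@ -3564,7 +3554,7 @@
  * @uses do_action() Calls 'delete_site_transient_$transient' hook before transient is deleted.
  * @uses do_action() Calls 'deleted_site_transient' hook on success.
  *
- * @param string $transient Transient name. Expected to not be SQL-escaped
+ * @param string $transient Transient name. Expected to not be SQL-escaped.
  * @return bool True if successful, false otherwise
  */
 function delete_site_transient( $transient ) {
@@ -3574,7 +3564,7 @@
         if ( $_wp_using_ext_object_cache ) {
                 $result = wp_cache_delete( $transient, 'site-transient' );
         } else {
-                $option = '_site_transient_' . esc_sql( $transient );
+                $option = '_site_transient_' . $transient;
                 $result = delete_site_option( $option );
         }
         if ( $result )
@@ -3599,7 +3589,7 @@
  * @uses apply_filters() Calls 'site_transient_$option' hook, after checking the transient, with
  *      the transient value.
  *
- * @param string $transient Transient name. Expected to not be SQL-escaped
+ * @param string $transient Transient name. Expected to not be SQL-escaped.
  * @return mixed Value of transient
  */
 function get_site_transient( $transient ) {
@@ -3614,9 +3604,9 @@
         } else {
                 // Core transients that do not have a timeout. Listed here so querying timeouts can be avoided.
                 $no_timeout = array('update_core', 'update_plugins', 'update_themes');
-                $transient_option = '_site_transient_' . esc_sql( $transient );
+                $transient_option = '_site_transient_' . $transient;
                 if ( ! in_array( $transient, $no_timeout ) ) {
-                        $transient_timeout = '_site_transient_timeout_' . esc_sql( $transient );
+                        $transient_timeout = '_site_transient_timeout_' . $transient;
                         $timeout = get_site_option( $transient_timeout );
                         if ( false !== $timeout && $timeout < time() ) {
                                 delete_site_option( $transient_option  );
@@ -3646,8 +3636,8 @@
  *      transient value to be stored.
  * @uses do_action() Calls 'set_site_transient_$transient' and 'setted_site_transient' hooks on success.
  *
- * @param string $transient Transient name. Expected to not be SQL-escaped
- * @param mixed $value Transient value.
+ * @param string $transient Transient name. Expected to not be SQL-escaped.
+ * @param mixed $value Transient value. Expected to not be SQL-escaped.
  * @param int $expiration Time until expiration in seconds, default 0
  * @return bool False if value was not set and true if value was set.
  */
@@ -3661,8 +3651,7 @@
         } else {
                 $transient_timeout = '_site_transient_timeout_' . $transient;
                 $transient = '_site_transient_' . $transient;
-                $safe_transient = esc_sql( $transient );
-                if ( false === get_site_option( $safe_transient ) ) {
+                if ( false === get_site_option( $transient ) ) {
                         if ( $expiration )
                                 add_site_option( $transient_timeout, time() + $expiration );
                         $result = add_site_option( $transient, $value );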
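Review bot: In `maybe_serialize()` the `is_serialized()` branch is removed, so a string that is already in serialized form is now stored unchanged instead of being serialized a second time. If the read path unserializes anything that looks serialized (not visible in this diff), a plain string value would come back as an array or object, which is a type-confusion and object-injection risk for option values that originate from user input; I would keep `if ( is_serialized( $data ) ) return serialize( $data );` with a comment saying why. The `!is_scalar()` test also starts serializing `null` and resources, which the old `is_array() || is_object()` test passed through. Separately, in the `update_option()` cache hunk, `wp_cache_set( 'alloptions', $_alloptions, 'options' );` reads `$_alloptions`, which is not assigned in the visible lines while `$alloptions` is the array just modified; it looks like it should be `$alloptions`. That function's body starts and ends outside the hunk, so the assignment of `$_newvalue` could not be checked either.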
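--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2441,8 +2441,7 @@
 
                 case 'siteurl':
                 case 'home':
-                        $value = stripslashes($value);
-                        $value = esc_url($value);
+                        $value = esc_url_raw($value);
                         break;
                 default :
                         $value = apply_filters("sanitize_option_{$option}", $value, $option);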
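Review bot: Dropping `stripslashes()` on the `siteurl`/`home` branch is only correct if every caller now passes an unslashed value; a caller that still slashes its input would hand the backslashes straight to `esc_url_raw()`. The other `case` arms are outside this hunk, so it is not visible whether they make the same assumption. A one-line comment would record the contract, for example `// $value is expected unslashed; esc_url_raw() cleans it for storage rather than display.`. The enclosing function starts and ends outside the hunk.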