WordPress.org

Make WordPress Core

Ticket #12416: 12416.diff

File 12416.diff, 13.5 KB (added by Denis-de-Bernardy, 11 years ago)

untested

  • wp-includes/theme.php

     
    12001200function get_theme_mod($name, $default = false) {
    12011201        $theme = get_current_theme();
    12021202
    1203         $mods = get_option( esc_sql( "mods_$theme" ) );
     1203        $mods = get_option( "mods_$theme" );
    12041204
    12051205        if ( isset($mods[$name]) )
    12061206                return apply_filters( "theme_mod_$name", $mods[$name] );
  • wp-includes/functions.php

     
    307307 * @uses apply_filters() Calls 'option_$option', after checking the option, with
    308308 *      the option value.
    309309 *
    310  * @param string $option Name of option to retrieve. Should already be SQL-escaped
     310 * @param string $option Name of option to retrieve. Expected to not be SQL-escaped.
    311311 * @return mixed Value set for the option.
    312312 */
    313313function get_option( $option, $default = false ) {
     
    339339                if ( false === $value ) {
    340340                        if ( defined( 'WP_INSTALLING' ) )
    341341                                $suppress = $wpdb->suppress_errors();
    342                         // expected_slashed ($option)
    343                         $row = $wpdb->get_row( "SELECT option_value FROM $wpdb->options WHERE option_name = '$option' LIMIT 1" );
     342                        $row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = '%s' LIMIT 1", $option ) );
    344343                        if ( defined( 'WP_INSTALLING' ) )
    345344                                $wpdb->suppress_errors( $suppress );
    346345
     
    482481 * @uses do_action() Calls 'update_option' hook before updating the option.
    483482 * @uses do_action() Calls 'update_option_$option' and 'updated_option' hooks on success.
    484483 *
    485  * @param string $option Option name. Expected to not be SQL-escaped
    486  * @param mixed $newvalue Option value.
     484 * @param string $option Option name. Expected to not be SQL-escaped.
     485 * @param mixed $newvalue Option value. Expected to not be SQL-escaped.
    487486 * @return bool False if value was not updated and true if value was updated.
    488487 */
    489488function update_option( $option, $newvalue ) {
     
    491490
    492491        wp_protect_special_option( $option );
    493492
    494         $safe_option = esc_sql( $option );
    495493        $newvalue = sanitize_option( $option, $newvalue );
    496         $oldvalue = get_option( $safe_option );
     494        $oldvalue = get_option( $option );
    497495        $newvalue = apply_filters( 'pre_update_option_' . $option, $newvalue, $oldvalue );
    498496
    499497        // If the new and old values are the same, no need to update.
     
    516514        if ( ! defined( 'WP_INSTALLING' ) ) {
    517515                $alloptions = wp_load_alloptions();
    518516                if ( isset( $alloptions[$option] ) ) {
    519                         $alloptions[$option] = $newvalue;
    520                         wp_cache_set( 'alloptions', $alloptions, 'options' );
     517                        $alloptions[$option] = $_newvalue;
     518                        wp_cache_set( 'alloptions', $_alloptions, 'options' );
    521519                } else {
    522                         wp_cache_set( $option, $newvalue, 'options' );
     520                        wp_cache_set( $option, $_newvalue, 'options' );
    523521                }
    524522        }
    525523
     
    554552 * @uses do_action() Calls 'add_option' hook before adding the option.
    555553 * @uses do_action() Calls 'add_option_$option' and 'added_option' hooks on success.
    556554 *
    557  * @param string $option Name of option to add. Expects to NOT be SQL escaped.
    558  * @param mixed $value Optional. Option value, can be anything.
     555 * @param string $option Name of option to add. Expected to not be SQL-escaped.
     556 * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped.
    559557 * @param mixed $deprecated Optional. Description. Not used anymore.
    560558 * @param bool $autoload Optional. Default is enabled. Whether to load the option when WordPress starts up.
    561559 * @return null returns when finished.
     
    567565        global $wpdb;
    568566
    569567        wp_protect_special_option( $option );
    570         $safe_option = esc_sql( $option );
    571568        $value = sanitize_option( $option, $value );
    572569
    573570        // Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query
    574571        $notoptions = wp_cache_get( 'notoptions', 'options' );
    575572        if ( !is_array( $notoptions ) || !isset( $notoptions[$option] ) )
    576                 if ( false !== get_option( $safe_option ) )
     573                if ( false !== get_option( $option ) )
    577574                        return;
    578575
    579576        $_value = $value;
    580577        $value = maybe_serialize( $value );
    581578        $autoload = ( 'no' === $autoload ) ? 'no' : 'yes';
    582         do_action( 'add_option', $option, $value );
     579        do_action( 'add_option', $option, $value ); // potentially serialized
    583580        if ( ! defined( 'WP_INSTALLING' ) ) {
    584581                if ( 'yes' == $autoload ) {
    585582                        $alloptions = wp_load_alloptions();
     
    617614 * @uses do_action() Calls 'delete_option' hook before option is deleted.
    618615 * @uses do_action() Calls 'deleted_option' and 'delete_option_$option' hooks on success.
    619616 *
    620  * @param string $option Name of option to remove.
     617 * @param string $option Name of option to remove. Expected to not be SQL-escaped.
    621618 * @return bool True, if option is successfully deleted. False on failure.
    622619 */
    623620function delete_option( $option ) {
     
    626623        wp_protect_special_option( $option );
    627624
    628625        // Get the ID, if no ID then return
    629         // expected_slashed ($option)
    630         $row = $wpdb->get_row( "SELECT autoload FROM $wpdb->options WHERE option_name = '$option'" );
     626        $row = $wpdb->get_row( $wpdb->prepare( "SELECT autoload FROM $wpdb->options WHERE option_name = '%s'", $option ) );
    631627        if ( is_null( $row ) )
    632628                return false;
    633629        do_action( 'delete_option', $option );
    634         // expected_slashed ($option)
    635         $result = $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name = '$option'" );
     630        $result = $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->options WHERE option_name = '%s'", $option) );
    636631        if ( ! defined( 'WP_INSTALLING' ) ) {
    637632                if ( 'yes' == $row->autoload ) {
    638633                        $alloptions = wp_load_alloptions();
     
    662657 * @uses do_action() Calls 'delete_transient_$transient' hook before transient is deleted.
    663658 * @uses do_action() Calls 'deleted_transient' hook on success.
    664659 *
    665  * @param string $transient Transient name. Expected to not be SQL-escaped
     660 * @param string $transient Transient name. Expected to not be SQL-escaped.
    666661 * @return bool true if successful, false otherwise
    667662 */
    668663function delete_transient( $transient ) {
     
    673668        if ( $_wp_using_ext_object_cache ) {
    674669                $result = wp_cache_delete( $transient, 'transient' );
    675670        } else {
    676                 $option = '_transient_' . esc_sql( $transient );
     671                $option = '_transient_' . $transient;
    677672                $result = delete_option( $option );
    678673        }
    679674
     
    711706        if ( $_wp_using_ext_object_cache ) {
    712707                $value = wp_cache_get( $transient, 'transient' );
    713708        } else {
    714                 $safe_transient   = esc_sql( $transient );
    715                 $transient_option = '_transient_' . $safe_transient;
     709                $transient_option = '_transient_' . $transient;
    716710                if ( ! defined( 'WP_INSTALLING' ) ) {
    717711                        // If option is not in alloptions, it is not autoloaded and thus has a timeout
    718712                        $alloptions = wp_load_alloptions();
    719713                        if ( !isset( $alloptions[$transient_option] ) ) {
    720                                 $transient_timeout = '_transient_timeout_' . $safe_transient;
     714                                $transient_timeout = '_transient_timeout_' . $transient;
    721715                                if ( get_option( $transient_timeout ) < time() ) {
    722716                                        delete_option( $transient_option  );
    723717                                        delete_option( $transient_timeout );
     
    746740 *      transient value to be stored.
    747741 * @uses do_action() Calls 'set_transient_$transient' and 'setted_transient' hooks on success.
    748742 *
    749  * @param string $transient Transient name. Expected to not be SQL-escaped
    750  * @param mixed $value Transient value.
     743 * @param string $transient Transient name. Expected to not be SQL-escaped.
     744 * @param mixed $value Transient value. Expected to not be SQL-escaped.
    751745 * @param int $expiration Time until expiration in seconds, default 0
    752746 * @return bool False if value was not set and true if value was set.
    753747 */
     
    761755        } else {
    762756                $transient_timeout = '_transient_timeout_' . $transient;
    763757                $transient = '_transient_' . $transient;
    764                 $safe_transient = esc_sql( $transient );
    765                 if ( false === get_option( $safe_transient ) ) {
     758                if ( false === get_option( $transient ) ) {
    766759                        $autoload = 'yes';
    767760                        if ( $expiration ) {
    768761                                $autoload = 'no';
     
    1000993 * @return mixed A scalar data
    1001994 */
    1002995function maybe_serialize( $data ) {
    1003         if ( is_array( $data ) || is_object( $data ) )
     996        if ( !is_scalar( $data ) )
    1004997                return serialize( $data );
    1005998
    1006         if ( is_serialized( $data ) )
    1007                 return serialize( $data );
    1008 
    1009999        return $data;
    10101000}
    10111001
     
    33783368 * @uses apply_filters() Calls 'site_option_$option', after checking the  option, with
    33793369 *      the option value.
    33803370 *
    3381  * @param string $option Name of option to retrieve. Should already be SQL-escaped
     3371 * @param string $option Name of option to retrieve. Expected to not be SQL-escaped.
    33823372 * @param mixed $default Optional value to return if option doesn't exist. Default false.
    33833373 * @param bool $use_cache Whether to use cache. Multisite only. Default true.
    33843374 * @return mixed Value set for the option.
     
    34253415 *      option value to be stored.
    34263416 * @uses do_action() Calls 'add_site_option_$option' and 'add_site_option' hooks on success.
    34273417 *
    3428  * @param string $option Name of option to add. Expects to not be SQL escaped.
    3429  * @param mixed $value Optional. Option value, can be anything.
     3418 * @param string $option Name of option to add. Expected to not be SQL-escaped.
     3419 * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped.
    34303420 * @return bool False if option was not added and true if option was added.
    34313421 */
    34323422function add_site_option( $option, $value ) {
     
    34693459 * @uses do_action() Calls 'delete_site_option' and 'delete_site_option_$option'
    34703460 *      hooks on success.
    34713461 *
    3472  * @param string $option Name of option to remove. Expected to be SQL-escaped.
     3462 * @param string $option Name of option to remove. Expected to not be SQL-escaped.
    34733463 * @return bool True, if succeed. False, if failure.
    34743464 */
    34753465function delete_site_option( $option ) {
     
    35113501 *      option value to be stored.
    35123502 * @uses do_action() Calls 'update_site_option_$option' and 'update_site_option' hooks on success.
    35133503 *
    3514  * @param string $option Name of option. Expected to not be SQL-escaped
    3515  * @param mixed $value Option value.
     3504 * @param string $option Name of option. Expected to not be SQL-escaped.
     3505 * @param mixed $value Option value. Expected to not be SQL-escaped.
    35163506 * @return bool False if value was not updated and true if value was updated.
    35173507 */
    35183508function update_site_option( $option, $value ) {
     
    35583548 * @uses do_action() Calls 'delete_site_transient_$transient' hook before transient is deleted.
    35593549 * @uses do_action() Calls 'deleted_site_transient' hook on success.
    35603550 *
    3561  * @param string $transient Transient name. Expected to not be SQL-escaped
     3551 * @param string $transient Transient name. Expected to not be SQL-escaped.
    35623552 * @return bool True if successful, false otherwise
    35633553 */
    35643554function delete_site_transient( $transient ) {
     
    35683558        if ( $_wp_using_ext_object_cache ) {
    35693559                $result = wp_cache_delete( $transient, 'site-transient' );
    35703560        } else {
    3571                 $option = '_site_transient_' . esc_sql( $transient );
     3561                $option = '_site_transient_' . $transient;
    35723562                $result = delete_site_option( $option );
    35733563        }
    35743564        if ( $result )
     
    35933583 * @uses apply_filters() Calls 'site_transient_$option' hook, after checking the transient, with
    35943584 *      the transient value.
    35953585 *
    3596  * @param string $transient Transient name. Expected to not be SQL-escaped
     3586 * @param string $transient Transient name. Expected to not be SQL-escaped.
    35973587 * @return mixed Value of transient
    35983588 */
    35993589function get_site_transient( $transient ) {
     
    36083598        } else {
    36093599                // Core transients that do not have a timeout. Listed here so querying timeouts can be avoided.
    36103600                $no_timeout = array('update_core', 'update_plugins', 'update_themes');
    3611                 $transient_option = '_site_transient_' . esc_sql( $transient );
     3601                $transient_option = '_site_transient_' . $transient;
    36123602                if ( ! in_array( $transient, $no_timeout ) ) {
    3613                         $transient_timeout = '_site_transient_timeout_' . esc_sql( $transient );
     3603                        $transient_timeout = '_site_transient_timeout_' . $transient;
    36143604                        $timeout = get_site_option( $transient_timeout );
    36153605                        if ( false !== $timeout && $timeout < time() ) {
    36163606                                delete_site_option( $transient_option  );
     
    36403630 *      transient value to be stored.
    36413631 * @uses do_action() Calls 'set_site_transient_$transient' and 'setted_site_transient' hooks on success.
    36423632 *
    3643  * @param string $transient Transient name. Expected to not be SQL-escaped
    3644  * @param mixed $value Transient value.
     3633 * @param string $transient Transient name. Expected to not be SQL-escaped.
     3634 * @param mixed $value Transient value. Expected to not be SQL-escaped.
    36453635 * @param int $expiration Time until expiration in seconds, default 0
    36463636 * @return bool False if value was not set and true if value was set.
    36473637 */
     
    36553645        } else {
    36563646                $transient_timeout = '_site_transient_timeout_' . $transient;
    36573647                $transient = '_site_transient_' . $transient;
    3658                 $safe_transient = esc_sql( $transient );
    3659                 if ( false === get_site_option( $safe_transient ) ) {
     3648                if ( false === get_site_option( $transient ) ) {
    36603649                        if ( $expiration )
    36613650                                add_site_option( $transient_timeout, time() + $expiration );
    36623651                        $result = add_site_option( $transient, $value );
  • wp-includes/formatting.php

     
    24412441
    24422442                case 'siteurl':
    24432443                case 'home':
    2444                         $value = stripslashes($value);
    2445                         $value = esc_url($value);
     2444                        $value = esc_url_raw($value);
    24462445                        break;
    24472446                default :
    24482447                        $value = apply_filters("sanitize_option_{$option}", $value, $option);