| | 2203 | * If the passed orderby value is allowed, convert the alias to a properly-prefixed orderby value |
| | 2204 | * |
| | 2205 | * @since 4.0.0 |
| | 2206 | * |
| | 2207 | * @global wpdb $wpdb |
| | 2208 | * @param string $orderby Alias for the field to order by. |
| | 2209 | * @return string Table-prefixed value to used in the ORDER clause. |
| | 2210 | */ |
| | 2211 | protected function parse_orderby( $orderby ) { |
| | 2212 | global $wpdb; |
| | 2213 | |
| | 2214 | // Used to filter values |
| | 2215 | $allowed_keys = array( 'name', 'author', 'date', 'title', 'modified', 'menu_order', 'parent', 'ID', 'rand', 'comment_count', 'type' ); |
| | 2216 | $meta_key = $this->get( 'meta_key' ); |
| | 2217 | if ( ! empty( $meta_key ) ) { |
| | 2218 | $allowed_keys[] = $meta_key; |
| | 2219 | $allowed_keys[] = 'meta_value'; |
| | 2220 | $allowed_keys[] = 'meta_value_num'; |
| | 2221 | } |
| | 2222 | |
| | 2223 | if ( ! in_array( $orderby, $allowed_keys ) ) { |
| | 2224 | return; |
| | 2225 | } |
| | 2226 | |
| | 2227 | switch ( $orderby ) { |
| | 2228 | case 'menu_order': |
| | 2229 | $orderby = "$wpdb->posts.menu_order"; |
| | 2230 | break; |
| | 2231 | case 'ID': |
| | 2232 | $orderby = "$wpdb->posts.ID"; |
| | 2233 | break; |
| | 2234 | case 'rand': |
| | 2235 | $orderby = 'RAND()'; |
| | 2236 | break; |
| | 2237 | case $meta_key: |
| | 2238 | case 'meta_value': |
| | 2239 | $type = $this->get( 'meta_type' ); |
| | 2240 | if ( ! empty( $type ) ) { |
| | 2241 | $meta_type = $this->meta_query->get_cast_for_type( $type ); |
| | 2242 | $orderby = "CAST($wpdb->postmeta.meta_value AS {$meta_type})"; |
| | 2243 | } else { |
| | 2244 | $orderby = "$wpdb->postmeta.meta_value"; |
| | 2245 | } |
| | 2246 | break; |
| | 2247 | case 'meta_value_num': |
| | 2248 | $orderby = "$wpdb->postmeta.meta_value+0"; |
| | 2249 | break; |
| | 2250 | case 'comment_count': |
| | 2251 | $orderby = "$wpdb->posts.comment_count"; |
| | 2252 | break; |
| | 2253 | default: |
| | 2254 | $orderby = "$wpdb->posts.post_" . $orderby; |
| | 2255 | } |
| | 2256 | |
| | 2257 | return $orderby; |
| | 2258 | } |
| | 2259 | |
| | 2260 | /** |
| 2709 | | if ( empty($q['orderby']) ) { |
| 2710 | | $orderby = "$wpdb->posts.post_date " . $q['order']; |
| | 2767 | if ( empty( $q['orderby'] ) ) { |
| | 2768 | // A deliberate empty array blanks out ORDER BY, |
| | 2769 | // while leaving the value unset or otherwise empty sets the default. |
| | 2770 | if ( isset( $q['orderby'] ) |
| | 2771 | && '' !== trim( $q['orderby'] ) |
| | 2772 | && ( false === wp_validate_boolean( $q['orderby'] ) || is_array( $q['orderby'] ) ) |
| | 2773 | ) { |
| | 2774 | $orderby = ''; |
| | 2775 | } else { |
| | 2776 | $orderby = "$wpdb->posts.post_date " . $q['order']; |
| | 2777 | } |
| 2718 | | // Used to filter values |
| 2719 | | $allowed_keys = array( 'name', 'author', 'date', 'title', 'modified', 'menu_order', 'parent', 'ID', 'rand', 'comment_count', 'type' ); |
| 2720 | | if ( !empty($q['meta_key']) ) { |
| 2721 | | $allowed_keys[] = $q['meta_key']; |
| 2722 | | $allowed_keys[] = 'meta_value'; |
| 2723 | | $allowed_keys[] = 'meta_value_num'; |
| 2724 | | } |
| 2725 | | $q['orderby'] = urldecode($q['orderby']); |
| 2726 | | $q['orderby'] = addslashes_gpc($q['orderby']); |
| 2727 | | |
| 2729 | | foreach ( explode( ' ', $q['orderby'] ) as $i => $orderby ) { |
| 2730 | | // Only allow certain values for safety |
| 2731 | | if ( ! in_array($orderby, $allowed_keys) ) |
| 2732 | | continue; |
| | 2786 | if ( is_array( $q['orderby'] ) ) { |
| | 2787 | foreach ( $q['orderby'] as $_orderby => $order ) { |
| | 2788 | $orderby = addslashes_gpc( urldecode( $_orderby ) ); |
| | 2789 | $parsed = $this->parse_orderby( $orderby ); |
| | 2790 | if ( ! $parsed ) { |
| | 2791 | continue; |
| | 2792 | } |
| | 2793 | $orderby_array[] = implode( ' ', array( $parsed, $order ) ); |
| | 2794 | } |
| | 2795 | $orderby = implode( ', ', $orderby_array ); |
| | 2796 | } else { |
| | 2797 | $q['orderby'] = urldecode($q['orderby']); |
| | 2798 | $q['orderby'] = addslashes_gpc($q['orderby']); |
| 2734 | | switch ( $orderby ) { |
| 2735 | | case 'menu_order': |
| 2736 | | $orderby = "$wpdb->posts.menu_order"; |
| 2737 | | break; |
| 2738 | | case 'ID': |
| 2739 | | $orderby = "$wpdb->posts.ID"; |
| 2740 | | break; |
| 2741 | | case 'rand': |
| 2742 | | $orderby = 'RAND()'; |
| 2743 | | break; |
| 2744 | | case $q['meta_key']: |
| 2745 | | case 'meta_value': |
| 2746 | | if ( isset( $q['meta_type'] ) ) { |
| 2747 | | $meta_type = $this->meta_query->get_cast_for_type( $q['meta_type'] ); |
| 2748 | | $orderby = "CAST($wpdb->postmeta.meta_value AS {$meta_type})"; |
| 2749 | | } else { |
| 2750 | | $orderby = "$wpdb->postmeta.meta_value"; |
| 2751 | | } |
| 2752 | | break; |
| 2753 | | case 'meta_value_num': |
| 2754 | | $orderby = "$wpdb->postmeta.meta_value+0"; |
| 2755 | | break; |
| 2756 | | case 'comment_count': |
| 2757 | | $orderby = "$wpdb->posts.comment_count"; |
| 2758 | | break; |
| 2759 | | default: |
| 2760 | | $orderby = "$wpdb->posts.post_" . $orderby; |
| | 2800 | foreach ( explode( ' ', $q['orderby'] ) as $i => $orderby ) { |
| | 2801 | $parsed = $this->parse_orderby( $orderby ); |
| | 2802 | // Only allow certain values for safety |
| | 2803 | if ( ! $parsed ) { |
| | 2804 | continue; |
| | 2805 | } |
| | 2806 | |
| | 2807 | $orderby_array[] = $parsed; |