Ticket #4617: 4617b.diff
File 4617b.diff, 1.2 KB (added by , 17 years ago) |
wp-includes/query.php
1123 1123 $q['orderby'] = 'post_date '.$q['order']; 1124 1124 } else { 1125 1125 // Used to filter values 1126 $allowed_keys = array('author', 'date', 'category', 'title', 'modified', 'menu_order', 'parent', 'ID' );1126 $allowed_keys = array('author', 'date', 'category', 'title', 'modified', 'menu_order', 'parent', 'ID', 'rand'); 1127 1127 $q['orderby'] = urldecode($q['orderby']); 1128 1128 $q['orderby'] = addslashes_gpc($q['orderby']); 1129 1129 $orderby_array = explode(' ',$q['orderby']); … … 1133 1133 for ($i = 0; $i < count($orderby_array); $i++) { 1134 1134 // Only allow certain values for safety 1135 1135 $orderby = $orderby_array[$i]; 1136 if ( !('menu_order' == $orderby || 'ID' == $orderby ))1136 if ( !('menu_order' == $orderby || 'ID' == $orderby || 'rand' == $orderby ) ) 1137 1137 $orderby = 'post_' . $orderby; 1138 if ( 'rand' == $orderby ) 1139 $orderby = 'RAND()'; 1138 1140 if ( in_array($orderby_array[$i], $allowed_keys) ) 1139 1141 $q['orderby'] .= (($i == 0) ? '' : ',') . $orderby; 1140 1142 }
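Review bot: Adding `rand` to `$allowed_keys` and mapping it to `RAND()` in the loop makes an expensive sort selectable through `$q['orderby']`, which the `urldecode()` and `addslashes_gpc()` calls suggest can come from the request. `ORDER BY RAND()` cannot use an index and has to sort every matching row, so on a large posts table repeated requests could become a load concern. If the value is publicly reachable, consider accepting `rand` only from internal callers, or at least record the cost next to the mapping, e.g. `// 'rand' => RAND(): unindexed sort over all matching rows; avoid on publicly reachable queries`. The emitted SQL itself stays constrained, because only the fixed string `RAND()` is appended and `in_array($orderby_array[$i], $allowed_keys)` still gates on the raw token. The enclosing function starts and ends outside these hunks, so where `$q['orderby']` originates is not visible here.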