Ticket #6644: prepared_queries3.diff
| File prepared_queries3.diff, 6.9 KB (added by , 18 years ago) |
wp-includes/comment.php
241 241 242 242 $where = ''; 243 243 if ( $post_id > 0 ) { 244 $where = "WHERE comment_post_ID = {$post_id}";244 $where = $wpdb->prepare("WHERE comment_post_ID = %d", $post_id); 245 245 } 246 246 247 247 $totals = (array) $wpdb->get_results(" … … 379 379 global $wpdb; 380 380 if ( current_user_can( 'manage_options' ) ) 381 381 return; // don't throttle admins 382 if ( $lasttime = $wpdb->get_var( "SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_author_IP = '$ip' OR comment_author_email = '$email' ORDER BY comment_date DESC LIMIT 1") ) {382 if ( $lasttime = $wpdb->get_var( $wpdb->prepare("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_author_IP = %s OR comment_author_email = %s ORDER BY comment_date DESC LIMIT 1", $ip, $email) ) ) { 383 383 $time_lastcomment = mysql2date('U', $lasttime); 384 384 $time_newcomment = mysql2date('U', $date); 385 385 $flood_die = apply_filters('comment_flood_filter', false, $time_lastcomment, $time_newcomment); … … 487 487 488 488 $comment = get_comment($comment_id); 489 489 490 if ( ! $wpdb->query( "DELETE FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1") )490 if ( ! $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->comments WHERE comment_ID = %d LIMIT 1", $comment_id) ) ) 491 491 return false; 492 492 493 493 $post_id = $comment->comment_post_ID; … … 585 585 if ( ! 
isset($user_id) ) 586 586 $user_id = 0; 587 587 588 $result = $wpdb->query( "INSERT INTO $wpdb->comments588 $result = $wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->comments 589 589 (comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_author_IP, comment_date, comment_date_gmt, comment_content, comment_approved, comment_agent, comment_type, comment_parent, user_id) 590 VALUES 591 ('$comment_post_ID', '$comment_author', '$comment_author_email', '$comment_author_url', '$comment_author_IP', '$comment_date', '$comment_date_gmt', '$comment_content', '$comment_approved', '$comment_agent', '$comment_type', '$comment_parent', '$user_id') 592 "); 590 VALUES (%d, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %d, %d)", 591 $comment_post_ID, $comment_author, $comment_author_email, $comment_author_url, $comment_author_IP, $comment_date, $comment_date_gmt, $comment_content, $comment_approved, $comment_agent, $comment_type, $comment_parent, $user_id) ); 593 592 594 593 $id = (int) $wpdb->insert_id; 595 594 … … 714 713 715 714 switch ( $comment_status ) { 716 715 case 'hold': 717 $query = "UPDATE $wpdb->comments SET comment_approved='0' WHERE comment_ID='$comment_id' LIMIT 1";716 $query = $wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='0' WHERE comment_ID = %d LIMIT 1", $comment_id); 718 717 break; 719 718 case 'approve': 720 $query = "UPDATE $wpdb->comments SET comment_approved='1' WHERE comment_ID='$comment_id' LIMIT 1";719 $query = $wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='1' WHERE comment_ID = %d LIMIT 1", $comment_id); 721 720 break; 722 721 case 'spam': 723 $query = "UPDATE $wpdb->comments SET comment_approved='spam' WHERE comment_ID='$comment_id' LIMIT 1";722 $query = $wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='spam' WHERE comment_ID = %d LIMIT 1", $comment_id); 724 723 break; 725 724 case 'delete': 726 725 return wp_delete_comment($comment_id); … … 774 773 775 774 $comment_date_gmt = 
get_gmt_from_date($comment_date); 776 775 777 $wpdb->query( 778 "UPDATE $wpdb->comments SET 779 comment_content = '$comment_content', 780 comment_author = '$comment_author', 781 comment_author_email = '$comment_author_email', 782 comment_approved = '$comment_approved', 783 comment_author_url = '$comment_author_url', 784 comment_date = '$comment_date', 785 comment_date_gmt = '$comment_date_gmt' 786 WHERE comment_ID = $comment_ID" ); 776 $wpdb->query( $wpdb->prepare("UPDATE $wpdb->comments SET 777 comment_content = %s, 778 comment_author = %s, 779 comment_author_email = %s, 780 comment_approved = %s, 781 comment_author_url = %s, 782 comment_date = %s, 783 comment_date_gmt = %s 784 WHERE comment_ID = %d", 785 $comment_content, 786 $comment_author, 787 $comment_author_email, 788 $comment_approved, 789 $comment_author_url, 790 $comment_date, 791 $comment_date_gmt 792 $comment_ID) ); 787 793 788 794 $rval = $wpdb->rows_affected; 789 795 … … 879 885 return false; 880 886 881 887 $old = (int) $post->comment_count; 882 $new = (int) $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = '$post_id' AND comment_approved = '1'");883 $wpdb->query( "UPDATE $wpdb->posts SET comment_count = '$new' WHERE ID = '$post_id'");888 $new = (int) $wpdb->get_var( $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '1'", $post_id) ); 889 $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET comment_count = %d WHERE ID = %d", $new, $post_id) ); 884 890 885 891 if ( 'page' == $post->post_type ) 886 892 clean_page_cache( $post_id ); … … 1008 1014 1009 1015 // Do Enclosures 1010 1016 while ($enclosure = $wpdb->get_row("SELECT * FROM {$wpdb->posts}, {$wpdb->postmeta} WHERE {$wpdb->posts}.ID = {$wpdb->postmeta}.post_id AND {$wpdb->postmeta}.meta_key = '_encloseme' LIMIT 1")) { 1011 $wpdb->query( "DELETE FROM {$wpdb->postmeta} WHERE post_id = {$enclosure->ID} AND meta_key = '_encloseme';");1017 $wpdb->query( 
$wpdb->prepare("DELETE FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = '_encloseme';", $enclosure->ID) ); 1012 1018 do_enclose($enclosure->post_content, $enclosure->ID); 1013 1019 } 1014 1020 … … 1035 1041 function do_trackbacks($post_id) { 1036 1042 global $wpdb; 1037 1043 1038 $post = $wpdb->get_row( "SELECT * FROM $wpdb->posts WHERE ID = $post_id");1044 $post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) ); 1039 1045 $to_ping = get_to_ping($post_id); 1040 1046 $pinged = get_pung($post_id); 1041 1047 if ( empty($to_ping) ) { 1042 $wpdb->query( "UPDATE $wpdb->posts SET to_ping = '' WHERE ID = '$post_id'");1048 $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = '' WHERE ID = %d", $post_id) ); 1043 1049 return; 1044 1050 } 1045 1051 … … 1060 1066 trackback($tb_ping, $post_title, $excerpt, $post_id); 1061 1067 $pinged[] = $tb_ping; 1062 1068 } else { 1063 $wpdb->query( "UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = '$post_id'");1069 $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) ); 1064 1070 } 1065 1071 } 1066 1072 } … … 1225 1231 @fclose($fs); 1226 1232 1227 1233 $tb_url = addslashes( $tb_url ); 1228 $wpdb->query( "UPDATE $wpdb->posts SET pinged = CONCAT(pinged, '\n', '$tb_url') WHERE ID = '$ID'");1229 return $wpdb->query( "UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_url', '')) WHERE ID = '$ID'");1234 $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET pinged = CONCAT(pinged, '\n', '$tb_url') WHERE ID = %d", $ID) ); 1235 return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_url', '')) WHERE ID = %d", $ID) ); 1230 1236 } 1231 1237 1232 1238 /**
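Review bot: The rewritten UPDATE in wp_update_comment (new lines 776–792) is missing a comma in the argument list after `$comment_date_gmt` (new line 791), so `$comment_date_gmt $comment_ID) );` is a parse error that will take the whole file down; the fix is the one line `$comment_date_gmt,`. The trackback hunks at new lines 1069, 1234 and 1235 only half-convert the query: `$tb_ping` and `$tb_url` are still interpolated into the format string handed to `$wpdb->prepare()`, so they rely on the remaining `addslashes()` at 1233 and, since prepare runs a printf-style substitution, any literal `%` in a URL (for example a percent-encoded path) would be read as a format directive and corrupt or break the statement — they belong in the argument list, e.g. `"UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d", $tb_url, $ID`. For the INSERT at new lines 588–591 it is worth confirming that the callers of wp_insert_comment no longer pass pre-slashed values, since prepare escapes its `%s` arguments itself and already-slashed input would be stored double-escaped. Every hunk here is a partial function body whose start and end lie outside the diff.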