

Ticket #6644: prepared_queries3.diff

File prepared_queries3.diff, 6.9 KB (added by filosofo, 10 years ago)
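--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -241,7 +241,7 @@
 
         $where = '';
         if ( $post_id > 0 ) {
-                $where = "WHERE comment_post_ID = {$post_id}";
+                $where = $wpdb->prepare("WHERE comment_post_ID = %d", $post_id);
         }
 
         $totals = (array) $wpdb->get_results("
@@ -379,7 +379,7 @@
         global $wpdb;
         if ( current_user_can( 'manage_options' ) )
                 return; // don't throttle admins
-        if ( $lasttime = $wpdb->get_var("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_author_IP = '$ip' OR comment_author_email = '$email' ORDER BY comment_date DESC LIMIT 1") ) {
+        if ( $lasttime = $wpdb->get_var( $wpdb->prepare("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_author_IP = %s OR comment_author_email = %s ORDER BY comment_date DESC LIMIT 1", $ip, $email) ) ) {
                 $time_lastcomment = mysql2date('U', $lasttime);
                 $time_newcomment  = mysql2date('U', $date);
                 $flood_die = apply_filters('comment_flood_filter', false, $time_lastcomment, $time_newcomment);
@@ -487,7 +487,7 @@
 
         $comment = get_comment($comment_id);
 
-        if ( ! $wpdb->query("DELETE FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1") )
+        if ( ! $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->comments WHERE comment_ID = %d LIMIT 1", $comment_id) ) )
                 return false;
 
         $post_id = $comment->comment_post_ID;
@@ -585,11 +585,10 @@
         if ( ! isset($user_id) )
                 $user_id = 0;
 
-        $result = $wpdb->query("INSERT INTO $wpdb->comments
+        $result = $wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->comments
         (comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_author_IP, comment_date, comment_date_gmt, comment_content, comment_approved, comment_agent, comment_type, comment_parent, user_id)
-        VALUES
-        ('$comment_post_ID', '$comment_author', '$comment_author_email', '$comment_author_url', '$comment_author_IP', '$comment_date', '$comment_date_gmt', '$comment_content', '$comment_approved', '$comment_agent', '$comment_type', '$comment_parent', '$user_id')
-        ");
+        VALUES (%d, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %d, %d)",
+        $comment_post_ID, $comment_author, $comment_author_email, $comment_author_url, $comment_author_IP, $comment_date, $comment_date_gmt, $comment_content, $comment_approved, $comment_agent, $comment_type, $comment_parent, $user_id) );
 
         $id = (int) $wpdb->insert_id;
 
@@ -714,13 +713,13 @@
 
         switch ( $comment_status ) {
                 case 'hold':
-                        $query = "UPDATE $wpdb->comments SET comment_approved='0' WHERE comment_ID='$comment_id' LIMIT 1";
+                        $query = $wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='0' WHERE comment_ID = %d LIMIT 1", $comment_id);
                         break;
                 case 'approve':
-                        $query = "UPDATE $wpdb->comments SET comment_approved='1' WHERE comment_ID='$comment_id' LIMIT 1";
+                        $query = $wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='1' WHERE comment_ID = %d LIMIT 1", $comment_id);
                         break;
                 case 'spam':
-                        $query = "UPDATE $wpdb->comments SET comment_approved='spam' WHERE comment_ID='$comment_id' LIMIT 1";
+                        $query = $wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='spam' WHERE comment_ID = %d LIMIT 1", $comment_id);
                         break;
                 case 'delete':
                         return wp_delete_comment($comment_id);
@@ -774,16 +773,23 @@
 
         $comment_date_gmt = get_gmt_from_date($comment_date);
 
-        $wpdb->query(
-                "UPDATE $wpdb->comments SET
-                        comment_content      = '$comment_content',
-                        comment_author       = '$comment_author',
-                        comment_author_email = '$comment_author_email',
-                        comment_approved     = '$comment_approved',
-                        comment_author_url   = '$comment_author_url',
-                        comment_date         = '$comment_date',
-                        comment_date_gmt     = '$comment_date_gmt'
-                WHERE comment_ID = $comment_ID" );
+        $wpdb->query( $wpdb->prepare("UPDATE $wpdb->comments SET
+                        comment_content      = %s,
+                        comment_author       = %s,
+                        comment_author_email = %s,
+                        comment_approved     = %s,
+                        comment_author_url   = %s,
+                        comment_date         = %s,
+                        comment_date_gmt     = %s
+                WHERE comment_ID = %d",
+                        $comment_content,
+                        $comment_author,
+                        $comment_author_email,
+                        $comment_approved,
+                        $comment_author_url,
+                        $comment_date,
+                        $comment_date_gmt
+                        $comment_ID) );
 
         $rval = $wpdb->rows_affected;
 
@@ -879,8 +885,8 @@
                 return false;
 
         $old = (int) $post->comment_count;
-        $new = (int) $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = '$post_id' AND comment_approved = '1'");
-        $wpdb->query("UPDATE $wpdb->posts SET comment_count = '$new' WHERE ID = '$post_id'");
+        $new = (int) $wpdb->get_var( $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '1'", $post_id) );
+        $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET comment_count = %d WHERE ID = %d", $new, $post_id) );
 
         if ( 'page' == $post->post_type )
                 clean_page_cache( $post_id );
@@ -1008,7 +1014,7 @@
 
         // Do Enclosures
         while ($enclosure = $wpdb->get_row("SELECT * FROM {$wpdb->posts}, {$wpdb->postmeta} WHERE {$wpdb->posts}.ID = {$wpdb->postmeta}.post_id AND {$wpdb->postmeta}.meta_key = '_encloseme' LIMIT 1")) {
-                $wpdb->query("DELETE FROM {$wpdb->postmeta} WHERE post_id = {$enclosure->ID} AND meta_key = '_encloseme';");
+                $wpdb->query( $wpdb->prepare("DELETE FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = '_encloseme';", $enclosure->ID) );
                 do_enclose($enclosure->post_content, $enclosure->ID);
         }
 
@@ -1035,11 +1041,11 @@
 function do_trackbacks($post_id) {
         global $wpdb;
 
-        $post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = $post_id");
+        $post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) );
         $to_ping = get_to_ping($post_id);
         $pinged  = get_pung($post_id);
         if ( empty($to_ping) ) {
-                $wpdb->query("UPDATE $wpdb->posts SET to_ping = '' WHERE ID = '$post_id'");
+                $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = '' WHERE ID = %d", $post_id) );
                 return;
         }
 
@@ -1060,7 +1066,7 @@
                                 trackback($tb_ping, $post_title, $excerpt, $post_id);
                                 $pinged[] = $tb_ping;
                         } else {
-                                $wpdb->query("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = '$post_id'");
+                                $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) );
                         }
                 }
         }
@@ -1225,8 +1231,8 @@
         @fclose($fs);
 
         $tb_url = addslashes( $tb_url );
-        $wpdb->query("UPDATE $wpdb->posts SET pinged = CONCAT(pinged, '\n', '$tb_url') WHERE ID = '$ID'");
-        return $wpdb->query("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_url', '')) WHERE ID = '$ID'");
+        $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET pinged = CONCAT(pinged, '\n', '$tb_url') WHERE ID = %d", $ID) );
+        return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_url', '')) WHERE ID = %d", $ID) );
 }
 
 /**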
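Review bot: The argument list of the `$wpdb->prepare()` call in the comment-update hunk (new lines 776–792) is missing a comma between `$comment_date_gmt` and `$comment_ID`, so the patched file does not parse; that line should read `$comment_date_gmt,`. The hunks in `do_trackbacks()` (new line 1069) and at new lines 1234–1235 still interpolate `$tb_ping` and `$tb_url` directly into the format string handed to `prepare()`, which means any `%` in those values is read as a placeholder and `$tb_ping` in particular receives no escaping at all; pass them as `%s` arguments instead, e.g. `$wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d", $tb_ping, $post_id)`. If `$tb_url` becomes a `%s` argument, the `addslashes( $tb_url )` on new line 1233 should be dropped, since `prepare()` escapes its arguments itself. The functions these hunks belong to start and end outside the hunks.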