

Ticket #6644: prepared_queries3.diff

File prepared_queries3.diff, 6.9 KB (added by filosofo, 6 years ago)
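--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -241,7 +241,7 @@
 
        $where = '';
        if ( $post_id > 0 ) {
-               $where = "WHERE comment_post_ID = {$post_id}";
+               $where = $wpdb->prepare("WHERE comment_post_ID = %d", $post_id);
        }
 
        $totals = (array) $wpdb->get_results("
@@ -379,7 +379,7 @@
        global $wpdb;
        if ( current_user_can( 'manage_options' ) )
                return; // don't throttle admins
-       if ( $lasttime = $wpdb->get_var("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_author_IP = '$ip' OR comment_author_email = '$email' ORDER BY comment_date DESC LIMIT 1") ) {
+       if ( $lasttime = $wpdb->get_var( $wpdb->prepare("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_author_IP = %s OR comment_author_email = %s ORDER BY comment_date DESC LIMIT 1", $ip, $email) ) ) {
                $time_lastcomment = mysql2date('U', $lasttime);
                $time_newcomment  = mysql2date('U', $date);
                $flood_die = apply_filters('comment_flood_filter', false, $time_lastcomment, $time_newcomment);
@@ -487,7 +487,7 @@
 
        $comment = get_comment($comment_id);
 
-       if ( ! $wpdb->query("DELETE FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1") )
+       if ( ! $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->comments WHERE comment_ID = %d LIMIT 1", $comment_id) ) )
                return false;
 
        $post_id = $comment->comment_post_ID;
@@ -585,11 +585,10 @@
        if ( ! isset($user_id) )
                $user_id = 0;
 
-       $result = $wpdb->query("INSERT INTO $wpdb->comments
+       $result = $wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->comments
        (comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_author_IP, comment_date, comment_date_gmt, comment_content, comment_approved, comment_agent, comment_type, comment_parent, user_id)
-       VALUES
-       ('$comment_post_ID', '$comment_author', '$comment_author_email', '$comment_author_url', '$comment_author_IP', '$comment_date', '$comment_date_gmt', '$comment_content', '$comment_approved', '$comment_agent', '$comment_type', '$comment_parent', '$user_id')
-       ");
+       VALUES (%d, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %d, %d)",
+       $comment_post_ID, $comment_author, $comment_author_email, $comment_author_url, $comment_author_IP, $comment_date, $comment_date_gmt, $comment_content, $comment_approved, $comment_agent, $comment_type, $comment_parent, $user_id) );
 
        $id = (int) $wpdb->insert_id;
 
@@ -714,13 +713,13 @@
 
        switch ( $comment_status ) {
                case 'hold':
-                       $query = "UPDATE $wpdb->comments SET comment_approved='0' WHERE comment_ID='$comment_id' LIMIT 1";
+                       $query = $wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='0' WHERE comment_ID = %d LIMIT 1", $comment_id);
                        break;
                case 'approve':
-                       $query = "UPDATE $wpdb->comments SET comment_approved='1' WHERE comment_ID='$comment_id' LIMIT 1";
+                       $query = $wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='1' WHERE comment_ID = %d LIMIT 1", $comment_id);
                        break;
                case 'spam':
-                       $query = "UPDATE $wpdb->comments SET comment_approved='spam' WHERE comment_ID='$comment_id' LIMIT 1";
+                       $query = $wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='spam' WHERE comment_ID = %d LIMIT 1", $comment_id);
                        break;
                case 'delete':
                        return wp_delete_comment($comment_id);
@@ -774,16 +773,23 @@
 
        $comment_date_gmt = get_gmt_from_date($comment_date);
 
-       $wpdb->query(
-               "UPDATE $wpdb->comments SET
-                       comment_content      = '$comment_content',
-                       comment_author       = '$comment_author',
-                       comment_author_email = '$comment_author_email',
-                       comment_approved     = '$comment_approved',
-                       comment_author_url   = '$comment_author_url',
-                       comment_date         = '$comment_date',
-                       comment_date_gmt     = '$comment_date_gmt'
-               WHERE comment_ID = $comment_ID" );
+       $wpdb->query( $wpdb->prepare("UPDATE $wpdb->comments SET
+                       comment_content      = %s,
+                       comment_author       = %s,
+                       comment_author_email = %s,
+                       comment_approved     = %s,
+                       comment_author_url   = %s,
+                       comment_date         = %s,
+                       comment_date_gmt     = %s
+               WHERE comment_ID = %d",
+                       $comment_content,
+                       $comment_author,
+                       $comment_author_email,
+                       $comment_approved,
+                       $comment_author_url,
+                       $comment_date,
+                       $comment_date_gmt
+                       $comment_ID) );
 
        $rval = $wpdb->rows_affected;
 
@@ -879,8 +885,8 @@
                return false;
 
        $old = (int) $post->comment_count;
-       $new = (int) $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = '$post_id' AND comment_approved = '1'");
-       $wpdb->query("UPDATE $wpdb->posts SET comment_count = '$new' WHERE ID = '$post_id'");
+       $new = (int) $wpdb->get_var( $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '1'", $post_id) );
+       $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET comment_count = %d WHERE ID = %d", $new, $post_id) );
 
        if ( 'page' == $post->post_type )
                clean_page_cache( $post_id );
@@ -1008,7 +1014,7 @@
 
        // Do Enclosures
        while ($enclosure = $wpdb->get_row("SELECT * FROM {$wpdb->posts}, {$wpdb->postmeta} WHERE {$wpdb->posts}.ID = {$wpdb->postmeta}.post_id AND {$wpdb->postmeta}.meta_key = '_encloseme' LIMIT 1")) {
-               $wpdb->query("DELETE FROM {$wpdb->postmeta} WHERE post_id = {$enclosure->ID} AND meta_key = '_encloseme';");
+               $wpdb->query( $wpdb->prepare("DELETE FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = '_encloseme';", $enclosure->ID) );
                do_enclose($enclosure->post_content, $enclosure->ID);
        }
 
@@ -1035,11 +1041,11 @@
 function do_trackbacks($post_id) {
        global $wpdb;
 
-       $post = $wpdb->get_row("SELECT * FROM $wpdb->posts WHERE ID = $post_id");
+       $post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) );
        $to_ping = get_to_ping($post_id);
        $pinged  = get_pung($post_id);
        if ( empty($to_ping) ) {
-               $wpdb->query("UPDATE $wpdb->posts SET to_ping = '' WHERE ID = '$post_id'");
+               $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = '' WHERE ID = %d", $post_id) );
                return;
        }
 
@@ -1060,7 +1066,7 @@
                                trackback($tb_ping, $post_title, $excerpt, $post_id);
                                $pinged[] = $tb_ping;
                        } else {
-                               $wpdb->query("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = '$post_id'");
+                               $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) );
                        }
                }
        }
@@ -1225,8 +1231,8 @@
        @fclose($fs);
 
        $tb_url = addslashes( $tb_url );
-       $wpdb->query("UPDATE $wpdb->posts SET pinged = CONCAT(pinged, '\n', '$tb_url') WHERE ID = '$ID'");
-       return $wpdb->query("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_url', '')) WHERE ID = '$ID'");
+       $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET pinged = CONCAT(pinged, '\n', '$tb_url') WHERE ID = %d", $ID) );
+       return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_url', '')) WHERE ID = %d", $ID) );
 }
 
 /**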
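Review bot: The argument list in the wp_update_comment hunk is missing a comma after `$comment_date_gmt` (new line 791), so `$comment_date_gmt $comment_ID` is a parse error that would stop comment.php from loading at all; the line should read `$comment_date_gmt,`. The do_trackbacks and trackback hunks (new lines 1069, 1234 and 1235) still interpolate `$tb_ping` and `$tb_url` into the format string handed to prepare(), so those values are not parameterised and a literal `%` in them would be read as a format directive; bind them as placeholders instead, e.g. `$wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d", $tb_url, $ID)`. Once `$tb_url` is bound that way, the `addslashes( $tb_url )` on line 1233 presumably double-escapes the value and should be dropped. The functions enclosing these hunks start outside the lines shown.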