Ticket #6644: prepared_queries4.diff
| File prepared_queries4.diff, 3.1 KB (added by , 18 years ago) |
|---|
-
wp-includes/user.php
57 57 global $wpdb; 58 58 if ( !$user ) 59 59 $user = $wpdb->escape($_COOKIE[USER_COOKIE]); 60 return $wpdb->get_var( "SELECT $field FROM $wpdb->users WHERE user_login = '$user'");60 return $wpdb->get_var( $wpdb->prepare("SELECT $field FROM $wpdb->users WHERE user_login = %s", $user) ); 61 61 } 62 62 63 63 function get_usernumposts($userid) { 64 64 global $wpdb; 65 65 $userid = (int) $userid; 66 return $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->posts WHERE post_author = '$userid' AND post_type = 'post' AND ". get_private_posts_cap_sql('post'));66 return $wpdb->get_var( $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->posts WHERE post_author = %d AND post_type = 'post' AND ", $userid) . get_private_posts_cap_sql('post')); 67 67 } 68 68 69 69 // TODO: xmlrpc only. Maybe move to xmlrpc.php. … … 130 130 $meta_value = trim( $meta_value ); 131 131 132 132 if ( ! empty($meta_value) ) 133 $wpdb->query( "DELETE FROM $wpdb->usermeta WHERE user_id = '$user_id' AND meta_key = '$meta_key' AND meta_value = '$meta_value'");133 $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->usermeta WHERE user_id = %d AND meta_key = %s AND meta_value = %s", $userid, $meta_key, $meta_value) ); 134 134 else 135 $wpdb->query( "DELETE FROM $wpdb->usermeta WHERE user_id = '$user_id' AND meta_key = '$meta_key'");135 $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->usermeta WHERE user_id = %d AND meta_key = %s", $user_id, $meta_key) ); 136 136 137 137 wp_cache_delete($user_id, 'users'); 138 138 … … 148 148 149 149 if ( !empty($meta_key) ) { 150 150 $meta_key = preg_replace('|[^a-z0-9_]|i', '', $meta_key); 151 $metas = $wpdb->get_results( "SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id' AND meta_key = '$meta_key'");151 $metas = $wpdb->get_results( $wpdb->prepare("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = %d AND meta_key = %s", $user_id, $meta_key) ); 152 152 } else { 153 $metas = $wpdb->get_results( "SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = '$user_id'");153 $metas = $wpdb->get_results( $wpdb->prepare("SELECT meta_key, meta_value FROM $wpdb->usermeta WHERE user_id = %d", $user_id) ); 154 154 } 155 155 156 156 if ( empty($metas) ) { … … 185 185 return delete_usermeta($user_id, $meta_key); 186 186 } 187 187 188 $cur = $wpdb->get_row( "SELECT * FROM $wpdb->usermeta WHERE user_id = '$user_id' AND meta_key = '$meta_key'");188 $cur = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->usermeta WHERE user_id = %d AND meta_key = %d", $user_id, $meta_key) ); 189 189 if ( !$cur ) { 190 190 $wpdb->query("INSERT INTO $wpdb->usermeta ( user_id, meta_key, meta_value ) 191 191 VALUES 192 192 ( '$user_id', '$meta_key', '$meta_value' )"); 193 193 } else if ( $cur->meta_value != $meta_value ) { 194 $wpdb->query( "UPDATE $wpdb->usermeta SET meta_value = '$meta_value' WHERE user_id = '$user_id' AND meta_key = '$meta_key'");194 $wpdb->query( $wpdb->prepare("UPDATE $wpdb->usermeta SET meta_value = %s WHERE user_id = %d AND meta_key = %s", $meta_value, $user_id, $meta_key) ); 195 195 } else { 196 196 return false; 197 197 }