
Ticket #6644: prepared_queries5.diff

File prepared_queries5.diff, 3.4 KB (added by filosofo, 10 years ago)
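--- a/xmlrpc.php
+++ b/xmlrpc.php
@@ -1352,7 +1352,7 @@
                 if( is_array( $attachments ) ) {
                         foreach( $attachments as $file ) {
                                 if( strpos( $post_content, $file->guid ) !== false ) {
-                                        $wpdb->query( "UPDATE {$wpdb->posts} SET post_parent = '$post_ID' WHERE ID = '{$file->ID}'" );
+                                        $wpdb->query( $wpdb->prepare("UPDATE {$wpdb->posts} SET post_parent = %d WHERE ID = %d", $post_ID, $file->ID) );
                                 }
                         }
                 }
@@ -2093,7 +2093,7 @@
                         return new IXR_Error(404, __('Sorry, no such post.'));
                 }
 
-                $comments = $wpdb->get_results("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = $post_ID");
+                $comments = $wpdb->get_results( $wpdb->prepare("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = %d", $post_ID) );
 
                 if (!$comments) {
                         return array();
@@ -2206,7 +2206,7 @@
                         } elseif (is_string($urltest['fragment'])) {
                                 // ...or a string #title, a little more complicated
                                 $title = preg_replace('/[^a-z0-9]/i', '.', $urltest['fragment']);
-                                $sql = "SELECT ID FROM $wpdb->posts WHERE post_title RLIKE '$title'";
+                                $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", $title);
                                 if (! ($post_ID = $wpdb->get_var($sql)) ) {
                                         // returning unknown error '0' is better than die()ing
                                         return new IXR_Error(0, '');
@@ -2235,7 +2235,7 @@
                         return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.'));
 
                 // Let's check that the remote site didn't already pingback this entry
-                $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post_ID' AND comment_author_url = '$pagelinkedfrom'");
+                $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) );
 
                 if ( $wpdb->num_rows ) // We already have a Pingback from this URL
                         return new IXR_Error(48, __('The pingback has already been registered.'));
@@ -2344,7 +2344,7 @@
                         return new IXR_Error(32, __('The specified target URL does not exist.'));
                 }
 
-                $comments = $wpdb->get_results("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = $post_ID");
+                $comments = $wpdb->get_results( $wpdb->prepare("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = %d", $post_ID) );
 
                 if (!$comments) {
                         return array();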
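Review bot: In the RLIKE hunk (new line 2209), `$wpdb->prepare()`'s `%s` quotes and SQL-escapes `$title` but does nothing about regex metacharacters, so the statement is only safe because the preceding `preg_replace('/[^a-z0-9]/i', '.', ...)` has already reduced the fragment to `[a-z0-9.]`; that dependency should be stated next to the prepare call, e.g. `// $title is already restricted to [a-z0-9.] by the preg_replace above; prepare() escapes for SQL, not for RLIKE.` The `.` substitutions also make this a substring regex match rather than an exact title match, which is pre-existing behaviour but worth a word in the same comment. The prepared query at new lines 2096 and 2347 is byte-identical in two methods and could share a helper, though that is outside this patch's scope. Each enclosing method starts and ends outside its hunk.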
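--- a/wp-trackback.php
+++ b/wp-trackback.php
@@ -86,7 +86,7 @@
         $comment_content = "<strong>$title</strong>\n\n$excerpt";
         $comment_type = 'trackback';
 
-        $dupe = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_author_url = '$comment_author_url'");
+        $dupe = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $comment_post_ID, $comment_author_url) );
         if ( $dupe )
                 trackback_response(1, 'We already have a ping from that URL for this post.');
 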
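Review bot: The new line 89 still fetches every column of every matching row with `SELECT *` and `get_results()` only to test `if ( $dupe )`; an existence check is clearer and cheaper as `$dupe = $wpdb->get_var( $wpdb->prepare("SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s LIMIT 1", $comment_post_ID, $comment_author_url) );` with the `if ( $dupe )` unchanged. The same pattern appears in xmlrpc.php at new line 2238, where the result is discarded and only `$wpdb->num_rows` is read. Where `$comment_post_ID` and `$comment_author_url` are validated is outside this hunk, so the `%d` coercion and `%s` escaping here are presumably the first hard boundary for those values — worth confirming against the code above. The enclosing scope starts and ends outside the hunk.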