

Ticket #6644: prepared_queries5.diff

File prepared_queries5.diff, 3.4 KB (added by filosofo, 6 years ago)
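--- a/xmlrpc.php
+++ b/xmlrpc.php
@@ -1352,7 +1352,7 @@
                 if( is_array( $attachments ) ) {
                         foreach( $attachments as $file ) {
                                 if( strpos( $post_content, $file->guid ) !== false ) {
-                                        $wpdb->query( "UPDATE {$wpdb->posts} SET post_parent = '$post_ID' WHERE ID = '{$file->ID}'" );
+                                        $wpdb->query( $wpdb->prepare("UPDATE {$wpdb->posts} SET post_parent = %d WHERE ID = %d", $post_ID, $file->ID) );
                                 }
                         }
                 }
@@ -2093,7 +2093,7 @@
                         return new IXR_Error(404, __('Sorry, no such post.'));
                 }
 
-                $comments = $wpdb->get_results("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = $post_ID");
+                $comments = $wpdb->get_results( $wpdb->prepare("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = %d", $post_ID) );
 
                 if (!$comments) {
                         return array();
@@ -2206,7 +2206,7 @@
                         } elseif (is_string($urltest['fragment'])) {
                                 // ...or a string #title, a little more complicated
                                 $title = preg_replace('/[^a-z0-9]/i', '.', $urltest['fragment']);
-                                $sql = "SELECT ID FROM $wpdb->posts WHERE post_title RLIKE '$title'";
+                                $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", $title);
                                 if (! ($post_ID = $wpdb->get_var($sql)) ) {
                                         // returning unknown error '0' is better than die()ing
                                         return new IXR_Error(0, '');
@@ -2235,7 +2235,7 @@
                         return new IXR_Error(33, __('The specified target URL cannot be used as a target. It either doesn\'t exist, or it is not a pingback-enabled resource.'));
 
                 // Let's check that the remote site didn't already pingback this entry
-                $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post_ID' AND comment_author_url = '$pagelinkedfrom'");
+                $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $post_ID, $pagelinkedfrom) );
 
                 if ( $wpdb->num_rows ) // We already have a Pingback from this URL
                         return new IXR_Error(48, __('The pingback has already been registered.'));
@@ -2344,7 +2344,7 @@
                         return new IXR_Error(32, __('The specified target URL does not exist.'));
                 }
 
-                $comments = $wpdb->get_results("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = $post_ID");
+                $comments = $wpdb->get_results( $wpdb->prepare("SELECT comment_author_url, comment_content, comment_author_IP, comment_type FROM $wpdb->comments WHERE comment_post_ID = %d", $post_ID) );
 
                 if (!$comments) {
                         return array();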
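Review bot: The `%s` in the new RLIKE query at line 2209 only takes care of SQL quoting; the value is still handed to MySQL as a regular expression, so the only thing keeping that pattern bounded is the `preg_replace('/[^a-z0-9]/i', '.', ...)` on the line above, which leaves an unanchored pattern in which every `.` is a wildcard. That dependency is invisible to a later maintainer who might relax the character class or move the two lines apart, so I would pin it with a comment on the prepare line: `// prepare() only escapes the SQL string; the pattern itself reaches the regex engine, so the preg_replace above must keep it to [a-z0-9.]`. The enclosing function starts and ends outside the hunk, so where `$urltest['fragment']` originates cannot be confirmed from here, though it appears to be a parsed URL fragment supplied by the caller.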
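--- a/wp-trackback.php
+++ b/wp-trackback.php
@@ -86,7 +86,7 @@
         $comment_content = "<strong>$title</strong>\n\n$excerpt";
         $comment_type = 'trackback';
 
-        $dupe = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_author_url = '$comment_author_url'");
+        $dupe = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $comment_post_ID, $comment_author_url) );
         if ( $dupe )
                 trackback_response(1, 'We already have a ping from that URL for this post.');
 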
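Review bot: The rebuilt duplicate check at line 89 still issues `SELECT *` and materialises every matching comment row (and caches it in the wpdb object) only to test whether `$dupe` is non-empty; an existence query does the same job with less work: `$dupe = $wpdb->get_var( $wpdb->prepare("SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s LIMIT 1", $comment_post_ID, $comment_author_url) );`. The `if ( $dupe )` on the following line keeps working unchanged, since a found comment_ID is non-zero and get_var returns null when nothing matches. The assignments of `$comment_post_ID` and `$comment_author_url` are outside the hunk, so I cannot confirm here what validation they have received; note that `%d`/`%s` cover SQL quoting only, not URL normalisation, so two spellings of the same source URL would still pass this check as they did before.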