
Ticket #6644: prepared_queries6.diff

File prepared_queries6.diff, 3.1 KB (added by filosofo, 14 years ago)
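--- a/wp-admin/update-links.php
+++ b/wp-admin/update-links.php
@@ -36,9 +36,9 @@
 	$returns = explode("\n", $body);
 
 	foreach ($returns as $return) :
-		$time = $wpdb->escape( substr($return, 0, 19) );
-		$uri = $wpdb->escape( preg_replace('/(.*?) | (.*?)/', '$2', $return) );
-		$wpdb->query("UPDATE $wpdb->links SET link_updated = '$time' WHERE link_url = '$uri'");
+		$time = substr($return, 0, 19);
+		$uri = preg_replace('/(.*?) | (.*?)/', '$2', $return);
+		$wpdb->query( $wpdb->prepare("UPDATE $wpdb->links SET link_updated = %s WHERE link_url = %s", $time, $uri) );
 	endforeach;
 }
 ?>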
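Review bot: The new loop still issues an UPDATE for every element of `$returns`, including the empty trailing element that `explode("\n", $body)` yields, and `$time` is written to `link_updated` without any check that it has a datetime shape; `prepare()` stops injection but not malformed values reaching the column. I would guard the body with `if ( '' === trim( $return ) ) continue;` before the `substr` and, since `$body` appears to be a fetched response, validate `$time` against the expected `YYYY-MM-DD HH:MM:SS` form before querying. Dropping the two `$wpdb->escape()` calls is the right move here, because `prepare()` escapes its arguments itself and keeping both would double-escape them. The enclosing function starts outside the hunk.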
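--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -12,8 +12,7 @@
 	$comments_deleted = $comments_approved = $comments_unapproved = $comments_spammed = 0;
 	foreach ($_REQUEST['delete_comments'] as $comment) : // Check the permissions on each
 		$comment = (int) $comment;
-		$post_id = (int) $wpdb->get_var("SELECT comment_post_ID FROM $wpdb->comments WHERE comment_ID = $comment");
-		// $authordata = get_userdata( $wpdb->get_var("SELECT post_author FROM $wpdb->posts WHERE ID = $post_id") );
+		$post_id = (int) $wpdb->get_var( $wpdb->prepare( "SELECT comment_post_ID FROM $wpdb->comments WHERE comment_ID = %d", $comment) );
 		if ( !current_user_can('edit_post', $post_id) )
 			continue;
 		if ( !empty( $_REQUEST['spamit'] ) ) {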
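Review bot: The prepared lookup returns NULL for a comment ID that does not exist, which the `(int)` cast turns into post ID 0, so whether such IDs are skipped depends entirely on `current_user_can('edit_post', 0)` failing; I would make that explicit with `if ( ! $post_id ) continue;` right after the new line. The `%d` placeholder matches the `(int)` cast on the line above it, so the placeholder choice is correct. The surrounding `foreach` body and whatever nonce or capability check precedes it start and end outside the hunk, so the bulk-action authorization itself is not visible here.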
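--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -15,7 +15,7 @@
 
 	if ( strstr( $s, ',' ) )
 		die; // it's a multiple tag insert, we won't find anything
-	$results = $wpdb->get_col( "SELECT name FROM $wpdb->terms WHERE name LIKE ('%$s%')" );
+	$results = $wpdb->get_col( $wpdb->prepare("SELECT name FROM $wpdb->terms WHERE name LIKE (%s)", '%' . $s . '%') );
 	echo join( $results, "\n" );
 	die;
 }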
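Review bot: The `%s` placeholder on the new line escapes quotes in `$s` but not the LIKE metacharacters `%` and `_`, so a request value of `%` still matches every term name; because the wildcards are concatenated around `$s`, the supplied text should be escaped first, e.g. `'%' . addcslashes( $s, '_%\\' ) . '%'` (or `like_escape()` if this WordPress version provides it). The impact is a broader autocomplete result set rather than injection, but it is cheap to close. Where `$s` is read from is outside the hunk, and the enclosing function starts outside it as well.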
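--- a/wp-admin/includes/comment.php
+++ b/wp-admin/includes/comment.php
@@ -3,8 +3,8 @@
 function comment_exists($comment_author, $comment_date) {
 	global $wpdb;
 
-	return $wpdb->get_var("SELECT comment_post_ID FROM $wpdb->comments
-			WHERE comment_author = '$comment_author' AND comment_date = '$comment_date'");
+	return $wpdb->get_var( $wpdb->prepare("SELECT comment_post_ID FROM $wpdb->comments
+			WHERE comment_author = %s AND comment_date = %s", $comment_author, $comment_date) );
 }
 
 function edit_comment() {
@@ -67,7 +67,7 @@
 function get_pending_comments_num( $post_id ) {
 	global $wpdb;
 	$post_id = (int) $post_id;
-	$pending = $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = $post_id AND comment_approved = '0'" );
+	$pending = $wpdb->get_var( $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '0'", $post_id) );
 	return $pending;
 }
 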
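Review bot: `comment_exists()` now escapes its two arguments inside `prepare()`, so any caller that still passes values already run through `$wpdb->escape()` will have them escaped twice and an author such as `O'Reilly` will never match, silently defeating the duplicate check; the callers (importers in particular, which are not visible from here) should be audited before this lands. A one-line contract comment above the query would make the expectation explicit: `// Expects raw, unescaped $comment_author and $comment_date; prepare() does the escaping.` The `%d` in `get_pending_comments_num()` is consistent with the `(int)` cast on the line above it. Both functions are complete within their hunks.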