WordPress.org

Make WordPress Core

Ticket #6644: prepared_queries8.diff

File prepared_queries8.diff, 5.0 KB (added by filosofo, 14 years ago)
  • wp-admin/includes/user.php

     
    141141function get_author_user_ids() {
    142142        global $wpdb;
    143143        $level_key = $wpdb->prefix . 'user_level';
    144 
    145         $query = "SELECT user_id FROM $wpdb->usermeta WHERE meta_key = '$level_key' AND meta_value != '0'";
    146 
    147         return $wpdb->get_col( $query );
     144        return $wpdb->get_col( $wpdb->prepare("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = %s AND meta_value != '0'", $level_key) );
    148145}
    149146
    150147function get_editable_authors( $user_id ) {
     
    176173
    177174        $level_key = $wpdb->prefix . 'user_level';
    178175
    179         $query = "SELECT user_id FROM $wpdb->usermeta WHERE meta_key = '$level_key'";
     176        $query = $wpdb->prepare("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = %s", $level_key);
    180177        if ( $exclude_zeros )
    181178                $query .= " AND meta_value != '0'";
    182179
     
    187184        global $wpdb;
    188185        $level_key = $wpdb->prefix . 'user_level';
    189186
    190         $query = "SELECT user_id FROM $wpdb->usermeta WHERE meta_key = '$level_key' AND meta_value = '0'";
    191 
    192         return $wpdb->get_col( $query );
     187        return $wpdb->get_col( $wpdb->prepare("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = %s AND meta_value = '0'", $level_key) );
    193188}
    194189
    195190function get_others_unpublished_posts($user_id, $type='any') {
     
    208203                $other_unpubs = '';
    209204        } else {
    210205                $editable = join(',', $editable);
    211                 $other_unpubs = $wpdb->get_results("SELECT ID, post_title, post_author FROM $wpdb->posts WHERE post_type = 'post' AND $type_sql AND post_author IN ($editable) AND post_author != '$user_id' ORDER BY post_modified $dir");
     206                $other_unpubs = $wpdb->get_results( $wpdb->prepare("SELECT ID, post_title, post_author FROM $wpdb->posts WHERE post_type = 'post' AND $type_sql AND post_author IN ($editable) AND post_author != %d ORDER BY post_modified $dir", $user_id) );
    212207        }
    213208
    214209        return apply_filters('get_others_drafts', $other_unpubs);
     
    241236
    242237function get_users_drafts( $user_id ) {
    243238        global $wpdb;
    244         $user_id = (int) $user_id;
    245         $query = "SELECT ID, post_title FROM $wpdb->posts WHERE post_type = 'post' AND post_status = 'draft' AND post_author = $user_id ORDER BY post_modified DESC";
     239        $query = $wpdb->prepare("SELECT ID, post_title FROM $wpdb->posts WHERE post_type = 'post' AND post_status = 'draft' AND post_author = %d ORDER BY post_modified DESC", $user_id);
    246240        $query = apply_filters('get_users_drafts', $query);
    247241        return $wpdb->get_results( $query );
    248242}
     
    253247        $id = (int) $id;
    254248
    255249        if ($reassign == 'novalue') {
    256                 $post_ids = $wpdb->get_col("SELECT ID FROM $wpdb->posts WHERE post_author = $id");
     250                $post_ids = $wpdb->get_col( $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_author = %d", $id) );
    257251
    258252                if ($post_ids) {
    259253                        foreach ($post_ids as $post_id)
     
    261255                }
    262256
    263257                // Clean links
    264                 $wpdb->query("DELETE FROM $wpdb->links WHERE link_owner = $id");
     258                $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->links WHERE link_owner = %d", $id) );
    265259        } else {
    266260                $reassign = (int) $reassign;
    267                 $wpdb->query("UPDATE $wpdb->posts SET post_author = {$reassign} WHERE post_author = {$id}");
    268                 $wpdb->query("UPDATE $wpdb->links SET link_owner = {$reassign} WHERE link_owner = {$id}");
     261                $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET post_author = %d WHERE post_author = %d", $reassign, $id) );
     262                $wpdb->query( $wpdb->prepare("UPDATE $wpdb->links SET link_owner = %d WHERE link_owner = %d}", $reassign, $id) );
    269263        }
    270264
    271265        // FINALLY, delete user
    272266        do_action('delete_user', $id);
    273267
    274         $wpdb->query("DELETE FROM $wpdb->users WHERE ID = $id");
    275         $wpdb->query("DELETE FROM $wpdb->usermeta WHERE user_id = '$id'");
     268        $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->users WHERE ID = %d", $id) );
     269        $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->usermeta WHERE user_id = %d", $id) );
    276270
    277271        wp_cache_delete($id, 'users');
    278272        wp_cache_delete($user->user_login, 'userlogins');
     
    323317        function prepare_query() {
    324318                global $wpdb;
    325319                $this->first_user = ($this->page - 1) * $this->users_per_page;
    326                 $this->query_limit = ' LIMIT ' . $this->first_user . ',' . $this->users_per_page;
     320                $this->query_limit = $wpdb->prepare(" LIMIT %d, %d", $this->first_user, $this->users_per_page);
    327321                $this->query_sort = ' ORDER BY user_login';
    328322                $search_sql = '';
    329323                if ( $this->search_term ) {
     
    337331
    338332                $this->query_from_where = "FROM $wpdb->users";
    339333                if ( $this->role )
    340                         $this->query_from_where .= " INNER JOIN $wpdb->usermeta ON $wpdb->users.ID = $wpdb->usermeta.user_id WHERE $wpdb->usermeta.meta_key = '{$wpdb->prefix}capabilities' AND $wpdb->usermeta.meta_value LIKE '%$this->role%'";
     334                        $this->query_from_where .= $wpdb->prepare(" INNER JOIN $wpdb->usermeta ON $wpdb->users.ID = $wpdb->usermeta.user_id WHERE $wpdb->usermeta.meta_key = '{$wpdb->prefix}capabilities' AND $wpdb->usermeta.meta_value LIKE %s", '%' . $this->role . '%');
    341335                else
    342336                        $this->query_from_where .= " WHERE 1=1";
    343337                $this->query_from_where .= " $search_sql";