

Ticket #6644: prepared_queries9.diff

File prepared_queries9.diff, 4.9 KB (added by filosofo, 10 years ago)
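--- a/wp-admin/includes/export.php
+++ b/wp-admin/includes/export.php
@@ -17,7 +17,7 @@
 $where = '';
 if ( $author and $author != 'all' ) {
         $author_id = (int) $author;
-        $where = " WHERE post_author = '$author_id' ";
+        $where = $wpdb->prepare(" WHERE post_author = %d ", $author_id);
 }
 
 // grab a snapshot of post IDs, just in case it changes during the export
@@ -217,7 +217,7 @@
 <wp:attachment_url><?php echo wp_get_attachment_url($post->ID); ?></wp:attachment_url>
 <?php } ?>
 <?php
-$postmeta = $wpdb->get_results("SELECT * FROM $wpdb->postmeta WHERE post_id = $post->ID");
+$postmeta = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->postmeta WHERE post_id = %d", $post->ID) );
 if ( $postmeta ) {
 ?>
 <?php foreach( $postmeta as $meta ) { ?>
@@ -228,7 +228,7 @@
 <?php } ?>
 <?php } ?>
 <?php
-$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = $post->ID");
+$comments = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d", $post->ID) );
 if ( $comments ) { foreach ( $comments as $c ) { ?>
 <wp:comment>
 <wp:comment_id><?php echo $c->comment_ID; ?></wp:comment_id>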
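Review bot: The three new prepare() calls (new lines 20, 220 and 231) still interpolate `$wpdb->postmeta` and `$wpdb->comments` into the format string before the placeholders are applied; that is acceptable only because the table prefix is site configuration rather than request data, and a later edit that interpolated a request value the same way would bypass the placeholders entirely. A one-line comment at the first of them would record that boundary: `// only trusted table names are interpolated; every row value goes through a prepare() placeholder`. The `(int)` cast on line 19 is now redundant with the `%d` placeholder on line 20, though harmless to keep. The export loop that these hunks sit in starts and ends outside the visible hunks.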
  • wp-admin/includes/post.php

     
    194194        global $wpdb;
    195195
    196196        if (!empty ($post_date))
    197                 $post_date = "AND post_date = '$post_date'";
     197                $post_date = $wpdb->prepare("AND post_date = %s", $post_date);
    198198
    199199        if (!empty ($title))
    200                 return $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$title' $post_date");
     200                return $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title = %s $post_date", $title) );
    201201        else
    202202                if (!empty ($content))
    203                         return $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_content = '$content' $post_date");
     203                        return $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_content = %s $post_date", $content) );
    204204
    205205        return 0;
    206206}
     
    380380
    381381                wp_cache_delete($post_ID, 'post_meta');
    382382
    383                 $wpdb->query( "
    384                                 INSERT INTO $wpdb->postmeta
    385                                 (post_id,meta_key,meta_value )
    386                                 VALUES ('$post_ID','$metakey','$metavalue' )
    387                         " );
     383                $wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta
     384                        (post_id,meta_key,meta_value ) VALUES (%s, %s, %s)",
     385                        $post_ID, $metakey, $metavalue) );
    388386                return $wpdb->insert_id;
    389387        }
    390388        return false;
     
    394392        global $wpdb;
    395393        $mid = (int) $mid;
    396394
    397         $post_id = $wpdb->get_var("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = '$mid'");
     395        $post_id = $wpdb->get_var( $wpdb->prepare("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
    398396        wp_cache_delete($post_id, 'post_meta');
    399397
    400         return $wpdb->query( "DELETE FROM $wpdb->postmeta WHERE meta_id = '$mid'" );
     398        return $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
    401399}
    402400
    403401// Get a list of previously defined keys
     
    417415        global $wpdb;
    418416        $mid = (int) $mid;
    419417
    420         $meta = $wpdb->get_row( "SELECT * FROM $wpdb->postmeta WHERE meta_id = '$mid'" );
     418        $meta = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
    421419        if ( is_serialized_string( $meta->meta_value ) )
    422420                $meta->meta_value = maybe_unserialize( $meta->meta_value );
    423421        return $meta;
     
    427425function has_meta( $postid ) {
    428426        global $wpdb;
    429427
    430         return $wpdb->get_results( "
    431                         SELECT meta_key, meta_value, meta_id, post_id
    432                         FROM $wpdb->postmeta
    433                         WHERE post_id = '$postid'
    434                         ORDER BY meta_key,meta_id", ARRAY_A );
     428        return $wpdb->get_results( $wpdb->prepare("SELECT meta_key, meta_value, meta_id, post_id
     429                        FROM $wpdb->postmeta WHERE post_id = %d
     430                        ORDER BY meta_key,meta_id", $postid), ARRAY_A );
    435431
    436432}
    437433
     
    443439        if ( in_array($mkey, $protected) )
    444440                return false;
    445441
    446         $post_id = $wpdb->get_var("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = '$mid'");
     442        $post_id = $wpdb->get_var( $wpdb->prepare("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
    447443        wp_cache_delete($post_id, 'post_meta');
    448444
    449445        $mvalue = maybe_serialize( stripslashes( $mvalue ));
    450446        $mvalue = $wpdb->escape( $mvalue );
    451447        $mid = (int) $mid;
    452         return $wpdb->query( "UPDATE $wpdb->postmeta SET meta_key = '$mkey', meta_value = '$mvalue' WHERE meta_id = '$mid'" );
     448        return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->postmeta SET meta_key = %s, meta_value = %s WHERE meta_id = %d", $mkey, $mvalue, $mid) );
    453449}
    454450
    455451//
     
    502498        global $wpdb;
    503499        $old_ID = (int) $old_ID;
    504500        $new_ID = (int) $new_ID;
    505         return $wpdb->query( "UPDATE $wpdb->posts SET post_parent = $new_ID WHERE post_parent = $old_ID" );
     501        return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET post_parent = %d WHERE post_parent = %d", $new_ID, $old_ID) );
    506502}
    507503