

Ticket #6644: prepared_queries9.diff

File prepared_queries9.diff, 4.9 KB (added by filosofo, 7 years ago)
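--- a/wp-admin/includes/export.php
+++ b/wp-admin/includes/export.php
@@ -17,7 +17,7 @@
 $where = '';
 if ( $author and $author != 'all' ) {
         $author_id = (int) $author;
-        $where = " WHERE post_author = '$author_id' ";
+        $where = $wpdb->prepare(" WHERE post_author = %d ", $author_id);
 }
 
 // grab a snapshot of post IDs, just in case it changes during the export
@@ -217,7 +217,7 @@
 <wp:attachment_url><?php echo wp_get_attachment_url($post->ID); ?></wp:attachment_url>
 <?php } ?>
 <?php
-$postmeta = $wpdb->get_results("SELECT * FROM $wpdb->postmeta WHERE post_id = $post->ID");
+$postmeta = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->postmeta WHERE post_id = %d", $post->ID) );
 if ( $postmeta ) {
 ?>
 <?php foreach( $postmeta as $meta ) { ?>
@@ -228,7 +228,7 @@
 <?php } ?>
 <?php } ?>
 <?php
-$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = $post->ID");
+$comments = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d", $post->ID) );
 if ( $comments ) { foreach ( $comments as $c ) { ?>
 <wp:comment>
 <wp:comment_id><?php echo $c->comment_ID; ?></wp:comment_id>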
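--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -194,13 +194,13 @@
         global $wpdb;
 
         if (!empty ($post_date))
-                $post_date = "AND post_date = '$post_date'";
+                $post_date = $wpdb->prepare("AND post_date = %s", $post_date);
 
         if (!empty ($title))
-                return $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$title' $post_date");
+                return $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title = %s $post_date", $title) );
         else
                 if (!empty ($content))
-                        return $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_content = '$content' $post_date");
+                        return $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_content = %s $post_date", $content) );
 
         return 0;
 }
@@ -380,11 +380,9 @@
 
                 wp_cache_delete($post_ID, 'post_meta');
 
-                $wpdb->query( "
-                                INSERT INTO $wpdb->postmeta
-                                (post_id,meta_key,meta_value )
-                                VALUES ('$post_ID','$metakey','$metavalue' )
-                        " );
+                $wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta
+                        (post_id,meta_key,meta_value ) VALUES (%s, %s, %s)",
+                        $post_ID, $metakey, $metavalue) );
                 return $wpdb->insert_id;
         }
         return false;
@@ -394,10 +392,10 @@
         global $wpdb;
         $mid = (int) $mid;
 
-        $post_id = $wpdb->get_var("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = '$mid'");
+        $post_id = $wpdb->get_var( $wpdb->prepare("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
         wp_cache_delete($post_id, 'post_meta');
 
-        return $wpdb->query( "DELETE FROM $wpdb->postmeta WHERE meta_id = '$mid'" );
+        return $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
 }
 
 // Get a list of previously defined keys
@@ -417,7 +415,7 @@
         global $wpdb;
         $mid = (int) $mid;
 
-        $meta = $wpdb->get_row( "SELECT * FROM $wpdb->postmeta WHERE meta_id = '$mid'" );
+        $meta = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
         if ( is_serialized_string( $meta->meta_value ) )
                 $meta->meta_value = maybe_unserialize( $meta->meta_value );
         return $meta;
@@ -427,11 +425,9 @@
 function has_meta( $postid ) {
         global $wpdb;
 
-        return $wpdb->get_results( "
-                        SELECT meta_key, meta_value, meta_id, post_id
-                        FROM $wpdb->postmeta
-                        WHERE post_id = '$postid'
-                        ORDER BY meta_key,meta_id", ARRAY_A );
+        return $wpdb->get_results( $wpdb->prepare("SELECT meta_key, meta_value, meta_id, post_id
+                        FROM $wpdb->postmeta WHERE post_id = %d
+                        ORDER BY meta_key,meta_id", $postid), ARRAY_A );
 
 }
 
@@ -443,13 +439,13 @@
         if ( in_array($mkey, $protected) )
                 return false;
 
-        $post_id = $wpdb->get_var("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = '$mid'");
+        $post_id = $wpdb->get_var( $wpdb->prepare("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = %d", $mid) );
         wp_cache_delete($post_id, 'post_meta');
 
         $mvalue = maybe_serialize( stripslashes( $mvalue ));
         $mvalue = $wpdb->escape( $mvalue );
         $mid = (int) $mid;
-        return $wpdb->query( "UPDATE $wpdb->postmeta SET meta_key = '$mkey', meta_value = '$mvalue' WHERE meta_id = '$mid'" );
+        return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->postmeta SET meta_key = %s, meta_value = %s WHERE meta_id = %d", $mkey, $mvalue, $mid) );
 }
 
 //
@@ -502,6 +498,6 @@
         global $wpdb;
         $old_ID = (int) $old_ID;
         $new_ID = (int) $new_ID;
-        return $wpdb->query( "UPDATE $wpdb->posts SET post_parent = $new_ID WHERE post_parent = $old_ID" );
+        return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET post_parent = %d WHERE post_parent = %d", $new_ID, $old_ID) );
 }
 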
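Review bot: In the update_meta hunk the new UPDATE passes `$mvalue` to `$wpdb->prepare()` while the unchanged line two above it still runs `$mvalue = $wpdb->escape( $mvalue );`, so, since prepare() escapes its arguments itself, every quote and backslash in a meta value is escaped twice and is stored with a stray backslash. Drop that `$wpdb->escape()` line and keep only `$mvalue = maybe_serialize( stripslashes( $mvalue ));` ahead of the prepared query; whether `$mkey` here and `$metakey`/`$metavalue` in the add_post_meta hunk are escaped higher up in their functions is outside the hunks, so check those for the same double escape before landing this. The add_post_meta hunk also binds `$post_ID` with `%s` where every other hunk uses `%d` for an integer id; `VALUES (%d, %s, %s)` is the consistent choice. Less urgently, post_exists() splices an already-prepared `$post_date` fragment into a second prepare() format string, so any `%` in the supplied date is re-read as a conversion by the outer call; building each query in one prepare() with the date as an extra argument avoids that.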