Changeset 10907


Timestamp:
04/10/2009 09:37:19 PM (9 years ago)
Author:
ryan
Message:

Backtick table and column names. Props mdawaffe. fixes #9505

File:
1 edited

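--- a/trunk/wp-includes/wp-db.php
+++ b/trunk/wp-includes/wp-db.php
@@ -698,5 +698,5 @@
      * @since 2.5.0
      *
-     * @param string $table WARNING: not sanitized!
+     * @param string $table table name
      * @param array $data Should not already be SQL-escaped
      * @param array|string $format The format of the field values.
@@ -718,5 +718,5 @@
             $formatted_fields[] = $form;
         }
-        $sql = "INSERT INTO $table (`" . implode( '`,`', $fields ) . "`) VALUES ('" . implode( "','", $formatted_fields ) . "')";
+        $sql = "INSERT INTO `$table` (`" . implode( '`,`', $fields ) . "`) VALUES ('" . implode( "','", $formatted_fields ) . "')";
         return $this->query( $this->prepare( $sql, $data) );
     }
@@ -727,7 +727,7 @@
      * @since 2.5.0
      *
-     * @param string $table WARNING: not sanitized!
+     * @param string $table table name
      * @param array $data Should not already be SQL-escaped
-     * @param array $where A named array of WHERE column => value relationships.  Multiple member pairs will be joined with ANDs.  WARNING: the column names are not currently sanitized!
+     * @param array $where A named array of WHERE column => value relationships.  Multiple member pairs will be joined with ANDs.
      * @param array|string $format The format of the field values.
      * @param array|string $where_format The format of the where field values.
@@ -760,8 +760,8 @@
             else
                 $form = '%s';
-            $wheres[] = "$field = {$form}";
-        }
-
-        $sql = "UPDATE $table SET " . implode( ', ', $bits ) . ' WHERE ' . implode( ' AND ', $wheres );
+            $wheres[] = "`$field` = {$form}";
+        }
+
+        $sql = "UPDATE `$table` SET " . implode( ', ', $bits ) . ' WHERE ' . implode( ' AND ', $wheres );
         return $this->query( $this->prepare( $sql, array_merge(array_values($data), array_values($where))) );
     }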
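Review bot: The docblock hunks at 700 and 729–731 drop the "WARNING: not sanitized!" caveat on `$table` and on the `$where` column names, but the backticks added at 720, 762 and 765 only quote the identifiers; they do not escape a backtick already present in the name, and the `$data` and `$where` keys are still interpolated into the statement as-is. A reader of the new docblocks could take "table name" to mean the value is now safe to pass through from a request, which the quoting alone does not make true. I would keep a caveat, e.g. `@param string $table table name (backtick-quoted, not escaped; must be a trusted identifier)`, and the equivalent sentence on `$where` about its keys. The two methods these hunks belong to (presumably insert() and update()) start outside the hunks; their closing braces at 722 and 767 are inside.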