Changeset 13673


Timestamp:
03/11/10 21:49:56 (4 years ago)
Author:
ryan
Message:

make *_option(), *_transient() functions consistently expect unslashed data. Props Denis-de-Bernardy. see #12416

Location:
trunk/wp-includes
Files:
3 edited

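--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -2442,6 +2442,5 @@
         case 'siteurl':
         case 'home':
-            $value = stripslashes($value);
-            $value = esc_url($value);
+            $value = esc_url_raw($value);
             break;
         default :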
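Review bot: The added line in the 'siteurl'/'home' case stores the esc_url_raw() result, which is the database form of the URL rather than the display form, so anything that later prints these two options must still pass them through esc_url() at output; a comment on the added line would make that contract explicit: `$value = esc_url_raw($value); // stored raw for the DB; escape with esc_url() at output`. With stripslashes() gone from this case, callers that feed request data into sanitize_option() are now responsible for unslashing it first, otherwise backslashes end up in the stored URL. sanitize_option() itself starts and ends outside the hunk.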
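--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -308,5 +308,5 @@
  *  the option value.
  *
- * @param string $option Name of option to retrieve. Should already be SQL-escaped
+ * @param string $option Name of option to retrieve. Expected to not be SQL-escaped.
  * @return mixed Value set for the option.
  */
@@ -340,6 +340,5 @@
             if ( defined( 'WP_INSTALLING' ) )
                 $suppress = $wpdb->suppress_errors();
-            // expected_slashed ($option)
-            $row = $wpdb->get_row( "SELECT option_value FROM $wpdb->options WHERE option_name = '$option' LIMIT 1" );
+            $row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = '%s' LIMIT 1", $option ) );
             if ( defined( 'WP_INSTALLING' ) )
                 $wpdb->suppress_errors( $suppress );
@@ -483,6 +482,6 @@
  * @uses do_action() Calls 'update_option_$option' and 'updated_option' hooks on success.
  *
- * @param string $option Option name. Expected to not be SQL-escaped
- * @param mixed $newvalue Option value.
+ * @param string $option Option name. Expected to not be SQL-escaped.
+ * @param mixed $newvalue Option value. Expected to not be SQL-escaped.
  * @return bool False if value was not updated and true if value was updated.
  */
@@ -492,7 +491,6 @@
     wp_protect_special_option( $option );
 
-    $safe_option = esc_sql( $option );
     $newvalue = sanitize_option( $option, $newvalue );
-    $oldvalue = get_option( $safe_option );
+    $oldvalue = get_option( $option );
     $newvalue = apply_filters( 'pre_update_option_' . $option, $newvalue, $oldvalue );
 
@@ -517,8 +515,8 @@
         $alloptions = wp_load_alloptions();
         if ( isset( $alloptions[$option] ) ) {
-            $alloptions[$option] = $newvalue;
-            wp_cache_set( 'alloptions', $alloptions, 'options' );
+            $alloptions[$option] = $_newvalue;
+            wp_cache_set( 'alloptions', $_alloptions, 'options' );
         } else {
-            wp_cache_set( $option, $newvalue, 'options' );
+            wp_cache_set( $option, $_newvalue, 'options' );
         }
     }
@@ -555,6 +553,6 @@
  * @uses do_action() Calls 'add_option_$option' and 'added_option' hooks on success.
  *
- * @param string $option Name of option to add. Expects to NOT be SQL escaped.
- * @param mixed $value Optional. Option value, can be anything.
+ * @param string $option Name of option to add. Expected to not be SQL-escaped.
+ * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped.
  * @param mixed $deprecated Optional. Description. Not used anymore.
  * @param bool $autoload Optional. Default is enabled. Whether to load the option when WordPress starts up.
@@ -568,5 +566,4 @@
 
     wp_protect_special_option( $option );
-    $safe_option = esc_sql( $option );
     $value = sanitize_option( $option, $value );
 
@@ -574,5 +571,5 @@
     $notoptions = wp_cache_get( 'notoptions', 'options' );
     if ( !is_array( $notoptions ) || !isset( $notoptions[$option] ) )
-        if ( false !== get_option( $safe_option ) )
+        if ( false !== get_option( $option ) )
             return;
 
@@ -618,5 +615,5 @@
  * @uses do_action() Calls 'deleted_option' and 'delete_option_$option' hooks on success.
  *
- * @param string $option Name of option to remove.
+ * @param string $option Name of option to remove. Expected to not be SQL-escaped.
  * @return bool True, if option is successfully deleted. False on failure.
  */
@@ -627,11 +624,9 @@
 
     // Get the ID, if no ID then return
-    // expected_slashed ($option)
-    $row = $wpdb->get_row( "SELECT autoload FROM $wpdb->options WHERE option_name = '$option'" );
+    $row = $wpdb->get_row( $wpdb->prepare( "SELECT autoload FROM $wpdb->options WHERE option_name = '%s'", $option ) );
     if ( is_null( $row ) )
         return false;
     do_action( 'delete_option', $option );
-    // expected_slashed ($option)
-    $result = $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name = '$option'" );
+    $result = $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->options WHERE option_name = '%s'", $option) );
     if ( ! defined( 'WP_INSTALLING' ) ) {
         if ( 'yes' == $row->autoload ) {
@@ -663,5 +658,5 @@
  * @uses do_action() Calls 'deleted_transient' hook on success.
  *
- * @param string $transient Transient name. Expected to not be SQL-escaped
+ * @param string $transient Transient name. Expected to not be SQL-escaped.
  * @return bool true if successful, false otherwise
  */
@@ -674,5 +669,5 @@
         $result = wp_cache_delete( $transient, 'transient' );
     } else {
-        $option = '_transient_' . esc_sql( $transient );
+        $option = '_transient_' . $transient;
         $result = delete_option( $option );
     }
@@ -712,11 +707,10 @@
         $value = wp_cache_get( $transient, 'transient' );
     } else {
-        $safe_transient   = esc_sql( $transient );
-        $transient_option = '_transient_' . $safe_transient;
+        $transient_option = '_transient_' . $transient;
         if ( ! defined( 'WP_INSTALLING' ) ) {
             // If option is not in alloptions, it is not autoloaded and thus has a timeout
             $alloptions = wp_load_alloptions();
             if ( !isset( $alloptions[$transient_option] ) ) {
-                $transient_timeout = '_transient_timeout_' . $safe_transient;
+                $transient_timeout = '_transient_timeout_' . $transient;
                 if ( get_option( $transient_timeout ) < time() ) {
                     delete_option( $transient_option  );
@@ -747,6 +741,6 @@
  * @uses do_action() Calls 'set_transient_$transient' and 'setted_transient' hooks on success.
  *
- * @param string $transient Transient name. Expected to not be SQL-escaped
- * @param mixed $value Transient value.
+ * @param string $transient Transient name. Expected to not be SQL-escaped.
+ * @param mixed $value Transient value. Expected to not be SQL-escaped.
  * @param int $expiration Time until expiration in seconds, default 0
  * @return bool False if value was not set and true if value was set.
@@ -762,6 +756,5 @@
         $transient_timeout = '_transient_timeout_' . $transient;
         $transient = '_transient_' . $transient;
-        $safe_transient = esc_sql( $transient );
-        if ( false === get_option( $safe_transient ) ) {
+        if ( false === get_option( $transient ) ) {
             $autoload = 'yes';
             if ( $expiration ) {
@@ -1001,8 +994,5 @@
  */
 function maybe_serialize( $data ) {
-    if ( is_array( $data ) || is_object( $data ) )
-        return serialize( $data );
-
-    if ( is_serialized( $data ) )
+    if ( !is_scalar( $data ) )
         return serialize( $data );
 
@@ -3385,5 +3375,5 @@
  *  the option value.
  *
- * @param string $option Name of option to retrieve. Should already be SQL-escaped
+ * @param string $option Name of option to retrieve. Expected to not be SQL-escaped.
  * @param mixed $default Optional value to return if option doesn't exist. Default false.
  * @param bool $use_cache Whether to use cache. Multisite only. Default true.
@@ -3432,6 +3422,6 @@
  * @uses do_action() Calls 'add_site_option_$option' and 'add_site_option' hooks on success.
  *
- * @param string $option Name of option to add. Expects to not be SQL escaped.
- * @param mixed $value Optional. Option value, can be anything.
+ * @param string $option Name of option to add. Expected to not be SQL-escaped.
+ * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped.
  * @return bool False if option was not added and true if option was added.
  */
@@ -3476,5 +3466,5 @@
  *  hooks on success.
  *
- * @param string $option Name of option to remove. Expected to be SQL-escaped.
+ * @param string $option Name of option to remove. Expected to not be SQL-escaped.
  * @return bool True, if succeed. False, if failure.
  */
@@ -3518,6 +3508,6 @@
  * @uses do_action() Calls 'update_site_option_$option' and 'update_site_option' hooks on success.
  *
- * @param string $option Name of option. Expected to not be SQL-escaped
- * @param mixed $value Option value.
+ * @param string $option Name of option. Expected to not be SQL-escaped.
+ * @param mixed $value Option value. Expected to not be SQL-escaped.
  * @return bool False if value was not updated and true if value was updated.
  */
@@ -3565,5 +3555,5 @@
  * @uses do_action() Calls 'deleted_site_transient' hook on success.
  *
- * @param string $transient Transient name. Expected to not be SQL-escaped
+ * @param string $transient Transient name. Expected to not be SQL-escaped.
  * @return bool True if successful, false otherwise
  */
@@ -3575,5 +3565,5 @@
         $result = wp_cache_delete( $transient, 'site-transient' );
     } else {
-        $option = '_site_transient_' . esc_sql( $transient );
+        $option = '_site_transient_' . $transient;
         $result = delete_site_option( $option );
     }
@@ -3600,5 +3590,5 @@
  *  the transient value.
  *
- * @param string $transient Transient name. Expected to not be SQL-escaped
+ * @param string $transient Transient name. Expected to not be SQL-escaped.
  * @return mixed Value of transient
  */
@@ -3615,7 +3605,7 @@
         // Core transients that do not have a timeout. Listed here so querying timeouts can be avoided.
         $no_timeout = array('update_core', 'update_plugins', 'update_themes');
-        $transient_option = '_site_transient_' . esc_sql( $transient );
+        $transient_option = '_site_transient_' . $transient;
         if ( ! in_array( $transient, $no_timeout ) ) {
-            $transient_timeout = '_site_transient_timeout_' . esc_sql( $transient );
+            $transient_timeout = '_site_transient_timeout_' . $transient;
             $timeout = get_site_option( $transient_timeout );
             if ( false !== $timeout && $timeout < time() ) {
@@ -3647,6 +3637,6 @@
  * @uses do_action() Calls 'set_site_transient_$transient' and 'setted_site_transient' hooks on success.
  *
- * @param string $transient Transient name. Expected to not be SQL-escaped
- * @param mixed $value Transient value.
+ * @param string $transient Transient name. Expected to not be SQL-escaped.
+ * @param mixed $value Transient value. Expected to not be SQL-escaped.
  * @param int $expiration Time until expiration in seconds, default 0
  * @return bool False if value was not set and true if value was set.
@@ -3662,6 +3652,5 @@
         $transient_timeout = '_site_transient_timeout_' . $transient;
         $transient = '_site_transient_' . $transient;
-        $safe_transient = esc_sql( $transient );
-        if ( false === get_site_option( $safe_transient ) ) {
+        if ( false === get_site_option( $transient ) ) {
             if ( $expiration )
                 add_site_option( $transient_timeout, time() + $expiration );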
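Review bot: In the update_option() hunk (new lines 517–520), `wp_cache_set( 'alloptions', $_alloptions, 'options' )` writes a variable that appears nowhere in the visible hunk, while the array actually modified on the preceding line is `$alloptions`; unless `$_alloptions` is assigned above the hunk, this stores an undefined value into the alloptions cache and the update to `$alloptions[$option]` is lost until the next load. The line should read `wp_cache_set( 'alloptions', $alloptions, 'options' );`. The `$_newvalue` used on the same lines is likewise not assigned within the hunk; I assume it is the pre-serialization value set earlier in update_option(), which begins and ends outside the hunk, so that should be confirmed at the same time. Separately, in maybe_serialize() the new `!is_scalar( $data )` test also matches null, which the removed is_array()/is_object() test did not, so null option values are now stored serialized; the rest of that function is outside the hunk.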
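--- a/trunk/wp-includes/theme.php
+++ b/trunk/wp-includes/theme.php
@@ -1201,5 +1201,5 @@
     $theme = get_current_theme();
 
-    $mods = get_option( esc_sql( "mods_$theme" ) );
+    $mods = get_option( "mods_$theme" );
 
     if ( isset($mods[$name]) )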