Changeset 13673
- Timestamp:
- 03/11/2010 09:49:56 PM (15 years ago)
- Location:
- trunk/wp-includes
- Files:
-
- 3 edited
trunk/wp-includes/formatting.php
r13468 r13673 2442 2442 case 'siteurl': 2443 2443 case 'home': 2444 $value = stripslashes($value); 2445 $value = esc_url($value); 2444 $value = esc_url_raw($value); 2446 2445 break; 2447 2446 default : -
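Review bot: The value stored for siteurl/home by the new `esc_url_raw($value)` line is presumably not HTML-entity-encoded (the `_raw` variant), unlike the previous `esc_url()` result, so every reader of these two options must now escape at output time, and nothing in the hunk records that contract. The line also assumes callers hand in an unslashed value, consistent with the "Expected to not be SQL-escaped" wording added elsewhere in this changeset, but that expectation is likewise undocumented here. Suggest a comment above the `break;`: `// Stored raw (unslashed, not entity-encoded); escape with esc_url() on output.` The enclosing sanitize_option() switch starts and ends outside this hunk.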
trunk/wp-includes/functions.php
r13631 r13673 308 308 * the option value. 309 309 * 310 * @param string $option Name of option to retrieve. Should already be SQL-escaped310 * @param string $option Name of option to retrieve. Expected to not be SQL-escaped. 311 311 * @return mixed Value set for the option. 312 312 */ … … 340 340 if ( defined( 'WP_INSTALLING' ) ) 341 341 $suppress = $wpdb->suppress_errors(); 342 // expected_slashed ($option) 343 $row = $wpdb->get_row( "SELECT option_value FROM $wpdb->options WHERE option_name = '$option' LIMIT 1" ); 342 $row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = '%s' LIMIT 1", $option ) ); 344 343 if ( defined( 'WP_INSTALLING' ) ) 345 344 $wpdb->suppress_errors( $suppress ); … … 483 482 * @uses do_action() Calls 'update_option_$option' and 'updated_option' hooks on success. 484 483 * 485 * @param string $option Option name. Expected to not be SQL-escaped 486 * @param mixed $newvalue Option value. 484 * @param string $option Option name. Expected to not be SQL-escaped. 485 * @param mixed $newvalue Option value. Expected to not be SQL-escaped. 487 486 * @return bool False if value was not updated and true if value was updated. 488 487 */ … … 492 491 wp_protect_special_option( $option ); 493 492 494 $safe_option = esc_sql( $option );495 493 $newvalue = sanitize_option( $option, $newvalue ); 496 $oldvalue = get_option( $ safe_option );494 $oldvalue = get_option( $option ); 497 495 $newvalue = apply_filters( 'pre_update_option_' . 
$option, $newvalue, $oldvalue ); 498 496 … … 517 515 $alloptions = wp_load_alloptions(); 518 516 if ( isset( $alloptions[$option] ) ) { 519 $alloptions[$option] = $ newvalue;520 wp_cache_set( 'alloptions', $ alloptions, 'options' );517 $alloptions[$option] = $_newvalue; 518 wp_cache_set( 'alloptions', $_alloptions, 'options' ); 521 519 } else { 522 wp_cache_set( $option, $ newvalue, 'options' );520 wp_cache_set( $option, $_newvalue, 'options' ); 523 521 } 524 522 } … … 555 553 * @uses do_action() Calls 'add_option_$option' and 'added_option' hooks on success. 556 554 * 557 * @param string $option Name of option to add. Expect s to NOT be SQLescaped.558 * @param mixed $value Optional. Option value, can be anything. 555 * @param string $option Name of option to add. Expected to not be SQL-escaped. 556 * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped. 559 557 * @param mixed $deprecated Optional. Description. Not used anymore. 560 558 * @param bool $autoload Optional. Default is enabled. Whether to load the option when WordPress starts up. … … 568 566 569 567 wp_protect_special_option( $option ); 570 $safe_option = esc_sql( $option );571 568 $value = sanitize_option( $option, $value ); 572 569 … … 574 571 $notoptions = wp_cache_get( 'notoptions', 'options' ); 575 572 if ( !is_array( $notoptions ) || !isset( $notoptions[$option] ) ) 576 if ( false !== get_option( $ safe_option ) )573 if ( false !== get_option( $option ) ) 577 574 return; 578 575 … … 618 615 * @uses do_action() Calls 'deleted_option' and 'delete_option_$option' hooks on success. 619 616 * 620 * @param string $option Name of option to remove. 617 * @param string $option Name of option to remove. Expected to not be SQL-escaped. 621 618 * @return bool True, if option is successfully deleted. False on failure. 
622 619 */ … … 627 624 628 625 // Get the ID, if no ID then return 629 // expected_slashed ($option) 630 $row = $wpdb->get_row( "SELECT autoload FROM $wpdb->options WHERE option_name = '$option'" ); 626 $row = $wpdb->get_row( $wpdb->prepare( "SELECT autoload FROM $wpdb->options WHERE option_name = '%s'", $option ) ); 631 627 if ( is_null( $row ) ) 632 628 return false; 633 629 do_action( 'delete_option', $option ); 634 // expected_slashed ($option) 635 $result = $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name = '$option'" ); 630 $result = $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->options WHERE option_name = '%s'", $option) ); 636 631 if ( ! defined( 'WP_INSTALLING' ) ) { 637 632 if ( 'yes' == $row->autoload ) { … … 663 658 * @uses do_action() Calls 'deleted_transient' hook on success. 664 659 * 665 * @param string $transient Transient name. Expected to not be SQL-escaped 660 * @param string $transient Transient name. Expected to not be SQL-escaped. 666 661 * @return bool true if successful, false otherwise 667 662 */ … … 674 669 $result = wp_cache_delete( $transient, 'transient' ); 675 670 } else { 676 $option = '_transient_' . esc_sql( $transient );671 $option = '_transient_' . $transient; 677 672 $result = delete_option( $option ); 678 673 } … … 712 707 $value = wp_cache_get( $transient, 'transient' ); 713 708 } else { 714 $safe_transient = esc_sql( $transient ); 715 $transient_option = '_transient_' . $safe_transient; 709 $transient_option = '_transient_' . $transient; 716 710 if ( ! defined( 'WP_INSTALLING' ) ) { 717 711 // If option is not in alloptions, it is not autoloaded and thus has a timeout 718 712 $alloptions = wp_load_alloptions(); 719 713 if ( !isset( $alloptions[$transient_option] ) ) { 720 $transient_timeout = '_transient_timeout_' . $ safe_transient;714 $transient_timeout = '_transient_timeout_' . 
$transient; 721 715 if ( get_option( $transient_timeout ) < time() ) { 722 716 delete_option( $transient_option ); … … 747 741 * @uses do_action() Calls 'set_transient_$transient' and 'setted_transient' hooks on success. 748 742 * 749 * @param string $transient Transient name. Expected to not be SQL-escaped 750 * @param mixed $value Transient value. 743 * @param string $transient Transient name. Expected to not be SQL-escaped. 744 * @param mixed $value Transient value. Expected to not be SQL-escaped. 751 745 * @param int $expiration Time until expiration in seconds, default 0 752 746 * @return bool False if value was not set and true if value was set. … … 762 756 $transient_timeout = '_transient_timeout_' . $transient; 763 757 $transient = '_transient_' . $transient; 764 $safe_transient = esc_sql( $transient ); 765 if ( false === get_option( $safe_transient ) ) { 758 if ( false === get_option( $transient ) ) { 766 759 $autoload = 'yes'; 767 760 if ( $expiration ) { … … 1001 994 */ 1002 995 function maybe_serialize( $data ) { 1003 if ( is_array( $data ) || is_object( $data ) ) 1004 return serialize( $data ); 1005 1006 if ( is_serialized( $data ) ) 996 if ( !is_scalar( $data ) ) 1007 997 return serialize( $data ); 1008 998 … … 3385 3375 * the option value. 3386 3376 * 3387 * @param string $option Name of option to retrieve. Should already be SQL-escaped3377 * @param string $option Name of option to retrieve. Expected to not be SQL-escaped. 3388 3378 * @param mixed $default Optional value to return if option doesn't exist. Default false. 3389 3379 * @param bool $use_cache Whether to use cache. Multisite only. Default true. … … 3432 3422 * @uses do_action() Calls 'add_site_option_$option' and 'add_site_option' hooks on success. 3433 3423 * 3434 * @param string $option Name of option to add. Expect s to not be SQLescaped.3435 * @param mixed $value Optional. Option value, can be anything. 3424 * @param string $option Name of option to add. Expected to not be SQL-escaped. 
3425 * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped. 3436 3426 * @return bool False if option was not added and true if option was added. 3437 3427 */ … … 3476 3466 * hooks on success. 3477 3467 * 3478 * @param string $option Name of option to remove. Expected to be SQL-escaped.3468 * @param string $option Name of option to remove. Expected to not be SQL-escaped. 3479 3469 * @return bool True, if succeed. False, if failure. 3480 3470 */ … … 3518 3508 * @uses do_action() Calls 'update_site_option_$option' and 'update_site_option' hooks on success. 3519 3509 * 3520 * @param string $option Name of option. Expected to not be SQL-escaped 3521 * @param mixed $value Option value. 3510 * @param string $option Name of option. Expected to not be SQL-escaped. 3511 * @param mixed $value Option value. Expected to not be SQL-escaped. 3522 3512 * @return bool False if value was not updated and true if value was updated. 3523 3513 */ … … 3565 3555 * @uses do_action() Calls 'deleted_site_transient' hook on success. 3566 3556 * 3567 * @param string $transient Transient name. Expected to not be SQL-escaped 3557 * @param string $transient Transient name. Expected to not be SQL-escaped. 3568 3558 * @return bool True if successful, false otherwise 3569 3559 */ … … 3575 3565 $result = wp_cache_delete( $transient, 'site-transient' ); 3576 3566 } else { 3577 $option = '_site_transient_' . esc_sql( $transient );3567 $option = '_site_transient_' . $transient; 3578 3568 $result = delete_site_option( $option ); 3579 3569 } … … 3600 3590 * the transient value. 3601 3591 * 3602 * @param string $transient Transient name. Expected to not be SQL-escaped 3592 * @param string $transient Transient name. Expected to not be SQL-escaped. 3603 3593 * @return mixed Value of transient 3604 3594 */ … … 3615 3605 // Core transients that do not have a timeout. Listed here so querying timeouts can be avoided. 
3616 3606 $no_timeout = array('update_core', 'update_plugins', 'update_themes'); 3617 $transient_option = '_site_transient_' . esc_sql( $transient );3607 $transient_option = '_site_transient_' . $transient; 3618 3608 if ( ! in_array( $transient, $no_timeout ) ) { 3619 $transient_timeout = '_site_transient_timeout_' . esc_sql( $transient );3609 $transient_timeout = '_site_transient_timeout_' . $transient; 3620 3610 $timeout = get_site_option( $transient_timeout ); 3621 3611 if ( false !== $timeout && $timeout < time() ) { … … 3647 3637 * @uses do_action() Calls 'set_site_transient_$transient' and 'setted_site_transient' hooks on success. 3648 3638 * 3649 * @param string $transient Transient name. Expected to not be SQL-escaped 3650 * @param mixed $value Transient value. 3639 * @param string $transient Transient name. Expected to not be SQL-escaped. 3640 * @param mixed $value Transient value. Expected to not be SQL-escaped. 3651 3641 * @param int $expiration Time until expiration in seconds, default 0 3652 3642 * @return bool False if value was not set and true if value was set. … … 3662 3652 $transient_timeout = '_site_transient_timeout_' . $transient; 3663 3653 $transient = '_site_transient_' . $transient; 3664 $safe_transient = esc_sql( $transient ); 3665 if ( false === get_site_option( $safe_transient ) ) { 3654 if ( false === get_site_option( $transient ) ) { 3666 3655 if ( $expiration ) 3667 3656 add_site_option( $transient_timeout, time() + $expiration ); -
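Review bot: In update_option's cache refresh the array written back is `$_alloptions`, but the hunk only ever assigns `$alloptions` (`$alloptions = wp_load_alloptions();` then `$alloptions[$option] = $_newvalue;`), so unless `$_alloptions` is defined in the elided lines before this block, `wp_cache_set( 'alloptions', $_alloptions, 'options' );` stores an undefined value and the updated option never reaches the alloptions cache; the line should read `wp_cache_set( 'alloptions', $alloptions, 'options' );`. `$_newvalue` is not assigned anywhere visible either, presumably in the elided lines, which is worth confirming. Separately, maybe_serialize now returns an already-serialized string unchanged (the `is_serialized( $data )` branch is gone) and turns `null` into `serialize(null)` since `!is_scalar(null)` is true; a string value that happens to look like a serialized blob will be stored verbatim and, if the read path unserializes it, come back as a different type or object, so consider keeping the `is_serialized` case or documenting that callers must never pass pre-serialized strings. update_option and maybe_serialize both start and end outside the shown hunks.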
trunk/wp-includes/theme.php
r13668 r13673 1201 1201 $theme = get_current_theme(); 1202 1202 1203 $mods = get_option( esc_sql( "mods_$theme" ));1203 $mods = get_option( "mods_$theme" ); 1204 1204 1205 1205 if ( isset($mods[$name]) )