Make WordPress Core

Changeset 13673


Ignore:
Timestamp:
03/11/2010 09:49:56 PM (15 years ago)
Author:
ryan
Message:

make *_option(), *_transient() functions consistently expect unslashed data. Props Denis-de-Bernardy. see #12416

Location:
trunk/wp-includes
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/formatting.php

    r13468 r13673  
    24422442        case 'siteurl':
    24432443        case 'home':
    2444             $value = stripslashes($value);
    2445             $value = esc_url($value);
     2444            $value = esc_url_raw($value);
    24462445            break;
    24472446        default :
  • trunk/wp-includes/functions.php

    r13631 r13673  
    308308 *  the option value.
    309309 *
    310  * @param string $option Name of option to retrieve. Should already be SQL-escaped
     310 * @param string $option Name of option to retrieve. Expected to not be SQL-escaped.
    311311 * @return mixed Value set for the option.
    312312 */
     
    340340            if ( defined( 'WP_INSTALLING' ) )
    341341                $suppress = $wpdb->suppress_errors();
    342             // expected_slashed ($option)
    343             $row = $wpdb->get_row( "SELECT option_value FROM $wpdb->options WHERE option_name = '$option' LIMIT 1" );
     342            $row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = '%s' LIMIT 1", $option ) );
    344343            if ( defined( 'WP_INSTALLING' ) )
    345344                $wpdb->suppress_errors( $suppress );
     
    483482 * @uses do_action() Calls 'update_option_$option' and 'updated_option' hooks on success.
    484483 *
    485  * @param string $option Option name. Expected to not be SQL-escaped
    486  * @param mixed $newvalue Option value.
     484 * @param string $option Option name. Expected to not be SQL-escaped.
     485 * @param mixed $newvalue Option value. Expected to not be SQL-escaped.
    487486 * @return bool False if value was not updated and true if value was updated.
    488487 */
     
    492491    wp_protect_special_option( $option );
    493492
    494     $safe_option = esc_sql( $option );
    495493    $newvalue = sanitize_option( $option, $newvalue );
    496     $oldvalue = get_option( $safe_option );
     494    $oldvalue = get_option( $option );
    497495    $newvalue = apply_filters( 'pre_update_option_' . $option, $newvalue, $oldvalue );
    498496
     
    517515        $alloptions = wp_load_alloptions();
    518516        if ( isset( $alloptions[$option] ) ) {
    519             $alloptions[$option] = $newvalue;
    520             wp_cache_set( 'alloptions', $alloptions, 'options' );
     517            $alloptions[$option] = $_newvalue;
     518            wp_cache_set( 'alloptions', $_alloptions, 'options' );
    521519        } else {
    522             wp_cache_set( $option, $newvalue, 'options' );
     520            wp_cache_set( $option, $_newvalue, 'options' );
    523521        }
    524522    }
     
    555553 * @uses do_action() Calls 'add_option_$option' and 'added_option' hooks on success.
    556554 *
    557  * @param string $option Name of option to add. Expects to NOT be SQL escaped.
    558  * @param mixed $value Optional. Option value, can be anything.
     555 * @param string $option Name of option to add. Expected to not be SQL-escaped.
     556 * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped.
    559557 * @param mixed $deprecated Optional. Description. Not used anymore.
    560558 * @param bool $autoload Optional. Default is enabled. Whether to load the option when WordPress starts up.
     
    568566
    569567    wp_protect_special_option( $option );
    570     $safe_option = esc_sql( $option );
    571568    $value = sanitize_option( $option, $value );
    572569
     
    574571    $notoptions = wp_cache_get( 'notoptions', 'options' );
    575572    if ( !is_array( $notoptions ) || !isset( $notoptions[$option] ) )
    576         if ( false !== get_option( $safe_option ) )
     573        if ( false !== get_option( $option ) )
    577574            return;
    578575
     
    618615 * @uses do_action() Calls 'deleted_option' and 'delete_option_$option' hooks on success.
    619616 *
    620  * @param string $option Name of option to remove.
     617 * @param string $option Name of option to remove. Expected to not be SQL-escaped.
    621618 * @return bool True, if option is successfully deleted. False on failure.
    622619 */
     
    627624
    628625    // Get the ID, if no ID then return
    629     // expected_slashed ($option)
    630     $row = $wpdb->get_row( "SELECT autoload FROM $wpdb->options WHERE option_name = '$option'" );
     626    $row = $wpdb->get_row( $wpdb->prepare( "SELECT autoload FROM $wpdb->options WHERE option_name = '%s'", $option ) );
    631627    if ( is_null( $row ) )
    632628        return false;
    633629    do_action( 'delete_option', $option );
    634     // expected_slashed ($option)
    635     $result = $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name = '$option'" );
     630    $result = $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->options WHERE option_name = '%s'", $option) );
    636631    if ( ! defined( 'WP_INSTALLING' ) ) {
    637632        if ( 'yes' == $row->autoload ) {
     
    663658 * @uses do_action() Calls 'deleted_transient' hook on success.
    664659 *
    665  * @param string $transient Transient name. Expected to not be SQL-escaped
     660 * @param string $transient Transient name. Expected to not be SQL-escaped.
    666661 * @return bool true if successful, false otherwise
    667662 */
     
    674669        $result = wp_cache_delete( $transient, 'transient' );
    675670    } else {
    676         $option = '_transient_' . esc_sql( $transient );
     671        $option = '_transient_' . $transient;
    677672        $result = delete_option( $option );
    678673    }
     
    712707        $value = wp_cache_get( $transient, 'transient' );
    713708    } else {
    714         $safe_transient   = esc_sql( $transient );
    715         $transient_option = '_transient_' . $safe_transient;
     709        $transient_option = '_transient_' . $transient;
    716710        if ( ! defined( 'WP_INSTALLING' ) ) {
    717711            // If option is not in alloptions, it is not autoloaded and thus has a timeout
    718712            $alloptions = wp_load_alloptions();
    719713            if ( !isset( $alloptions[$transient_option] ) ) {
    720                 $transient_timeout = '_transient_timeout_' . $safe_transient;
     714                $transient_timeout = '_transient_timeout_' . $transient;
    721715                if ( get_option( $transient_timeout ) < time() ) {
    722716                    delete_option( $transient_option  );
     
    747741 * @uses do_action() Calls 'set_transient_$transient' and 'setted_transient' hooks on success.
    748742 *
    749  * @param string $transient Transient name. Expected to not be SQL-escaped
    750  * @param mixed $value Transient value.
     743 * @param string $transient Transient name. Expected to not be SQL-escaped.
     744 * @param mixed $value Transient value. Expected to not be SQL-escaped.
    751745 * @param int $expiration Time until expiration in seconds, default 0
    752746 * @return bool False if value was not set and true if value was set.
     
    762756        $transient_timeout = '_transient_timeout_' . $transient;
    763757        $transient = '_transient_' . $transient;
    764         $safe_transient = esc_sql( $transient );
    765         if ( false === get_option( $safe_transient ) ) {
     758        if ( false === get_option( $transient ) ) {
    766759            $autoload = 'yes';
    767760            if ( $expiration ) {
     
    1001994 */
    1002995function maybe_serialize( $data ) {
    1003     if ( is_array( $data ) || is_object( $data ) )
    1004         return serialize( $data );
    1005 
    1006     if ( is_serialized( $data ) )
     996    if ( !is_scalar( $data ) )
    1007997        return serialize( $data );
    1008998
     
    33853375 *  the option value.
    33863376 *
    3387  * @param string $option Name of option to retrieve. Should already be SQL-escaped
     3377 * @param string $option Name of option to retrieve. Expected to not be SQL-escaped.
    33883378 * @param mixed $default Optional value to return if option doesn't exist. Default false.
    33893379 * @param bool $use_cache Whether to use cache. Multisite only. Default true.
     
    34323422 * @uses do_action() Calls 'add_site_option_$option' and 'add_site_option' hooks on success.
    34333423 *
    3434  * @param string $option Name of option to add. Expects to not be SQL escaped.
    3435  * @param mixed $value Optional. Option value, can be anything.
     3424 * @param string $option Name of option to add. Expected to not be SQL-escaped.
     3425 * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped.
    34363426 * @return bool False if option was not added and true if option was added.
    34373427 */
     
    34763466 *  hooks on success.
    34773467 *
    3478  * @param string $option Name of option to remove. Expected to be SQL-escaped.
     3468 * @param string $option Name of option to remove. Expected to not be SQL-escaped.
    34793469 * @return bool True, if succeed. False, if failure.
    34803470 */
     
    35183508 * @uses do_action() Calls 'update_site_option_$option' and 'update_site_option' hooks on success.
    35193509 *
    3520  * @param string $option Name of option. Expected to not be SQL-escaped
    3521  * @param mixed $value Option value.
     3510 * @param string $option Name of option. Expected to not be SQL-escaped.
     3511 * @param mixed $value Option value. Expected to not be SQL-escaped.
    35223512 * @return bool False if value was not updated and true if value was updated.
    35233513 */
     
    35653555 * @uses do_action() Calls 'deleted_site_transient' hook on success.
    35663556 *
    3567  * @param string $transient Transient name. Expected to not be SQL-escaped
     3557 * @param string $transient Transient name. Expected to not be SQL-escaped.
    35683558 * @return bool True if successful, false otherwise
    35693559 */
     
    35753565        $result = wp_cache_delete( $transient, 'site-transient' );
    35763566    } else {
    3577         $option = '_site_transient_' . esc_sql( $transient );
     3567        $option = '_site_transient_' . $transient;
    35783568        $result = delete_site_option( $option );
    35793569    }
     
    36003590 *  the transient value.
    36013591 *
    3602  * @param string $transient Transient name. Expected to not be SQL-escaped
     3592 * @param string $transient Transient name. Expected to not be SQL-escaped.
    36033593 * @return mixed Value of transient
    36043594 */
     
    36153605        // Core transients that do not have a timeout. Listed here so querying timeouts can be avoided.
    36163606        $no_timeout = array('update_core', 'update_plugins', 'update_themes');
    3617         $transient_option = '_site_transient_' . esc_sql( $transient );
     3607        $transient_option = '_site_transient_' . $transient;
    36183608        if ( ! in_array( $transient, $no_timeout ) ) {
    3619             $transient_timeout = '_site_transient_timeout_' . esc_sql( $transient );
     3609            $transient_timeout = '_site_transient_timeout_' . $transient;
    36203610            $timeout = get_site_option( $transient_timeout );
    36213611            if ( false !== $timeout && $timeout < time() ) {
     
    36473637 * @uses do_action() Calls 'set_site_transient_$transient' and 'setted_site_transient' hooks on success.
    36483638 *
    3649  * @param string $transient Transient name. Expected to not be SQL-escaped
    3650  * @param mixed $value Transient value.
     3639 * @param string $transient Transient name. Expected to not be SQL-escaped.
     3640 * @param mixed $value Transient value. Expected to not be SQL-escaped.
    36513641 * @param int $expiration Time until expiration in seconds, default 0
    36523642 * @return bool False if value was not set and true if value was set.
     
    36623652        $transient_timeout = '_site_transient_timeout_' . $transient;
    36633653        $transient = '_site_transient_' . $transient;
    3664         $safe_transient = esc_sql( $transient );
    3665         if ( false === get_site_option( $safe_transient ) ) {
     3654        if ( false === get_site_option( $transient ) ) {
    36663655            if ( $expiration )
    36673656                add_site_option( $transient_timeout, time() + $expiration );
  • trunk/wp-includes/theme.php

    r13668 r13673  
    12011201    $theme = get_current_theme();
    12021202
    1203     $mods = get_option( esc_sql( "mods_$theme" ) );
     1203    $mods = get_option( "mods_$theme" );
    12041204
    12051205    if ( isset($mods[$name]) )
Note: See TracChangeset for help on using the changeset viewer.