Changeset 16999


Timestamp:
12/16/10 14:22:41 (3 years ago)
Author:
ryan
Message:

Add like_escape() to some queries. fixes #15764

Location:
trunk
Files:
7 edited

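--- a/trunk/wp-admin/admin-ajax.php
+++ b/trunk/wp-admin/admin-ajax.php
@@ -1256,9 +1256,9 @@
     $searchand = $search = '';
     foreach ( (array) $search_terms as $term ) {
-        $term = addslashes_gpc($term);
+        $term = esc_sql( like_escape( $term ) );
         $search .= "{$searchand}(($wpdb->posts.post_title LIKE '%{$term}%') OR ($wpdb->posts.post_content LIKE '%{$term}%'))";
         $searchand = ' AND ';
     }
-    $term = $wpdb->escape($s);
+    $term = esc_sql( like_escape( $s ) );
     if ( count($search_terms) > 1 && $search_terms[0] != $s )
         $search .= " OR ($wpdb->posts.post_title LIKE '%{$term}%') OR ($wpdb->posts.post_content LIKE '%{$term}%')";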
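Review bot: The new lines 1258 and 1262 apply like_escape() and then esc_sql() with nothing on the line recording why both are needed, and the same pattern recurs in comment.php (348) and query.php (2048, 2052). like_escape() escapes the LIKE wildcards % and _ inside the value, and esc_sql() then escapes that result for the quoted string literal it is interpolated into, so a search term goes through both, wildcard escaping first. A one-line comment above the foreach would keep that intent visible to the next editor: `// like_escape() neutralises % and _ wildcards; esc_sql() then escapes the result for the quoted LIKE literal`. The statement is still built by string interpolation rather than $wpdb->prepare(), which is acceptable here only because every interpolated value passes through esc_sql(); the enclosing function starts and ends outside the hunk.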
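--- a/trunk/wp-includes/canonical.php
+++ b/trunk/wp-includes/canonical.php
@@ -386,5 +386,5 @@
         return false;
 
-    $where = $wpdb->prepare("post_name LIKE %s", get_query_var('name') . '%');
+    $where = $wpdb->prepare("post_name LIKE %s", like_escape( get_query_var('name') ) . '%');
 
     // if any of post_type, year, monthnum, or day are set, use them to refine the query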
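--- a/trunk/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/wp-includes/class-wp-xmlrpc-server.php
@@ -3368,5 +3368,5 @@
                 // ...or a string #title, a little more complicated
                 $title = preg_replace('/[^a-z0-9]/i', '.', $urltest['fragment']);
-                $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", $title);
+                $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", like_escape( $title ) );
                 if (! ($post_ID = $wpdb->get_var($sql)) ) {
                     // returning unknown error '0' is better than die()ing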
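Review bot: like_escape() on line 3370 has no effect on this query: RLIKE takes a regular expression rather than a LIKE pattern, % and _ are not regex metacharacters, and the preg_replace on line 3369 has already replaced every non-alphanumeric character (including % and _) with '.'. That '.' is itself a regex wildcard, so the title match is deliberately loose; like_escape() neither tightens nor breaks it. Either drop the call or keep it with a comment stating why it is inert, e.g. `// RLIKE is a regex match; '.' from the preg_replace above is the intended wildcard, like_escape() adds nothing here`. The enclosing method continues outside the hunk.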
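--- a/trunk/wp-includes/comment.php
+++ b/trunk/wp-includes/comment.php
@@ -346,5 +346,5 @@
      */
     function get_search_sql( $string, $cols ) {
-        $string = esc_sql( $string );
+        $string = esc_sql( like_escape( $string ) );
 
         $searches = array();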
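--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -1207,5 +1207,5 @@
     foreach ( $pung as $link_test ) {
         if ( !in_array( $link_test, $post_links_temp[0] ) ) { // link no longer in post
-            $mid = $wpdb->get_col( $wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, $link_test . '%') );
+            $mid = $wpdb->get_col( $wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, like_escape( $link_test ) . '%') );
             do_action( 'delete_postmeta', $mid );
             $wpdb->query( $wpdb->prepare("DELETE FROM $wpdb->postmeta WHERE meta_id IN(%s)", implode( ',', $mid ) ) );
@@ -1227,5 +1227,5 @@
 
     foreach ( (array) $post_links as $url ) {
-        if ( $url != '' && !$wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, $url . '%' ) ) ) {
+        if ( $url != '' && !$wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, like_escape( $url ) . '%' ) ) ) {
 
             if ( $headers = wp_get_http_headers( $url) ) {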
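Review bot: The rewritten line 1229 keeps the loose `$url != ''` test; `$post_links` is cast to an array on line 1228 and its elements are presumably link strings, so the strict form `'' !== $url` states the intent and avoids PHP's loose string/number comparison rules (a value of 0 would pass the current test as empty). Separately, line 1211 of the first hunk (context, not changed here) hands `implode( ',', $mid )` to a `%s` placeholder, which prepare() will quote as a single string, so the `IN(...)` appears to compare against one value rather than a list; that looks like a pre-existing defect worth its own ticket rather than part of this change. The enclosing function starts before the first hunk and ends after the second.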
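--- a/trunk/wp-includes/query.php
+++ b/trunk/wp-includes/query.php
@@ -2046,9 +2046,9 @@
             $searchand = '';
             foreach( (array) $q['search_terms'] as $term ) {
-                $term = addslashes_gpc($term);
+                $term = esc_sql( like_escape( $term ) );
                 $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
                 $searchand = ' AND ';
             }
-            $term = esc_sql($q['s']);
+            $term = esc_sql( like_escape( $q['s'] ) );
             if ( empty($q['sentence']) && count($q['search_terms']) > 1 && $q['search_terms'][0] != $q['s'] )
                 $search .= " OR ($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}')";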
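--- a/trunk/wp-includes/taxonomy.php
+++ b/trunk/wp-includes/taxonomy.php
@@ -1238,5 +1238,5 @@
 
     if ( !empty($name__like) )
-        $where .= " AND t.name LIKE '{$name__like}%'";
+        $where .= " AND t.name LIKE '" . like_escape( $name__like ) . "%'";
 
     if ( '' !== $parent ) {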
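Review bot: Line 1240 wraps $name__like in like_escape() but, unlike every other file in this changeset, no esc_sql() or prepare() is visible around it: the value is concatenated straight into the quoted literal, and like_escape() only escapes % and _, not quotes or backslashes. If $name__like is not already escaped earlier in the function (outside this hunk), a quote in it ends the string literal. Using the same form as canonical.php and functions.php removes the dependence on what happened earlier: `$where .= $wpdb->prepare( " AND t.name LIKE %s", like_escape( $name__like ) . '%' );`, provided any earlier esc_sql() on $name__like is removed at the same time so the value is not escaped twice. The enclosing function starts and ends outside the hunk.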