Changeset 18350


Timestamp:
06/27/2011 08:47:04 PM (7 years ago)
Author:
ryan
Message:

Sanitize sort_column and sort_order in get_pages(). Escape search_term in WP_User_Search. Cast blog_id to int in get_blog_prefix(). Props duck_

Location:
trunk
Files:
3 edited

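--- a/trunk/wp-admin/includes/deprecated.php
+++ b/trunk/wp-admin/includes/deprecated.php
@@ -455,5 +455,5 @@
         _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
 
-        $this->search_term = $search_term;
+        $this->search_term = stripslashes( $search_term );
         $this->raw_page = ( '' == $page ) ? false : (int) $page;
         $this->page = (int) ( '' == $page ) ? 1 : $page;
@@ -486,5 +486,5 @@
             $search_sql = 'AND (';
             foreach ( array('user_login', 'user_nicename', 'user_email', 'user_url', 'display_name') as $col )
-                $searches[] = $col . " LIKE '%$this->search_term%'";
+                $searches[] = $wpdb->prepare( $col . ' LIKE %s', '%' . like_escape($this->search_term) . '%' );
             $search_sql .= implode(' OR ', $searches);
             $search_sql .= ')';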
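Review bot: `$col` is concatenated straight into the prepare() format string at `$wpdb->prepare( $col . ' LIKE %s', ... )`, which is only safe because `$col` is drawn from the fixed array in the foreach on the line above; that invariant deserves a comment so nobody later feeds a request-supplied column into the same expression, e.g. `// $col comes from the hard-coded column list above, never from input; only the search term is passed through prepare().` The first hunk now stores `$this->search_term` as the unslashed raw value, so any other place in the class that interpolates it into SQL presumably needs the same prepare() treatment — worth a check, since the rest of the class is outside this view. Both the method in the first hunk and the query-building method in the second start and end outside the hunk.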
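--- a/trunk/wp-includes/post.php
+++ b/trunk/wp-includes/post.php
@@ -3449,4 +3449,38 @@
     }
 
+    $orderby_array = array();
+    $allowed_keys = array('author', 'post_author', 'date', 'post_date', 'title', 'post_title', 'modified',
+                          'post_modified', 'modified_gmt', 'post_modified_gmt', 'menu_order', 'parent', 'post_parent',
+                          'ID', 'rand', 'comment_count');
+    foreach ( explode( ',', $sort_column ) as $orderby ) {
+        $orderby = trim( $orderby );
+        if ( !in_array( $orderby, $allowed_keys ) )
+            continue;
+
+        switch ( $orderby ) {
+            case 'menu_order':
+                break;
+            case 'ID':
+                $orderby = "$wpdb->posts.ID";
+                break;
+            case 'rand':
+                $orderby = 'RAND()';
+                break;
+            case 'comment_count':
+                $orderby = "$wpdb->posts.comment_count";
+                break;
+            default:
+                if ( 0 === strpos( $orderby, 'post_' ) )
+                    $orderby = "$wpdb->posts." . $orderby;
+                else
+                    $orderby = "$wpdb->posts.post_" . $orderby;
+        }
+
+        $orderby_array[] = $orderby;
+
+    }
+    $sort_column = ! empty( $orderby_array ) ? implode( ',', $orderby_array ) : "$wpdb->posts.post_title";
+
+    $sort_order = strtoupper( $sort_order );
+    if ( '' !== $sort_order && !in_array( $sort_order, array( 'ASC', 'DESC' ) ) )
+        $sort_order = 'ASC';
+
     $query = "SELECT * FROM $wpdb->posts $join WHERE ($where_post_type) $where ";
     $query .= $author_query;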
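Review bot: The allowlist check `if ( !in_array( $orderby, $allowed_keys ) )` relies on loose comparison; `in_array( $orderby, $allowed_keys, true )` makes the exact-string match the allowlist is meant to enforce explicit, and the same applies to the ASC/DESC check near the end of the hunk. A one-line comment above `$allowed_keys` would keep the intent visible to later maintainers, e.g. `// Only these names may reach ORDER BY; anything else in $sort_column is dropped, so the caller's string never touches the SQL.` Note also that an empty `$sort_order` passes the `'' !== $sort_order` guard and stays empty, which looks intentional (presumably leaving the engine's default direction) but merits a comment so it is not "fixed" later. get_pages() starts and ends outside the hunk.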
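--- a/trunk/wp-includes/wp-db.php
+++ b/trunk/wp-includes/wp-db.php
@@ -627,4 +627,5 @@
             if ( null === $blog_id )
                 $blog_id = $this->blogid;
+            $blog_id = (int) $blog_id;
             if ( defined( 'MULTISITE' ) && ( 0 == $blog_id || 1 == $blog_id ) )
                 return $this->base_prefix;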
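Review bot: With `$blog_id = (int) $blog_id;` in place, the comparisons on the following line can be strict, `( 0 === $blog_id || 1 === $blog_id )`, which documents that the cast is what makes them safe rather than leaving loose `==` against an already-typed value. A short comment on the cast line, e.g. `// Cast before the prefix is assembled so only digits can ever reach the table-name string.`, would record why it was added; I am assuming the prefix is built from `$blog_id` further down, as the commit message suggests. get_blog_prefix() continues outside the hunk.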