Make WordPress Core


Timestamp:
06/27/2011 08:47:04 PM (14 years ago)
Author:
ryan
Message:

Sanitize sort_column and sort_order in get_pages(). Escape search_term in WP_User_Search. Cast blog_id to int in get_blog_prefix(). Props duck_

File:
1 edited

  • trunk/wp-admin/includes/deprecated.php

    r17743 r18350  
    455455        _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
    456456
    457         $this->search_term = $search_term;
     457        $this->search_term = stripslashes( $search_term );
    458458        $this->raw_page = ( '' == $page ) ? false : (int) $page;
    459459        $this->page = (int) ( '' == $page ) ? 1 : $page;
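Review bot: after line 457 the stored $this->search_term is the unslashed user input, so every later consumer of the property must escape for its own context: the query in this same file now goes through $wpdb->prepare(), but any place that echoes the term back into HTML (for example a search box that re-displays it) needs esc_attr() at output, since this change removes the slashes that magic-quotes style input handling added. Also worth a follow-up on the unchanged line 459: `$this->page = (int) ( '' == $page ) ? 1 : $page;` casts the comparison result rather than $page because the cast binds tighter than the ternary, so the non-default branch returns $page uncast; `$this->page = ( '' == $page ) ? 1 : (int) $page;` is what line 458 suggests was intended.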
     
    486486            $search_sql = 'AND (';
    487487            foreach ( array('user_login', 'user_nicename', 'user_email', 'user_url', 'display_name') as $col )
    488                 $searches[] = $col . " LIKE '%$this->search_term%'";
     488                $searches[] = $wpdb->prepare( $col . ' LIKE %s', '%' . like_escape($this->search_term) . '%' );
    489489            $search_sql .= implode(' OR ', $searches);
    490490            $search_sql .= ')';
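Review bot: line 488 builds the prepare() format string by concatenating $col, which is only safe because $col comes from the hard-coded array on line 487; please keep that whitelist literal and never sourced from request data, since prepare() does not quote anything outside its placeholders. The combination is otherwise correct: like_escape() is needed in addition to prepare() because the %s placeholder escapes quotes and backslashes but not the LIKE wildcards % and _, so without it a search term of `%` would match every user; note that this also depends on line 457 storing the unslashed term, otherwise prepare() would escape the stray slashes a second time.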