Changeset 24713


Timestamp:
07/16/13 14:19:03 (20 months ago)
Author:
nacin
Message:

Use wp_slash() in places where we improperly used the DB API instead. see #21767.

Location:
trunk
Files:
4 edited

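--- a/trunk/wp-admin/includes/ajax-actions.php
+++ b/trunk/wp-admin/includes/ajax-actions.php
@@ -740,7 +740,7 @@
     if ( $user->exists() ) {
         $user_ID = $user->ID;
-        $comment_author       = $wpdb->escape($user->display_name);
-        $comment_author_email = $wpdb->escape($user->user_email);
-        $comment_author_url   = $wpdb->escape($user->user_url);
+        $comment_author       = wp_slash( $user->display_name );
+        $comment_author_email = wp_slash( $user->user_email );
+        $comment_author_url   = wp_slash( $user->user_url );
         $comment_content      = trim($_POST['content']);
         if ( current_user_can( 'unfiltered_html' ) ) {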
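Review bot: The three `wp_slash()` calls at new lines 742–744 have no comment saying why user fields read from the `$user` object are slashed, and a reader can no longer assume these values are SQL-escaped. `wp_slash()` only adds backslashes, presumably so the values follow the same slashed convention as the `$_POST['content']` read on line 745; it is not an injection defence. Query safety therefore depends on whatever consumes these variables further down, which is outside this hunk. I would add `// Slash to match the already-slashed $_POST data; this is not SQL escaping.` above line 742, and the same comment above the identical block in wp-comments-post.php (new lines 60–62).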
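--- a/trunk/wp-admin/includes/post.php
+++ b/trunk/wp-admin/includes/post.php
@@ -647,5 +647,5 @@
             return false;
 
-        $metakey = esc_sql( $metakey );
+        $metakey = wp_slash( $metakey );
 
         return add_post_meta( $post_ID, $metakey, $metavalue );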
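Review bot: Only `$metakey` is slashed at new line 649, while `$metavalue` is passed to `add_post_meta()` on line 651 untouched, and nothing in the hunk explains the difference. If `$metavalue` still carries the request's slashes and `$metakey` was unslashed earlier for the check that ends in `return false;`, the pairing is correct but easy to break; both assignments are outside this hunk, so this needs confirming. A comment such as `// add_post_meta() expects slashed input: $metakey was unslashed above, $metavalue is still slashed.` would guard against a later edit that double-slashes one argument or drops the slash on the other.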
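--- a/trunk/wp-comments-post.php
+++ b/trunk/wp-comments-post.php
@@ -58,7 +58,7 @@
     if ( empty( $user->display_name ) )
         $user->display_name=$user->user_login;
-    $comment_author       = $wpdb->escape($user->display_name);
-    $comment_author_email = $wpdb->escape($user->user_email);
-    $comment_author_url   = $wpdb->escape($user->user_url);
+    $comment_author       = wp_slash( $user->display_name );
+    $comment_author_email = wp_slash( $user->user_email );
+    $comment_author_url   = wp_slash( $user->user_url );
     if ( current_user_can('unfiltered_html') ) {
         if ( wp_create_nonce('unfiltered-html-comment_' . $comment_post_ID) != $_POST['_wp_unfiltered_html_comment'] ) {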
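Review bot: The nonce check on line 64 uses a loose `!=`, so PHP may compare two numeric-looking strings as numbers rather than byte for byte, and it reads `$_POST['_wp_unfiltered_html_comment']` without first checking that the field was submitted. The commit leaves this context line unchanged, but it appears to guard the `unfiltered_html` path for comments, so it is worth tightening. At minimum use `!==` behind an `isset()` guard; preferably use `if ( ! isset( $_POST['_wp_unfiltered_html_comment'] ) || ! wp_verify_nonce( $_POST['_wp_unfiltered_html_comment'], 'unfiltered-html-comment_' . $comment_post_ID ) ) {`, keeping in mind that `wp_verify_nonce()` also accepts a nonce from the previous tick. The body of this `if` lies outside the hunk, so what happens on a mismatch is not visible here.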
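--- a/trunk/wp-includes/comment.php
+++ b/trunk/wp-includes/comment.php
@@ -1493,5 +1493,5 @@
 
     // Escape data pulled from DB.
-    $comment = esc_sql($comment);
+    $comment = wp_slash($comment);
 
     $old_status = $comment['comment_approved'];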
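Review bot: The comment on line 1494 still reads `// Escape data pulled from DB.`, but line 1495 now calls `wp_slash()`, which adds backslashes and does not escape for SQL. Left as is, it invites a reader to treat `$comment` as query-safe. I would reword it to `// Slash data pulled from the DB (expected-slashed convention); this is not SQL escaping.` and write the call as `wp_slash( $comment )` to match the spacing used in the other three files of this changeset. The enclosing function starts and ends outside the hunk, so where the slashed array is later unslashed could not be checked here.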