Changeset 24714


Timestamp:
07/16/13 14:21:05 (9 months ago)
Author:
nacin
Message:

Use sanitize_key() instead of esc_sql() when 'escaping' variable DB field names. see #21767.

Location:
trunk/wp-includes
Files:
3 edited

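--- a/trunk/wp-includes/meta.php
+++ b/trunk/wp-includes/meta.php
@@ -41,5 +41,5 @@
     global $wpdb;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
 
     // expected_slashed ($meta_key)
@@ -111,5 +111,5 @@
     global $wpdb;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -194,5 +194,5 @@
     global $wpdb;
 
-    $type_column = esc_sql($meta_type . '_id');
+    $type_column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
     // expected_slashed ($meta_key)
@@ -398,5 +398,5 @@
         return false;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -479,5 +479,5 @@
 
     // object and id columns
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -529,5 +529,5 @@
         return false;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
 
     global $wpdb;
@@ -707,5 +707,5 @@
             return false;
 
-        $meta_id_column = esc_sql( $type . '_id' );
+        $meta_id_column = sanitize_key( $type . '_id' );
 
         $join = array();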
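Review bot: sanitize_key() strips rather than rejects and still admits '-', so `$column` on the changed line (and the same assignment in this file's other six hunks, including `$type_column` at 196 and `$meta_id_column` at 709) is not guaranteed to be a usable bare identifier: a `$meta_type` like `foo-bar` survives as `foo-bar_id`, which an unquoted query reads as an expression, and any other unexpected value turns into a different column name instead of an early `return false`. The `'user' == $meta_type` test on the following line shows these functions already assume `$meta_type` comes from a fixed set, so checking membership in that set (`if ( ! in_array( $meta_type, $supported_meta_types, true ) ) return false;`, with the list of supported types taken from this file) before building `$column` would be stricter than sanitising; the exact set is not visible in the hunks. The enclosing functions all start and end outside these hunks.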
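--- a/trunk/wp-includes/taxonomy.php
+++ b/trunk/wp-includes/taxonomy.php
@@ -792,5 +792,5 @@
             return;
 
-        $resulting_field = sanitize_key( $resulting_field );
+        $resulting_field = sanitize_key( $resulting_field );
 
         switch ( $query['field'] ) {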
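Review bot: `$resulting_field` after the sanitize_key() call on the changed line can still contain '-' or come back as an empty string, because sanitize_key() strips disallowed characters instead of rejecting the value; if the result is later placed unquoted into SQL, a hyphenated or emptied name still yields a mis-parsed or invalid identifier. The `switch ( $query['field'] )` immediately below already branches on a known set of field names, so resolving `$resulting_field` through the same kind of allowlist (returning early on an unknown value, as the `return;` two lines up does for another case) would be a tighter check than sanitising a free-form string; this is hedged, since the lines that consume `$resulting_field` are outside the hunk. The enclosing function starts and ends outside the hunk.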
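--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -394,5 +394,5 @@
             $this->query_fields = array();
             foreach ( $qv['fields'] as $field )
-                $this->query_fields[] = $wpdb->users . '.' . esc_sql( $field );
+                $this->query_fields[] = $wpdb->users . '.' . sanitize_key( $field );
             $this->query_fields = implode( ',', $this->query_fields );
         } elseif ( 'all' == $qv['fields'] ) {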
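Review bot: sanitize_key() can return an empty string, and the changed line inside the foreach appends its result unconditionally, so a field that is stripped to nothing produces a trailing `$wpdb->users . '.'` entry in `$this->query_fields` and a SQL syntax error once the list is imploded on the next line, rather than being dropped. Sanitising into a local first and skipping empties, `$field = sanitize_key( $field ); if ( '' === $field ) continue;` before the append (the braceless foreach then needs braces), avoids that; checking each field against the users table's known columns would be stricter still, and would also catch the '-' that sanitize_key() leaves in place. sanitize_key() also lowercases, which only matters if callers pass mixed-case column names. The enclosing method starts and ends outside the hunk.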