
Changeset 24714


Timestamp:
07/16/2013 02:21:05 PM (11 years ago)
Author:
nacin
Message:

Use sanitize_key() instead of esc_sql() when 'escaping' variable DB field names. See #21767.

Location:
trunk/wp-includes
Files:
3 edited

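--- a/trunk/wp-includes/meta.php
+++ b/trunk/wp-includes/meta.php
@@ -41,5 +41,5 @@
     global $wpdb;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
 
     // expected_slashed ($meta_key)
@@ -111,5 +111,5 @@
     global $wpdb;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -194,5 +194,5 @@
     global $wpdb;
 
-    $type_column = esc_sql($meta_type . '_id');
+    $type_column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
     // expected_slashed ($meta_key)
@@ -398,5 +398,5 @@
         return false;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -479,5 +479,5 @@
 
     // object and id columns
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -529,5 +529,5 @@
         return false;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
 
     global $wpdb;
@@ -707,5 +707,5 @@
             return false;
 
-        $meta_id_column = esc_sql( $type . '_id' );
+        $meta_id_column = sanitize_key( $type . '_id' );
 
         $join = array();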
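Review bot: None of the seven replaced lines say why a "sanitize" function is the right tool next to a SQL query, and the next reader is likely to "fix" it back to esc_sql(); the line at 43 (and its six siblings) would benefit from a comment such as `// $column is a SQL identifier, not a string literal: esc_sql() only escapes quotes, so restrict it to [a-z0-9_-] instead.` Note that sanitize_key() still lets `-` through, and in an unquoted identifier position MySQL reads `a-b` as subtraction, so this is a filter rather than a validation; whether `$meta_type` is already restricted to known types before these lines (the `return false;` at 398 and 529 suggests an earlier check) is not visible in the hunks. sanitize_key() also lowercases, while the `'user' == $meta_type` comparison at 114 is case-sensitive, so a mixed-case type would get a lowercased object column but the default `meta_id` id column; presumably callers only pass lowercase types, but a one-line note on that assumption would help. Each enclosing function starts and ends outside its hunk.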
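--- a/trunk/wp-includes/taxonomy.php
+++ b/trunk/wp-includes/taxonomy.php
@@ -792,5 +792,5 @@
             return;
 
-        $resulting_field = esc_sql( $resulting_field );
+        $resulting_field = sanitize_key( $resulting_field );
 
         switch ( $query['field'] ) {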
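Review bot: sanitize_key() at 794 silently rewrites an unexpected `$resulting_field` (uppercase, dots and spaces are dropped, but `-` survives and is read as subtraction in an unquoted column position) instead of rejecting it, and since this looks like an internal parameter that only ever names a column, an allowlist would state that contract and fail loudly: `if ( ! in_array( $resulting_field, array( 'term_id', 'term_taxonomy_id' ), true ) ) return;`, with the set adjusted to whatever the callers actually pass. If an earlier guard compares `$query['field']` against the raw `$resulting_field` (the `return;` at 792 may be that), it now runs on the unsanitized value and could miss a match that the lowercased value would have made; that check, if present, is outside the hunk. The enclosing method starts and ends outside the hunk.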
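--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -394,5 +394,5 @@
             $this->query_fields = array();
             foreach ( $qv['fields'] as $field )
-                $this->query_fields[] = $wpdb->users . '.' . esc_sql( $field );
+                $this->query_fields[] = $wpdb->users . '.' . sanitize_key( $field );
             $this->query_fields = implode( ',', $this->query_fields );
         } elseif ( 'all' == $qv['fields'] ) {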
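Review bot: sanitize_key() lowercases, so a caller asking for the field `ID` now produces `wp_users.id` at 396; MySQL matches the column case-insensitively, but the column name reported back in the result rows is likely to be `id` rather than `ID`, so code reading `$user->ID` from the returned rows would silently get nothing. Special-casing the primary key keeps the old spelling while still restricting every other field: `$this->query_fields[] = $wpdb->users . '.' . ( 'ID' === $field ? 'ID' : sanitize_key( $field ) );`. An empty or fully-stripped `$field` also yields a bare `wp_users.` and a SQL syntax error; whether `$qv['fields']` is pre-filtered before this loop is not visible here, so a guard that skips empty results would be cheap insurance. The enclosing method continues outside the hunk.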