Changeset 24714 for trunk/wp-includes/meta.php

Timestamp:

07/16/2013 02:21:05 PM (5 years ago)

Author:

nacin

Message:

Use sanitize_key() instead of esc_sql() when 'escaping' variable DB field names. see #21767.

File:

• trunk/wp-includes/meta.php (modified) (7 diffs)

trunk/wp-includes/meta.php

@@ -41 +41 @@
     global $wpdb;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
 
     // expected_slashed ($meta_key)
@@ -111 +111 @@
     global $wpdb;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -194 +194 @@
     global $wpdb;
 
-    $type_column = esc_sql($meta_type . '_id');
+    $type_column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
     // expected_slashed ($meta_key)
@@ -398 +398 @@
         return false;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -479 +479 @@
 
     // object and id columns
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -529 +529 @@
         return false;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
 
     global $wpdb;
@@ -707 +707 @@
             return false;
 
-        $meta_id_column = esc_sql( $type . '_id' );
+        $meta_id_column = sanitize_key( $type . '_id' );
 
         $join = array();