Timestamp:
07/16/2013 02:21:05 PM (5 years ago)
Author:
nacin
Message:

Use sanitize_key() instead of esc_sql() when 'escaping' variable DB field names. see #21767.

File:
1 edited

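--- a/trunk/wp-includes/meta.php
+++ b/trunk/wp-includes/meta.php
@@ -41,5 +41,5 @@
     global $wpdb;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
 
     // expected_slashed ($meta_key)
@@ -111,5 +111,5 @@
     global $wpdb;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -194,5 +194,5 @@
     global $wpdb;
 
-    $type_column = esc_sql($meta_type . '_id');
+    $type_column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
     // expected_slashed ($meta_key)
@@ -398,5 +398,5 @@
         return false;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -479,5 +479,5 @@
 
     // object and id columns
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
     $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 
@@ -529,5 +529,5 @@
         return false;
 
-    $column = esc_sql($meta_type . '_id');
+    $column = sanitize_key($meta_type . '_id');
 
     global $wpdb;
@@ -707,5 +707,5 @@
             return false;
 
-        $meta_id_column = esc_sql( $type . '_id' );
+        $meta_id_column = sanitize_key( $type . '_id' );
 
         $join = array();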
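Review bot: `sanitize_key()` at new line 43 (and likewise at 113, 196, 400, 481, 531 and 709) is an allow-list, which suits an identifier better than `esc_sql()`'s string-literal escaping, but it still keeps `-` and returns its result through the `sanitize_key` filter, so `$column` is not guaranteed to be a bare SQL identifier. The statements that interpolate `$column` lie outside these hunks, so it cannot be seen here whether the name is backtick-quoted; if it is not, a hyphen in `$meta_type` would be parsed as an operator rather than as part of the column name. A comment at each site would record the contract, for example `// sanitize_key() limits the name to [a-z0-9_-]; $meta_type must still be a known object type, not request input.` Because the same expression now appears seven times, moving it into one small helper that returns the column name would keep that rule in a single place.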