Make WordPress Core
Timestamp:
07/16/2013 02:21:05 PM (12 years ago)
Author:
nacin
Message:

Use sanitize_key() instead of esc_sql() when 'escaping' variable DB field names. see #21767.

File:
1 edited

  • trunk/wp-includes/user.php

    r24490 r24714  
    394394            $this->query_fields = array();
    395395            foreach ( $qv['fields'] as $field )
    396                 $this->query_fields[] = $wpdb->users . '.' . esc_sql( $field );
     396                $this->query_fields[] = $wpdb->users . '.' . sanitize_key( $field );
    397397            $this->query_fields = implode( ',', $this->query_fields );
    398398        } elseif ( 'all' == $qv['fields'] ) {
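Review bot: sanitize_key() on the new line 396 is a clear improvement over esc_sql() for a bare column name, since esc_sql() only escapes quotes and backslashes for use inside a quoted string literal and does nothing to constrain an unquoted identifier, but the result is still not guaranteed to be a valid column reference: sanitize_key() lowercases and strips everything outside a-z, 0-9, underscore and hyphen, so a field that contains only disallowed characters collapses to an empty string and the concatenation `$wpdb->users . '.' . sanitize_key( $field )` emits a dangling `wp_users.` in the SELECT list, while a hyphen (which sanitize_key() permits) is parsed by MySQL as subtraction in an unquoted identifier. Both outcomes are a query error rather than injection, so the security fix stands, but consider skipping fields that sanitize to an empty string, or, stricter still, validating each entry of $qv['fields'] against a fixed list of users-table column names rather than sanitizing free-form input; the lowercasing itself is harmless because MySQL column names are case-insensitive.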