
Changeset 24716


Timestamp:
07/16/2013 02:38:54 PM (5 years ago)
Author:
nacin
Message:

Use wp_slash() instead of the DB layer in XML-RPC. see #21767.

File:
1 edited

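--- a/trunk/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/wp-includes/class-wp-xmlrpc-server.php
@@ -212,26 +212,18 @@
 
     /**
-     * Sanitize string or array of strings for database.
+     * Escape string or array of strings for database.
      *
      * @since 1.5.2
      *
-     * @param string|array $array Sanitize single string or array of strings.
-     * @return string|array Type matches $array and sanitized for the database.
-     */
-    function escape(&$array) {
-        global $wpdb;
-
-        if (!is_array($array)) {
-            return($wpdb->escape($array));
-        } else {
-            foreach ( (array) $array as $k => $v ) {
-                if ( is_array($v) ) {
-                    $this->escape($array[$k]);
-                } else if ( is_object($v) ) {
-                    //skip
-                } else {
-                    $array[$k] = $wpdb->escape($v);
-                }
-            }
+     * @param string|array $data Escape single string or array of strings.
+     * @return string|array Type matches $data and sanitized for the database.
+     */
+    function escape( &$data ) {
+        if ( ! is_array( $data ) )
+            return wp_slash( $data );
+
+        foreach ( $data as &$v ) {
+            if ( ! is_object( $v ) )
+                $v = wp_slash( $v );
         }
     }
@@ -2986,7 +2978,7 @@
 
         if ( $logged_in ) {
-            $comment['comment_author'] = $wpdb->escape( $user->display_name );
-            $comment['comment_author_email'] = $wpdb->escape( $user->user_email );
-            $comment['comment_author_url'] = $wpdb->escape( $user->user_url );
+            $comment['comment_author'] = $this->escape( $user->display_name );
+            $comment['comment_author_email'] = $this->escape( $user->user_email );
+            $comment['comment_author_url'] = $this->escape( $user->user_url );
             $comment['user_ID'] = $user->ID;
         } else {
@@ -4924,6 +4916,6 @@
 
         $blog_ID     = (int) $args[0];
-        $username  = $wpdb->escape($args[1]);
-        $password   = $wpdb->escape($args[2]);
+        $username  = $this->escape($args[1]);
+        $password   = $this->escape($args[2]);
         $data        = $args[3];
 
@@ -5452,5 +5444,5 @@
 
         $context = '[…] ' . esc_html( $excerpt ) . ' […]';
-        $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
+        $pagelinkedfrom = $this->escape( $pagelinkedfrom );
 
         $comment_post_ID = (int) $post_ID;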
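Review bot: The docblock kept on the new `escape()` still says the result is "sanitized for the database", but the body now calls only `wp_slash()`, which to my knowledge adds backslashes rather than applying the connection's escaping, so a reader may wrongly treat the return value as safe to concatenate into SQL. I would change the summary to `Add slashes to a string or array of strings for APIs that expect slashed input; queries must still go through $wpdb->prepare().` and the `@return` line to state that a string is returned slashed while an array is modified in place and nothing is returned, since the array branch has no `return`. Separately, the removed loop recursed through `$this->escape()` and skipped objects at every depth, whereas the new `foreach` skips only top-level objects and passes nested arrays to `wp_slash()`; how that handles an object inside a nested array is not visible here, so a test with a nested XML-RPC struct would be worth adding.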