
Changeset 2699


Timestamp:
07/05/2005 08:47:22 PM (13 years ago)
Author:
ryan
Message:

Use wpdb->escape instead of addslashes to prepare DB bound data.

Location:
trunk
Files:
19 edited

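--- a/trunk/wp-admin/admin-functions.php
+++ b/trunk/wp-admin/admin-functions.php
@@ -449,5 +449,5 @@
 				$pad = str_repeat('— ', $level);
 				if ( $user_level > 3 )
-					$edit = "<a href='categories.php?action=edit&amp;cat_ID=$category->cat_ID' class='edit'>" . __('Edit') . "</a></td><td><a href='categories.php?action=delete&amp;cat_ID=$category->cat_ID' onclick=\"return confirm('".  sprintf(__("You are about to delete the category \'%s\'.  All of its posts will go to the default category.\\n  \'OK\' to delete, \'Cancel\' to stop."), addslashes($category->cat_name)) . "')\" class='delete'>" .  __('Delete') . "</a>";
+					$edit = "<a href='categories.php?action=edit&amp;cat_ID=$category->cat_ID' class='edit'>" . __('Edit') . "</a></td><td><a href='categories.php?action=delete&amp;cat_ID=$category->cat_ID' onclick=\"return confirm('".  sprintf(__("You are about to delete the category \'%s\'.  All of its posts will go to the default category.\\n  \'OK\' to delete, \'Cancel\' to stop."), $wpdb->escape($category->cat_name)) . "')\" class='delete'>" .  __('Delete') . "</a>";
 				else
 					$edit = '';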
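Review bot: `$wpdb->escape()` on the new line 451 is the wrong escaper for this context — the category name is not DB-bound here, it is interpolated into a JavaScript string literal inside a double-quoted `onclick` attribute. A SQL escaper turns `"` into `\"`, which HTML does not unescape, so a `cat_name` containing `"` still terminates the attribute and injects markup, and `<`/`>` pass through untouched. This was equally true of `addslashes()`, so it is pre-existing, but the commit message's "DB bound data" rationale does not cover this line. Escape for the JS string (backslash `'` and `\`) and then for the attribute with `wp_specialchars()` before interpolating, rather than calling `$wpdb->escape()`. The enclosing function starts before the hunk, so whether `$wpdb` is declared `global` there is not visible.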
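--- a/trunk/wp-admin/edit-page-form.php
+++ b/trunk/wp-admin/edit-page-form.php
@@ -133,5 +133,5 @@
 		<th scope="row"><?php _e('Delete'); ?>:</th>
 		<td><?php if ('edit' == $action) : ?>
-		<input name="deletepost" class="delete" type="submit" id="deletepost" tabindex="10" value="<?php _e('Delete this page') ?>" <?php echo "onclick=\"return confirm('" . sprintf(__("You are about to delete this page \'%s\'\\n  \'Cancel\' to stop, \'OK\' to delete."), addslashes($post->post_title) ) . "')\""; ?> />
+		<input name="deletepost" class="delete" type="submit" id="deletepost" tabindex="10" value="<?php _e('Delete this page') ?>" <?php echo "onclick=\"return confirm('" . sprintf(__("You are about to delete this page \'%s\'\\n  \'Cancel\' to stop, \'OK\' to delete."), $wpdb->escape($post->post_title) ) . "')\""; ?> />
 <?php endif; ?></td>
 	</tr>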
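Review bot: the new line 135 escapes `$post->post_title` with `$wpdb->escape()`, but the value never reaches the database on this line — it lands inside a JavaScript string in the double-quoted `onclick` attribute. A SQL escaper happens to neutralise `'` and `\` for JS, but it rewrites `"` as `\"`, which an HTML attribute does not honour, so a title containing `"` closes the attribute; `<` and `>` are not touched at all. Pre-existing with `addslashes()`, but swapping in the DB escaper cements the wrong tool for the job. Build the attribute as JS-escaped text passed through `wp_specialchars()` (already used elsewhere in this changeset), e.g. `wp_specialchars(addslashes($post->post_title))` in place of the `$wpdb->escape()` call.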
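--- a/trunk/wp-admin/import-blogger.php
+++ b/trunk/wp-admin/import-blogger.php
@@ -63,14 +63,14 @@
 			$post_title = $postinfo[4];
 
-			$post_author = trim(addslashes($postinfo[1]));
+			$post_author = trim($wpdb->escape($postinfo[1]));
 			// we'll check the author is registered already
 			$user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_login = '$post_author'");
 			if (!$user) { // seems s/he's not, so let's register
 				$user_joindate = '1979-06-06 00:41:00'; // that's my birthdate (gmt+1) - I could choose any other date. You could change the date too. Just remember the year must be >=1970 or the world would just randomly fall on your head (everything might look fine, and then blam! major headache!)
-				$user_login = addslashes($post_author);
-				$pass1 = addslashes('password');
-				$user_email = addslashes('user@wordpress.org');
-				$user_url = addslashes('');
-				$user_joindate = addslashes($user_joindate);
+				$user_login = $wpdb->escape($post_author);
+				$pass1 = $wpdb->escape('password');
+				$user_email = $wpdb->escape('user@wordpress.org');
+				$user_url = $wpdb->escape('');
+				$user_joindate = $wpdb->escape($user_joindate);
 				$result = $wpdb->query("
 				INSERT INTO $wpdb->users (
@@ -112,8 +112,8 @@
 			$post_date = "$postyear-$postmonth-$postday $posthour:$postminute:$postsecond";
 
-			$post_content = addslashes($post_content);
+			$post_content = $wpdb->escape($post_content);
 			$post_content = str_replace('<br>', '<br />', $post_content); // the XHTML touch... ;)
 			
-			$post_title = addslashes($post_title);
+			$post_title = $wpdb->escape($post_title);
 			
 			// Quick-n-dirty check for dups: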
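Review bot: `$post_author` is escaped twice before it reaches the `INSERT`: line 65 escapes it, and line 70 escapes the already-escaped value again into `$user_login`, so an author name containing `'` or `\` is stored with literal backslashes — and the lookup on line 67 used the once-escaped form, so the two will not even agree on the next import. Keep the value raw and escape once at each SQL use: `$post_author = trim($postinfo[1]);` on line 65, `user_login = '" . $wpdb->escape($post_author) . "'` in the line 67 query, and line 70 unchanged. Separately, line 71 registers every unknown author with the fixed, publicly known password `password`; whether that is hashed before the `INSERT` starting on line 75 is outside the hunk, but accounts created from an imported file would be safer with a random value and a forced reset.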
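--- a/trunk/wp-admin/import-greymatter.php
+++ b/trunk/wp-admin/import-greymatter.php
@@ -91,10 +91,10 @@
 		$user_joindate=substr($s,6,4)."-".substr($s,0,2)."-".substr($s,3,2)." 00:00:00";
 
-		$user_login=addslashes($userdata[0]);
-		$pass1=addslashes($userdata[1]);
-		$user_nickname=addslashes($userdata[0]);
-		$user_email=addslashes($userdata[2]);
-		$user_url=addslashes($userdata[3]);
-		$user_joindate=addslashes($user_joindate);
+		$user_login=$wpdb->escape($userdata[0]);
+		$pass1=$wpdb->escape($userdata[1]);
+		$user_nickname=$wpdb->escape($userdata[0]);
+		$user_email=$wpdb->escape($userdata[2]);
+		$user_url=$wpdb->escape($userdata[3]);
+		$user_joindate=$wpdb->escape($user_joindate);
 
 		$loginthere = $wpdb->get_var("SELECT user_login FROM $wpdb->users WHERE user_login = '$user_login'");
@@ -148,5 +148,5 @@
 			$postmorecontent=gm2autobr($entry[3]);
 
-			$post_author=trim(addslashes($postinfo[1]));
+			$post_author=trim($wpdb->escape($postinfo[1]));
 			// we'll check the author is registered, or if it's a deleted author
 			$sql = "SELECT * FROM $wpdb->users WHERE user_login = '$post_author'";
@@ -154,10 +154,10 @@
 			if (! $result) { // if deleted from GM, we register the author as a level 0 user in wp
 				$user_joindate="1979-06-06 00:41:00";
-				$user_login=addslashes($post_author);
-				$pass1=addslashes("password");
-				$user_nickname=addslashes($post_author);
-				$user_email=addslashes("user@deleted.com");
-				$user_url=addslashes("");
-				$user_joindate=addslashes($user_joindate);
+				$user_login=$wpdb->escape($post_author);
+				$pass1=$wpdb->escape("password");
+				$user_nickname=$wpdb->escape($post_author);
+				$user_email=$wpdb->escape("user@deleted.com");
+				$user_url=$wpdb->escape("");
+				$user_joindate=$wpdb->escape($user_joindate);
 				$query = "INSERT INTO $wpdb->users (user_login,user_pass,user_email,user_url,user_registered,user_level) VALUES ('$user_login','$pass1','$user_email','$user_url','$user_joindate','0')";
 				$result = $wpdb->query($query);
@@ -172,5 +172,5 @@
 
 			$post_title=gm2autobr($postinfo[2]);
-			$post_title=addslashes($post_title);
+			$post_title=$wpdb->escape($post_title);
 
 			$postyear=$postinfo[6];
@@ -189,5 +189,5 @@
 			if (strlen($postmorecontent)>3)
 				$post_content .= "<!--more--><br /><br />".$postmorecontent;
-			$post_content=addslashes($post_content);
+			$post_content=$wpdb->escape($post_content);
 
 			$post_karma=$postinfo[12];
@@ -223,8 +223,8 @@
 					$commentinfo=explode("|",$entry[$j]);
 					$comment_post_ID=$post_ID;
-					$comment_author=addslashes($commentinfo[0]);
-					$comment_author_email=addslashes($commentinfo[2]);
-					$comment_author_url=addslashes($commentinfo[3]);
-					$comment_author_IP=addslashes($commentinfo[1]);
+					$comment_author=$wpdb->escape($commentinfo[0]);
+					$comment_author_email=$wpdb->escape($commentinfo[2]);
+					$comment_author_url=$wpdb->escape($commentinfo[3]);
+					$comment_author_IP=$wpdb->escape($commentinfo[1]);
 
 					$commentyear=$commentinfo[7];
@@ -238,5 +238,5 @@
 					$comment_date="$commentyear-$commentmonth-$commentday $commenthour:$commentminute:$commentsecond";
 
-					$comment_content=addslashes($commentinfo[12]);
+					$comment_content=$wpdb->escape($commentinfo[12]);
 
 					$sql3 = "INSERT INTO $wpdb->comments (comment_post_ID,comment_author,comment_author_email,comment_author_url,comment_author_IP,comment_date,comment_content) VALUES ('$comment_post_ID','$comment_author','$comment_author_email','$comment_author_url','$comment_author_IP','$comment_date','$comment_content')";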
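Review bot: the same double escaping as in the Blogger importer appears here: line 150 escapes `$post_author`, then lines 156 and 158 escape it again before the `INSERT` on line 162, so names containing `'` or `\` are stored with stray backslashes while the lookup on line 152 matched the once-escaped form. Escape only at the SQL use: `$post_author=trim($postinfo[1]);` on line 150, `user_login = '" . $wpdb->escape($post_author) . "'` inside the line 152 query, and lines 156/158 left as they are. Lines 94 and 157 also write `$pass1` straight into `user_pass` — the raw Greymatter field for existing authors and the fixed string `password` for deleted ones — and nothing in the hunk hashes it; if `user_pass` is expected to hold a hash, these accounts are created with a known or plaintext credential, which is worth confirming against the column's convention before merging.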
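--- a/trunk/wp-admin/import-livejournal.php
+++ b/trunk/wp-admin/import-livejournal.php
@@ -83,5 +83,5 @@
 
 preg_match('|<subject>(.*?)</subject>|is', $post, $title);
-$title = addslashes( trim($title[1]) );
+$title = $wpdb->escape( trim($title[1]) );
 $post_name = sanitize_title($title);
 
@@ -93,5 +93,5 @@
 
 preg_match('|<event>(.*?)</event>|is', $post, $content);
-$content = str_replace( array('<![CDATA[', ']]>'), '', addslashes( trim($content[1]) ) );
+$content = str_replace( array('<![CDATA[', ']]>'), '', $wpdb->escape( trim($content[1]) ) );
 
 // Now lets put it in the DB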
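Review bot: line 85 escapes the title before line 86 derives the slug from it, so `$post_name = sanitize_title($title)` runs on the SQL-escaped string — backslashes inserted by `$wpdb->escape()` for `'`, `"` or `\` feed into slug generation, and the slug is then interpolated into its own query (outside the hunk) without being escaped itself. Sanitize from the raw value and escape each output separately: `$raw_title = trim($title[1]); $title = $wpdb->escape( $raw_title ); $post_name = $wpdb->escape( sanitize_title($raw_title) );`. Line 95 strips the CDATA markers after escaping, which is harmless since neither `<![CDATA[` nor `]]>` contains an escapable character. Both `preg_match` results are indexed without checking a match occurred, so an entry with no `<subject>` reads an undefined offset — pre-existing, but worth a guard while this file is being touched.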
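--- a/trunk/wp-admin/import-mt.php
+++ b/trunk/wp-admin/import-mt.php
@@ -207,5 +207,5 @@
 	// We want the excerpt
 	preg_match("|-----\nEXCERPT:(.*)|s", $post, $excerpt);
-	$excerpt = addslashes(trim($excerpt[1]));
+	$excerpt = $wpdb->escape(trim($excerpt[1]));
 	$post = preg_replace("|(-----\nEXCERPT:.*)|s", '', $post);
 	
@@ -219,5 +219,5 @@
 	preg_match("|-----\nBODY:(.*)|s", $post, $body);
 	$body = trim($body[1]);
-	$post_content = addslashes($body . $extended);
+	$post_content = $wpdb->escape($body . $extended);
 	$post = preg_replace("|(-----\nBODY:.*)|s", '', $post);
 	
@@ -236,5 +236,5 @@
 				break;
 			case 'TITLE':
-				$post_title = addslashes($value);
+				$post_title = $wpdb->escape($value);
 				echo '<i>'.stripslashes($post_title).'</i>... ';
 				$post_name = sanitize_title($post_title);
@@ -265,8 +265,8 @@
 				break;
 			case 'PRIMARY CATEGORY':
-				$post_categories[] = addslashes($value);
+				$post_categories[] = $wpdb->escape($value);
 				break;
 			case 'CATEGORY':	
-				$post_categories[] = addslashes($value);
+				$post_categories[] = $wpdb->escape($value);
 				break;
 			case 'DATE':
@@ -324,9 +324,9 @@
 			// Author
 			preg_match("|AUTHOR:(.*)|", $comment, $comment_author);
-			$comment_author = addslashes(trim($comment_author[1]));
+			$comment_author = $wpdb->escape(trim($comment_author[1]));
 			$comment = preg_replace('|(\n?AUTHOR:.*)|', '', $comment);
 
 			preg_match("|EMAIL:(.*)|", $comment, $comment_email);
-			$comment_email = addslashes(trim($comment_email[1]));
+			$comment_email = $wpdb->escape(trim($comment_email[1]));
 			$comment = preg_replace('|(\n?EMAIL:.*)|', '', $comment);
 
@@ -336,5 +336,5 @@
 
 			preg_match("|URL:(.*)|", $comment, $comment_url);
-			$comment_url = addslashes(trim($comment_url[1]));
+			$comment_url = $wpdb->escape(trim($comment_url[1]));
 			$comment = preg_replace('|(\n?URL:.*)|', '', $comment);
 
@@ -344,5 +344,5 @@
 			$comment = preg_replace('|(\n?DATE:.*)|', '', $comment);
 
-			$comment_content = addslashes(trim($comment));
+			$comment_content = $wpdb->escape(trim($comment));
 			$comment_content = str_replace('-----', '', $comment_content);
 
@@ -365,5 +365,5 @@
 			// 'Author'
 			preg_match("|BLOG NAME:(.*)|", $ping, $comment_author);
-			$comment_author = addslashes(trim($comment_author[1]));
+			$comment_author = $wpdb->escape(trim($comment_author[1]));
 			$ping = preg_replace('|(\n?BLOG NAME:.*)|', '', $ping);
 
@@ -375,5 +375,5 @@
 
 			preg_match("|URL:(.*)|", $ping, $comment_url);
-			$comment_url = addslashes(trim($comment_url[1]));
+			$comment_url = $wpdb->escape(trim($comment_url[1]));
 			$ping = preg_replace('|(\n?URL:.*)|', '', $ping);
 
@@ -384,8 +384,8 @@
 	
 			preg_match("|TITLE:(.*)|", $ping, $ping_title);
-			$ping_title = addslashes(trim($ping_title[1]));
+			$ping_title = $wpdb->escape(trim($ping_title[1]));
 			$ping = preg_replace('|(\n?TITLE:.*)|', '', $ping);
 
-			$comment_content = addslashes(trim($ping));
+			$comment_content = $wpdb->escape(trim($ping));
 			$comment_content = str_replace('-----', '', $comment_content);
 			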
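Review bot: line 238 SQL-escapes the title, line 239 immediately undoes that with `stripslashes()` for display, and line 240 then derives the slug from the still-escaped value — so the escaped string is the wrong source for both of its neighbours. Line 239 also echoes the imported title into the importer page with no `wp_specialchars()`, so a crafted MT export can inject markup into the admin screen. Use the raw `$value` for everything except the query: `$post_title = $wpdb->escape($value); echo '<i>'.wp_specialchars($value).'</i>... '; $post_name = sanitize_title($value);`. The `stripslashes()` round-trip is the general cost of escaping this early: every later non-SQL use has to reverse it, and the category, comment and ping fields in the remaining hunks carry the same property. The `switch` and the comment/ping loops all begin and end outside the hunks shown.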
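--- a/trunk/wp-admin/import-rss.php
+++ b/trunk/wp-admin/import-rss.php
@@ -88,5 +88,5 @@
 
 preg_match('|<title>(.*?)</title>|is', $post, $title);
-$title = addslashes( trim($title[1]) );
+$title = $wpdb->escape( trim($title[1]) );
 $post_name = sanitize_title($title);
 
@@ -113,9 +113,9 @@
 
 preg_match('|<guid.+?>(.*?)</guid>|is', $post, $guid);
-if ($guid) $guid = addslashes( trim($guid[1]) );
+if ($guid) $guid = $wpdb->escape( trim($guid[1]) );
 else $guid = '';
 
 preg_match('|<content:encoded>(.*?)</content:encoded>|is', $post, $content);
-$content = str_replace( array('<![CDATA[', ']]>'), '', addslashes( trim($content[1]) ) );
+$content = str_replace( array('<![CDATA[', ']]>'), '', $wpdb->escape( trim($content[1]) ) );
 
 if (!$content) : // This is for feeds that put content in description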
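Review bot: as in the other importers, line 90 escapes the title and line 91 then calls `sanitize_title()` on the escaped string, so the slug is built from backslashed text whenever a feed title contains `'`, `"` or `\`. Sanitize the raw value: `$raw = trim($title[1]); $title = $wpdb->escape( $raw ); $post_name = sanitize_title($raw);`. Escaping the `<guid>` on line 115 is the right call — it is feed-controlled and presumably lands in the insert below the hunk — and the `else $guid = '';` branch keeps it defined. The CDATA stripping on line 119 is unaffected by escaping, but the `if (!$content)` fallback on line 121 means a feed whose `<content:encoded>` is exactly `0` would be treated as empty; that is pre-existing.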
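--- a/trunk/wp-admin/import-textpattern.php
+++ b/trunk/wp-admin/import-textpattern.php
@@ -99,6 +99,6 @@
 	$posted = date('Y-m-d H:i:s', $timestamp);
 	
-	$content = addslashes($post['Body_html']);
-	$title = addslashes($post['Title']);
+	$content = $wpdb->escape($post['Body_html']);
+	$title = $wpdb->escape($post['Title']);
 	$post_name = sanitize_title($title);
 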
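Review bot: line 103 derives `$post_name` from the already-escaped `$title`, so a Textpattern title containing `'` or `\` yields a slug computed from backslashed text. Sanitize the raw field instead: `$post_name = sanitize_title($post['Title']);`. Escaping `Body_html` on line 101 covers the SQL context only; the HTML body is stored verbatim and any filtering of it is outside this hunk (or absent), which is acceptable for an admin-driven import but worth a comment such as `// Body_html is stored unfiltered; only SQL-escaped here.` so nobody mistakes the escape for sanitisation.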
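--- a/trunk/wp-admin/install.php
+++ b/trunk/wp-admin/install.php
@@ -144,5 +144,5 @@
 
 // Now drop in some default links
-$wpdb->query("INSERT INTO $wpdb->linkcategories (cat_id, cat_name) VALUES (1, '".addslashes(__('Blogroll'))."')");
+$wpdb->query("INSERT INTO $wpdb->linkcategories (cat_id, cat_name) VALUES (1, '".$wpdb->escape(__('Blogroll'))."')");
 $wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_category, link_rss) VALUES ('http://blog.carthik.net/index.php', 'Carthik', 1, 'http://blog.carthik.net/feed/');");
 $wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_category, link_rss) VALUES ('http://blogs.linux.ie/xeer/', 'Donncha', 1, 'http://blogs.linux.ie/xeer/feed/');");
@@ -155,19 +155,19 @@
 
 // Default category
-$wpdb->query("INSERT INTO $wpdb->categories (cat_ID, cat_name, category_nicename) VALUES ('0', '".addslashes(__('Uncategorized'))."', '".sanitize_title(__('Uncategorized'))."')");
+$wpdb->query("INSERT INTO $wpdb->categories (cat_ID, cat_name, category_nicename) VALUES ('0', '".$wpdb->escape(__('Uncategorized'))."', '".sanitize_title(__('Uncategorized'))."')");
 
 // First post
 $now = date('Y-m-d H:i:s');
 $now_gmt = gmdate('Y-m-d H:i:s');
-$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt) VALUES ('1', '$now', '$now_gmt', '".addslashes(__('Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!'))."', '".addslashes(__('Hello world!'))."', '0', '".addslashes(__('hello-world'))."', '$now', '$now_gmt')");
+$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt) VALUES ('1', '$now', '$now_gmt', '".$wpdb->escape(__('Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!'))."', '".$wpdb->escape(__('Hello world!'))."', '0', '".$wpdb->escape(__('hello-world'))."', '$now', '$now_gmt')");
 
 $wpdb->query( "INSERT INTO $wpdb->post2cat (`rel_id`, `post_id`, `category_id`) VALUES (1, 1, 1)" );
 
 // Default comment
-$wpdb->query("INSERT INTO $wpdb->comments (comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_date, comment_date_gmt, comment_content) VALUES ('1', '".addslashes(__('Mr WordPress'))."', '', 'http://wordpress.org', '$now', '$now_gmt', '".addslashes(__('Hi, this is a comment.<br />To delete a comment, just log in, and view the posts\' comments, there you will have the option to edit or delete them.'))."')");
+$wpdb->query("INSERT INTO $wpdb->comments (comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_date, comment_date_gmt, comment_content) VALUES ('1', '".$wpdb->escape(__('Mr WordPress'))."', '', 'http://wordpress.org', '$now', '$now_gmt', '".$wpdb->escape(__('Hi, this is a comment.<br />To delete a comment, just log in, and view the posts\' comments, there you will have the option to edit or delete them.'))."')");
 
 // First Page
 
-$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt, post_status) VALUES ('1', '$now', '$now_gmt', '".addslashes(__('This is an example of a WordPress page, you could edit this to put information about yourself or your site so readers know where you are coming from. You can create as many pages like this one or sub-pages as you like and manage all of your content inside of WordPress.'))."', '".addslashes(__('About'))."', '0', '".addslashes(__('about'))."', '$now', '$now_gmt', 'static')");
+$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt, post_status) VALUES ('1', '$now', '$now_gmt', '".$wpdb->escape(__('This is an example of a WordPress page, you could edit this to put information about yourself or your site so readers know where you are coming from. You can create as many pages like this one or sub-pages as you like and manage all of your content inside of WordPress.'))."', '".$wpdb->escape(__('About'))."', '0', '".$wpdb->escape(__('about'))."', '$now', '$now_gmt', 'static')");
 
 // Set up admin user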
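Review bot: the translator-supplied slugs take two different paths in this hunk: `post_name` on lines 162 and 171 is wrapped in `$wpdb->escape()`, while `category_nicename` on line 157 interpolates `sanitize_title(__('Uncategorized'))` unescaped. Both are `__()` strings from a language file, so the policy this commit establishes should apply to both; `'".$wpdb->escape(sanitize_title(__('Uncategorized')))."'` is harmless if `sanitize_title()` already strips quotes and protects the query if a future version does not. The `$now`/`$now_gmt` values come from `date()`/`gmdate()` and the link rows on lines 147–148 are literals, so they need nothing.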
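--- a/trunk/wp-admin/link-categories.php
+++ b/trunk/wp-admin/link-categories.php
@@ -61,7 +61,7 @@
           $sort_desc = 'N';
       }
-      $text_before_link = addslashes($_POST['text_before_link']);
-      $text_after_link = addslashes($_POST['text_after_link']);
-      $text_after_all = addslashes($_POST['text_after_all']);
+      $text_before_link = $_POST['text_before_link'];
+      $text_after_link = $_POST['text_after_link'];
+      $text_after_all = $_POST['text_after_all'];
 
       $list_limit = $_POST['list_limit'];
@@ -239,7 +239,7 @@
         $sort_desc = 'N';
     }
-    $text_before_link = addslashes($_POST["text_before_link"]);
-    $text_after_link = addslashes($_POST["text_after_link"]);
-    $text_after_all = addslashes($_POST["text_after_all"]);
+    $text_before_link = $_POST["text_before_link"];
+    $text_after_link = $_POST["text_after_link"];
+    $text_after_all = $_POST["text_after_all"];
 
     $list_limit = $_POST["list_limit"];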
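Review bot: lines 63–65 and 241–243 now take the `$_POST` fields with no escaping at all; this is only safe because wp-settings.php in this same changeset runs every `$_POST` value through `$wpdb->escape()` at request start, and nothing in this file records that dependency. Add a comment such as `// $_POST is already SQL-escaped by wp-settings.php; do not escape again.` so the next reader does not "fix" the apparent injection, and so the coupling is obvious if wp-settings.php ever stops doing it. The flip side is that these values are now pre-escaped text, so echoing them back into the form needs `stripslashes()` first. `$list_limit` on lines 67 and 245 is also raw `$_POST`; if it is interpolated into a `LIMIT` clause (its use is outside the hunk), string escaping does not help and an `(int)` cast is the right protection.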
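--- a/trunk/wp-admin/link-import.php
+++ b/trunk/wp-admin/link-import.php
@@ -108,5 +108,5 @@
 							$titles[$i] = '';
 						$query = "INSERT INTO $wpdb->links (link_url, link_name, link_target, link_category, link_description, link_owner, link_rss)
-								VALUES('{$urls[$i]}', '".addslashes($names[$i])."', '', $cat_id, '".addslashes($descriptions[$i])."', $user_ID, '{$feeds[$i]}')\n";
+								VALUES('{$urls[$i]}', '".$wpdb->escape($names[$i])."', '', $cat_id, '".$wpdb->escape($descriptions[$i])."', $user_ID, '{$feeds[$i]}')\n";
 						$result = $wpdb->query($query);
 						echo sprintf(__("<p>Inserted <strong>%s</strong></p>"), $names[$i]);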
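Review bot: the `INSERT` on line 110 escapes `$names[$i]` and `$descriptions[$i]` but still interpolates `{$urls[$i]}` and `{$feeds[$i]}` raw into the query string, so a `'` inside a URL in the imported OPML file breaks the statement and can inject SQL — the commit fixes half of the row. Escape all four text columns: `VALUES('".$wpdb->escape($urls[$i])."', '".$wpdb->escape($names[$i])."', '', $cat_id, '".$wpdb->escape($descriptions[$i])."', $user_ID, '".$wpdb->escape($feeds[$i])."')`. Line 112 then echoes `$names[$i]` into HTML unescaped; use `wp_specialchars($names[$i])` there. `$cat_id` and `$user_ID` are interpolated as bare numbers and should be `(int)` cast where they are assigned if either originates from the form (outside the hunk).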
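--- a/trunk/wp-admin/update-links.php
+++ b/trunk/wp-admin/update-links.php
@@ -37,6 +37,6 @@
 	
 	foreach ($returns as $return) :
-		$time = addslashes( substr($return, 0, 19) );
-		$uri = addslashes( preg_replace('/(.*?) | (.*?)/', '$2', $return) );
+		$time = $wpdb->escape( substr($return, 0, 19) );
+		$uri = $wpdb->escape( preg_replace('/(.*?) | (.*?)/', '$2', $return) );
 		$wpdb->query("UPDATE $wpdb->links SET link_updated = '$time' WHERE link_url = '$uri'");
 	endforeach;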
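Review bot: escaping `$time` and `$uri` before the `UPDATE` on line 41 is correct — both come from the remote response being iterated — but the `preg_replace('/(.*?) | (.*?)/', '$2', $return)` on line 40 does not parse a literal ` | ` separator: the unescaped `|` is alternation, so `$2` is empty on the first alternative and the replacement simply deletes every space-terminated run, leaving whatever follows the last space. That yields the URL only while the URL itself contains no spaces, which is an accident rather than a parse. Split explicitly, e.g. `list($time, $uri) = explode(' | ', $return, 2);` and escape each (I cannot see the response format here, so confirm against a real payload). `$time` is truncated to 19 characters but never validated as a datetime before being written to `link_updated`.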
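--- a/trunk/wp-admin/upgrade-functions.php
+++ b/trunk/wp-admin/upgrade-functions.php
@@ -222,21 +222,21 @@
 	foreach ( $users as $user ) :
 		if ( !empty( $user->user_firstname ) )
-			update_usermeta( $user->ID, 'first_name', addslashes($user->user_firstname) );
+			update_usermeta( $user->ID, 'first_name', $wpdb->escape($user->user_firstname) );
 		if ( !empty( $user->user_lastname ) )
-			update_usermeta( $user->ID, 'last_name', addslashes($user->user_lastname) );
+			update_usermeta( $user->ID, 'last_name', $wpdb->escape($user->user_lastname) );
 		if ( !empty( $user->user_nickname ) )
-			update_usermeta( $user->ID, 'nickname', addslashes($user->user_nickname) );
+			update_usermeta( $user->ID, 'nickname', $wpdb->escape($user->user_nickname) );
 		if ( !empty( $user->user_level ) )
 			update_usermeta( $user->ID, $table_prefix . 'user_level', $user->user_level );
 		if ( !empty( $user->user_icq ) )
-			update_usermeta( $user->ID, 'icq', addslashes($user->user_icq) );
+			update_usermeta( $user->ID, 'icq', $wpdb->escape($user->user_icq) );
 		if ( !empty( $user->user_aim ) )
-			update_usermeta( $user->ID, 'aim', addslashes($user->user_aim) );
+			update_usermeta( $user->ID, 'aim', $wpdb->escape($user->user_aim) );
 		if ( !empty( $user->user_msn ) )
-			update_usermeta( $user->ID, 'msn', addslashes($user->user_msn) );
+			update_usermeta( $user->ID, 'msn', $wpdb->escape($user->user_msn) );
 		if ( !empty( $user->user_yim ) )
-			update_usermeta( $user->ID, 'yim', addslashes($user->user_icq) );
+			update_usermeta( $user->ID, 'yim', $wpdb->escape($user->user_icq) );
 		if ( !empty( $user->user_description ) )
-			update_usermeta( $user->ID, 'description', addslashes($user->user_description) );
+			update_usermeta( $user->ID, 'description', $wpdb->escape($user->user_description) );
 
 		if ( !isset( $user->user_idmode ) ):
@@ -249,5 +249,5 @@
 			if ($idmode == 'namelf') $id = $user->user_lastname.' '.$user->user_firstname;
 			if (!$idmode) $id = $user->user_nickname;
-			$id = addslashes( $id );
+			$id = $wpdb->escape( $id );
 			$wpdb->query("UPDATE $wpdb->users SET display_name = '$id' WHERE ID = '$user->ID'");
 		endif;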
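Review bot: line 238 stores `$user->user_icq` under the `yim` meta key — the guard on line 237 checks `user_yim`, but the value written is the ICQ number, a copy-paste slip carried over from the removed line; it should read `update_usermeta( $user->ID, 'yim', $wpdb->escape($user->user_yim) );`. Whether `update_usermeta()` expects pre-escaped input is not visible here; if it escapes internally, every value in this hunk is double-escaped and lands in the DB with literal backslashes, so please check that function before relying on this pattern. The `display_name` update on line 252 interpolates `$user->ID` unescaped, which is fine as long as it is the integer primary key from the query that produced `$users` (outside the hunk).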
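--- a/trunk/wp-comments-post.php
+++ b/trunk/wp-comments-post.php
@@ -25,7 +25,7 @@
 get_currentuserinfo();
 if ( $user_ID ) :
-	$comment_author       = addslashes($user_identity);
-	$comment_author_email = addslashes($user_email);
-	$comment_author_url   = addslashes($user_url);
+	$comment_author       = $wpdb->escape($user_identity);
+	$comment_author_email = $wpdb->escape($user_email);
+	$comment_author_url   = $wpdb->escape($user_url);
 else :
 	if ( get_option('comment_registration') )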
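--- a/trunk/wp-includes/comment-functions.php
+++ b/trunk/wp-includes/comment-functions.php
@@ -14,6 +14,6 @@
 		$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date");
 	} else {
-		$author_db = addslashes($comment_author);
-		$email_db  = addslashes($comment_author_email);
+		$author_db = $wpdb->escape($comment_author);
+		$email_db  = $wpdb->escape($comment_author_email);
 		$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND ( comment_approved = '1' OR ( comment_author = '$author_db' AND comment_author_email = '$email_db' AND comment_approved = '0' ) ) ORDER BY comment_date");
 	}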
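Review bot: with `$author_db` and `$email_db` escaped, the query on line 18 is safe from injection, but note what it grants: any request that presents a matching `comment_author` and `comment_author_email` is shown that author's unapproved (`comment_approved = '0'`) comments on the post. Where those two variables come from is outside the hunk — if they are the comment-author cookies, the name/email pair is the only "secret", and anyone who knows a commenter's name and email can read that commenter's pending comments. A comment on line 16 such as `// Unapproved comments are disclosed to whoever presents this author name + email; the pair is not a secret.` records the trade-off, and a per-comment token would close it if that matters. `$post->ID` is interpolated unescaped in both queries, which is fine only while it is the integer from the post row.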
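--- a/trunk/wp-includes/functions-formatting.php
+++ b/trunk/wp-includes/functions-formatting.php
@@ -524,8 +524,11 @@
 
 function addslashes_gpc($gpc) {
-	if (!get_magic_quotes_gpc()) {
-		$gpc = addslashes($gpc);
-	}
-	return $gpc;
+	global $wpdb;
+
+	if (get_magic_quotes_gpc()) {
+		$gpc = stripslashes($gpc);
+	}
+
+	return $wpdb->escape($gpc);
 }
 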
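Review bot: `addslashes_gpc()` and the new request-time escaping in wp-settings.php (same changeset) now disagree when magic quotes are off: wp-settings.php escapes every `$_GET`/`$_POST` value unconditionally, while this function strips only when `get_magic_quotes_gpc()` is true, so a GPC value passed through it is escaped twice with magic quotes off and once with them on. Since GPC data is always slashed by bootstrap after this changeset, strip unconditionally: `$gpc = stripslashes($gpc); return $wpdb->escape($gpc);` with the `if` removed — or document that the argument must be an un-slashed string, in which case the function is misnamed for its callers. A short docblock stating which of the two it is would stop the next caller from guessing; the `global $wpdb` on line 526 also ties a formatting helper to the DB layer, which is fine but worth saying.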
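--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -844,5 +844,5 @@
 			if ( $headers = wp_get_http_headers( $url) ) {
 				$len  = (int) $headers['content-length'];
-				$type = addslashes( $headers['content-type'] );
+				$type = $wpdb->escape( $headers['content-type'] );
 				$allowed_types = array( 'video', 'audio' );
 				if( in_array( substr( $type, 0, strpos( $type, "/" ) ), $allowed_types ) ) {
@@ -1883,9 +1883,11 @@
 
 function add_magic_quotes($array) {
+	global $wpdb;
+
 	foreach ($array as $k => $v) {
 		if (is_array($v)) {
 			$array[$k] = add_magic_quotes($v);
 		} else {
-			$array[$k] = addslashes($v);
+			$array[$k] = $wpdb->escape($v);
 		}
 	}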
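Review bot: `add_magic_quotes()` is now a recursive SQL escaper, and wp-settings.php (same changeset) calls it on `$_GET`, `$_POST`, `$_COOKIE` and `$_SERVER` before any query runs, so it requires `$wpdb` to already be constructed at that point in bootstrap — `global $wpdb;` on line 1885 only helps if the object exists. A docblock should record that ordering requirement and that the name no longer describes the behaviour, e.g. `// Recursively SQL-escapes every leaf with $wpdb->escape(); requires $wpdb to be set up before it is called (wp-settings.php relies on this).`. Line 846 escapes a remote server's `Content-Type` header before the `in_array(substr(...))` check; the escaping is only needed if `$type` is later written to the DB (the enclosing function starts before the hunk, so I cannot see), and doing it at that write would keep the comparison on the raw value. Nothing in that hunk shows `global $wpdb` for the enclosing function either — please confirm.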
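--- a/trunk/wp-settings.php
+++ b/trunk/wp-settings.php
@@ -137,10 +137,17 @@
 require_once(ABSPATH . WPINC . '/locale.php');
 
-if ( !get_magic_quotes_gpc() ) {
-	$_GET    = add_magic_quotes($_GET   );
-	$_POST   = add_magic_quotes($_POST  );
-	$_COOKIE = add_magic_quotes($_COOKIE);
-	$_SERVER = add_magic_quotes($_SERVER);
+// If already slashed, strip.
+if ( get_magic_quotes_gpc() ) {
+	$_GET    = stripslashes($_GET   );
+	$_POST   = stripslashes($_POST  );
+	$_COOKIE = stripslashes($_COOKIE);
+	$_SERVER = stripslashes($_SERVER);
 }
+
+// Escape with wpdb.
+$_GET    = add_magic_quotes($_GET   );
+$_POST   = add_magic_quotes($_POST  );
+$_COOKIE = add_magic_quotes($_COOKIE);
+$_SERVER = add_magic_quotes($_SERVER);
 
 function shutdown_action_hook() {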
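Review bot: `stripslashes()` takes a string, and lines 141–144 hand it the whole `$_GET`/`$_POST`/`$_COOKIE`/`$_SERVER` arrays; it does not recurse, so on a host with `magic_quotes_gpc` on the nested values are never un-slashed, and because an array is a type error for this function each superglobal is replaced by its failure return rather than a cleaned copy — every request parameter disappears on such hosts. The contrast is visible in this same changeset: `add_magic_quotes()` in functions.php recurses into arrays, the strip side does not. A recursive helper, below, restores the intended single-escape outcome on both magic-quote settings. Escaping `$_SERVER` also rewrites values that are never DB-bound (`REQUEST_URI`, `PATH_INFO`, `HTTP_*`), so code that compares or redirects on them now sees backslashes; consider leaving `$_SERVER` out and escaping at the query instead.
```php
// If already slashed, strip.  stripslashes() only takes a string, so
// recurse into the superglobals the same way add_magic_quotes() does.
function stripslashes_deep($value) {
	return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

if ( get_magic_quotes_gpc() ) {
	$_GET    = stripslashes_deep($_GET   );
	$_POST   = stripslashes_deep($_POST  );
	$_COOKIE = stripslashes_deep($_COOKIE);
	$_SERVER = stripslashes_deep($_SERVER);
}

// … unchanged: add_magic_quotes() calls …
```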
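--- a/trunk/xmlrpc.php
+++ b/trunk/xmlrpc.php
@@ -1250,5 +1250,5 @@
 		$context = '[...] ' . wp_specialchars( $excerpt ) . ' [...]';
 		$original_pagelinkedfrom = $pagelinkedfrom;
-		$pagelinkedfrom = addslashes( $pagelinkedfrom );
+		$pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
 		$original_title = $title;
 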
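Review bot: line 1252 overwrites `$pagelinkedfrom` with its SQL-escaped form while line 1251 keeps `$original_pagelinkedfrom`, which is the right split for a pingback source URL that the remote party controls and that is used both in a query and elsewhere; the escaped copy is only valid inside a quoted SQL literal, so every non-SQL use below this point (the comment text, any HTML, the fetch of the source page) must read `$original_pagelinkedfrom`. The method body continues outside the hunk, and nothing shown declares `global $wpdb`, which this code needs if it sits inside the XML-RPC server class's method as the indentation suggests. A one-line comment on 1252, `// SQL-escaped copy: use $original_pagelinkedfrom for anything that is not a query`, would keep the two from being confused.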