
Changeset 2699


Timestamp:
07/05/05 20:47:22 (9 years ago)
Author:
ryan
Message:

Use wpdb->escape instead of addslashes to prepare DB-bound data.

Location:
trunk
Files:
19 edited

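--- a/trunk/wp-admin/admin-functions.php
+++ b/trunk/wp-admin/admin-functions.php
@@ -449,5 +449,5 @@
                 $pad = str_repeat('— ', $level);
                 if ( $user_level > 3 )
-                    $edit = "<a href='categories.php?action=edit&amp;cat_ID=$category->cat_ID' class='edit'>" . __('Edit') . "</a></td><td><a href='categories.php?action=delete&amp;cat_ID=$category->cat_ID' onclick=\"return confirm('".  sprintf(__("You are about to delete the category \'%s\'.  All of its posts will go to the default category.\\n  \'OK\' to delete, \'Cancel\' to stop."), addslashes($category->cat_name)) . "')\" class='delete'>" .  __('Delete') . "</a>";
+                    $edit = "<a href='categories.php?action=edit&amp;cat_ID=$category->cat_ID' class='edit'>" . __('Edit') . "</a></td><td><a href='categories.php?action=delete&amp;cat_ID=$category->cat_ID' onclick=\"return confirm('".  sprintf(__("You are about to delete the category \'%s\'.  All of its posts will go to the default category.\\n  \'OK\' to delete, \'Cancel\' to stop."), $wpdb->escape($category->cat_name)) . "')\" class='delete'>" .  __('Delete') . "</a>";
                 else
                     $edit = '';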
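Review bot: The value escaped on line 451 is not DB-bound: `$category->cat_name` is placed inside a JavaScript string literal that itself sits inside a double-quoted HTML onclick attribute, and `$wpdb->escape()` produces SQL escaping for that slot. A double quote in the category name becomes `\"`, but the HTML parser does not honour backslashes, so the quote still terminates the onclick attribute and the rest of the name is parsed as markup. edit-page-form.php line 135 has the same context mismatch with `$post->post_title`. The name needs escaping for the JS-string-in-attribute context (JS-escape the name, then HTML-attribute-escape the finished attribute value; `wp_specialchars`, used in xmlrpc.php in this same changeset, may serve for the HTML part if it covers `"`), and a comment such as `// output context: JS string inside an HTML attribute, not SQL` would stop the next reader treating $wpdb->escape as a general sanitiser. The enclosing function starts and ends outside the hunk.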
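--- a/trunk/wp-admin/edit-page-form.php
+++ b/trunk/wp-admin/edit-page-form.php
@@ -133,5 +133,5 @@
         <th scope="row"><?php _e('Delete'); ?>:</th>
         <td><?php if ('edit' == $action) : ?>
-        <input name="deletepost" class="delete" type="submit" id="deletepost" tabindex="10" value="<?php _e('Delete this page') ?>" <?php echo "onclick=\"return confirm('" . sprintf(__("You are about to delete this page \'%s\'\\n  \'Cancel\' to stop, \'OK\' to delete."), addslashes($post->post_title) ) . "')\""; ?> />
+        <input name="deletepost" class="delete" type="submit" id="deletepost" tabindex="10" value="<?php _e('Delete this page') ?>" <?php echo "onclick=\"return confirm('" . sprintf(__("You are about to delete this page \'%s\'\\n  \'Cancel\' to stop, \'OK\' to delete."), $wpdb->escape($post->post_title) ) . "')\""; ?> />
 <?php endif; ?></td>
     </tr>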
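--- a/trunk/wp-admin/import-blogger.php
+++ b/trunk/wp-admin/import-blogger.php
@@ -63,14 +63,14 @@
             $post_title = $postinfo[4];
 
-            $post_author = trim(addslashes($postinfo[1]));
+            $post_author = trim($wpdb->escape($postinfo[1]));
             // we'll check the author is registered already
             $user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_login = '$post_author'");
             if (!$user) { // seems s/he's not, so let's register
                 $user_joindate = '1979-06-06 00:41:00'; // that's my birthdate (gmt+1) - I could choose any other date. You could change the date too. Just remember the year must be >=1970 or the world would just randomly fall on your head (everything might look fine, and then blam! major headache!)
-                $user_login = addslashes($post_author);
-                $pass1 = addslashes('password');
-                $user_email = addslashes('user@wordpress.org');
-                $user_url = addslashes('');
-                $user_joindate = addslashes($user_joindate);
+                $user_login = $wpdb->escape($post_author);
+                $pass1 = $wpdb->escape('password');
+                $user_email = $wpdb->escape('user@wordpress.org');
+                $user_url = $wpdb->escape('');
+                $user_joindate = $wpdb->escape($user_joindate);
                 $result = $wpdb->query("
                 INSERT INTO $wpdb->users (
@@ -112,8 +112,8 @@
             $post_date = "$postyear-$postmonth-$postday $posthour:$postminute:$postsecond";
 
-            $post_content = addslashes($post_content);
+            $post_content = $wpdb->escape($post_content);
             $post_content = str_replace('<br>', '<br />', $post_content); // the XHTML touch... ;)
 
-            $post_title = addslashes($post_title);
+            $post_title = $wpdb->escape($post_title);
 
             // Quick-n-dirty check for dups: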
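Review bot: `$post_author` is escaped twice before it is stored: line 65 assigns `$post_author = trim($wpdb->escape($postinfo[1]))`, and when the author is not found line 70 runs `$user_login = $wpdb->escape($post_author)` on the already-escaped string, so an author name containing a quote or backslash is inserted with doubled escaping and would not match the `user_login = '$post_author'` lookup on the next post by the same author. import-greymatter.php lines 156 and 158 (`$user_login` and `$user_nickname` derived from the escaped `$post_author` of line 150) have the same pattern. Keep a raw and an escaped copy and escape once per SQL use, e.g. `$post_author = trim($postinfo[1]);` followed by `$post_author_db = $wpdb->escape($post_author);` for the queries. The enclosing loop starts and ends outside the hunk.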
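--- a/trunk/wp-admin/import-greymatter.php
+++ b/trunk/wp-admin/import-greymatter.php
@@ -91,10 +91,10 @@
         $user_joindate=substr($s,6,4)."-".substr($s,0,2)."-".substr($s,3,2)." 00:00:00";
 
-        $user_login=addslashes($userdata[0]);
-        $pass1=addslashes($userdata[1]);
-        $user_nickname=addslashes($userdata[0]);
-        $user_email=addslashes($userdata[2]);
-        $user_url=addslashes($userdata[3]);
-        $user_joindate=addslashes($user_joindate);
+        $user_login=$wpdb->escape($userdata[0]);
+        $pass1=$wpdb->escape($userdata[1]);
+        $user_nickname=$wpdb->escape($userdata[0]);
+        $user_email=$wpdb->escape($userdata[2]);
+        $user_url=$wpdb->escape($userdata[3]);
+        $user_joindate=$wpdb->escape($user_joindate);
 
         $loginthere = $wpdb->get_var("SELECT user_login FROM $wpdb->users WHERE user_login = '$user_login'");
@@ -148,5 +148,5 @@
             $postmorecontent=gm2autobr($entry[3]);
 
-            $post_author=trim(addslashes($postinfo[1]));
+            $post_author=trim($wpdb->escape($postinfo[1]));
             // we'll check the author is registered, or if it's a deleted author
             $sql = "SELECT * FROM $wpdb->users WHERE user_login = '$post_author'";
@@ -154,10 +154,10 @@
             if (! $result) { // if deleted from GM, we register the author as a level 0 user in wp
                 $user_joindate="1979-06-06 00:41:00";
-                $user_login=addslashes($post_author);
-                $pass1=addslashes("password");
-                $user_nickname=addslashes($post_author);
-                $user_email=addslashes("user@deleted.com");
-                $user_url=addslashes("");
-                $user_joindate=addslashes($user_joindate);
+                $user_login=$wpdb->escape($post_author);
+                $pass1=$wpdb->escape("password");
+                $user_nickname=$wpdb->escape($post_author);
+                $user_email=$wpdb->escape("user@deleted.com");
+                $user_url=$wpdb->escape("");
+                $user_joindate=$wpdb->escape($user_joindate);
                 $query = "INSERT INTO $wpdb->users (user_login,user_pass,user_email,user_url,user_registered,user_level) VALUES ('$user_login','$pass1','$user_email','$user_url','$user_joindate','0')";
                 $result = $wpdb->query($query);
@@ -172,5 +172,5 @@
 
             $post_title=gm2autobr($postinfo[2]);
-            $post_title=addslashes($post_title);
+            $post_title=$wpdb->escape($post_title);
 
             $postyear=$postinfo[6];
@@ -189,5 +189,5 @@
             if (strlen($postmorecontent)>3)
                 $post_content .= "<!--more--><br /><br />".$postmorecontent;
-            $post_content=addslashes($post_content);
+            $post_content=$wpdb->escape($post_content);
 
             $post_karma=$postinfo[12];
@@ -223,8 +223,8 @@
                     $commentinfo=explode("|",$entry[$j]);
                     $comment_post_ID=$post_ID;
-                    $comment_author=addslashes($commentinfo[0]);
-                    $comment_author_email=addslashes($commentinfo[2]);
-                    $comment_author_url=addslashes($commentinfo[3]);
-                    $comment_author_IP=addslashes($commentinfo[1]);
+                    $comment_author=$wpdb->escape($commentinfo[0]);
+                    $comment_author_email=$wpdb->escape($commentinfo[2]);
+                    $comment_author_url=$wpdb->escape($commentinfo[3]);
+                    $comment_author_IP=$wpdb->escape($commentinfo[1]);
 
                     $commentyear=$commentinfo[7];
@@ -238,5 +238,5 @@
                     $comment_date="$commentyear-$commentmonth-$commentday $commenthour:$commentminute:$commentsecond";
 
-                    $comment_content=addslashes($commentinfo[12]);
+                    $comment_content=$wpdb->escape($commentinfo[12]);
 
                     $sql3 = "INSERT INTO $wpdb->comments (comment_post_ID,comment_author,comment_author_email,comment_author_url,comment_author_IP,comment_date,comment_content) VALUES ('$comment_post_ID','$comment_author','$comment_author_email','$comment_author_url','$comment_author_IP','$comment_date','$comment_content')";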
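--- a/trunk/wp-admin/import-livejournal.php
+++ b/trunk/wp-admin/import-livejournal.php
@@ -83,5 +83,5 @@
 
 preg_match('|<subject>(.*?)</subject>|is', $post, $title);
-$title = addslashes( trim($title[1]) );
+$title = $wpdb->escape( trim($title[1]) );
 $post_name = sanitize_title($title);
 
@@ -93,5 +93,5 @@
 
 preg_match('|<event>(.*?)</event>|is', $post, $content);
-$content = str_replace( array('<![CDATA[', ']]>'), '', addslashes( trim($content[1]) ) );
+$content = str_replace( array('<![CDATA[', ']]>'), '', $wpdb->escape( trim($content[1]) ) );
 
 // Now lets put it in the DB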
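--- a/trunk/wp-admin/import-mt.php
+++ b/trunk/wp-admin/import-mt.php
@@ -207,5 +207,5 @@
     // We want the excerpt
     preg_match("|-----\nEXCERPT:(.*)|s", $post, $excerpt);
-    $excerpt = addslashes(trim($excerpt[1]));
+    $excerpt = $wpdb->escape(trim($excerpt[1]));
     $post = preg_replace("|(-----\nEXCERPT:.*)|s", '', $post);
     
@@ -219,5 +219,5 @@
     preg_match("|-----\nBODY:(.*)|s", $post, $body);
     $body = trim($body[1]);
-    $post_content = addslashes($body . $extended);
+    $post_content = $wpdb->escape($body . $extended);
     $post = preg_replace("|(-----\nBODY:.*)|s", '', $post);
     
@@ -236,5 +236,5 @@
                 break;
             case 'TITLE':
-                $post_title = addslashes($value);
+                $post_title = $wpdb->escape($value);
                 echo '<i>'.stripslashes($post_title).'</i>... ';
                 $post_name = sanitize_title($post_title);
@@ -265,8 +265,8 @@
                 break;
             case 'PRIMARY CATEGORY':
-                $post_categories[] = addslashes($value);
+                $post_categories[] = $wpdb->escape($value);
                 break;
             case 'CATEGORY':
-                $post_categories[] = addslashes($value);
+                $post_categories[] = $wpdb->escape($value);
                 break;
             case 'DATE':
@@ -324,9 +324,9 @@
             // Author
             preg_match("|AUTHOR:(.*)|", $comment, $comment_author);
-            $comment_author = addslashes(trim($comment_author[1]));
+            $comment_author = $wpdb->escape(trim($comment_author[1]));
             $comment = preg_replace('|(\n?AUTHOR:.*)|', '', $comment);
 
             preg_match("|EMAIL:(.*)|", $comment, $comment_email);
-            $comment_email = addslashes(trim($comment_email[1]));
+            $comment_email = $wpdb->escape(trim($comment_email[1]));
             $comment = preg_replace('|(\n?EMAIL:.*)|', '', $comment);
 
@@ -336,5 +336,5 @@
 
             preg_match("|URL:(.*)|", $comment, $comment_url);
-            $comment_url = addslashes(trim($comment_url[1]));
+            $comment_url = $wpdb->escape(trim($comment_url[1]));
             $comment = preg_replace('|(\n?URL:.*)|', '', $comment);
 
@@ -344,5 +344,5 @@
             $comment = preg_replace('|(\n?DATE:.*)|', '', $comment);
 
-            $comment_content = addslashes(trim($comment));
+            $comment_content = $wpdb->escape(trim($comment));
             $comment_content = str_replace('-----', '', $comment_content);
 
@@ -365,5 +365,5 @@
             // 'Author'
             preg_match("|BLOG NAME:(.*)|", $ping, $comment_author);
-            $comment_author = addslashes(trim($comment_author[1]));
+            $comment_author = $wpdb->escape(trim($comment_author[1]));
             $ping = preg_replace('|(\n?BLOG NAME:.*)|', '', $ping);
 
@@ -375,5 +375,5 @@
 
             preg_match("|URL:(.*)|", $ping, $comment_url);
-            $comment_url = addslashes(trim($comment_url[1]));
+            $comment_url = $wpdb->escape(trim($comment_url[1]));
             $ping = preg_replace('|(\n?URL:.*)|', '', $ping);
 
@@ -384,8 +384,8 @@
 
             preg_match("|TITLE:(.*)|", $ping, $ping_title);
-            $ping_title = addslashes(trim($ping_title[1]));
+            $ping_title = $wpdb->escape(trim($ping_title[1]));
             $ping = preg_replace('|(\n?TITLE:.*)|', '', $ping);
 
-            $comment_content = addslashes(trim($ping));
+            $comment_content = $wpdb->escape(trim($ping));
             $comment_content = str_replace('-----', '', $comment_content);
 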
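Review bot: Line 239 echoes the SQL-escaped title back into the admin page as `'<i>'.stripslashes($post_title).'</i>'`, which only reverses the escaping if `$wpdb->escape()` is a plain addslashes; if it is backed by mysql_real_escape_string (its implementation is not on this page), escaped control sequences such as `\n` come back as a bare `n`. It then prints the result into HTML with no HTML escaping, so an imported title can inject markup into the import screen. Display the raw value escaped for HTML instead, `echo '<i>'.wp_specialchars($value).'</i>... ';`, and consider deriving `$post_name = sanitize_title($value)` from the raw value rather than the SQL-escaped one on line 240. The `switch` and its enclosing function start and end outside the hunk.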
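--- a/trunk/wp-admin/import-rss.php
+++ b/trunk/wp-admin/import-rss.php
@@ -88,5 +88,5 @@
 
 preg_match('|<title>(.*?)</title>|is', $post, $title);
-$title = addslashes( trim($title[1]) );
+$title = $wpdb->escape( trim($title[1]) );
 $post_name = sanitize_title($title);
 
@@ -113,9 +113,9 @@
 
 preg_match('|<guid.+?>(.*?)</guid>|is', $post, $guid);
-if ($guid) $guid = addslashes( trim($guid[1]) );
+if ($guid) $guid = $wpdb->escape( trim($guid[1]) );
 else $guid = '';
 
 preg_match('|<content:encoded>(.*?)</content:encoded>|is', $post, $content);
-$content = str_replace( array('<![CDATA[', ']]>'), '', addslashes( trim($content[1]) ) );
+$content = str_replace( array('<![CDATA[', ']]>'), '', $wpdb->escape( trim($content[1]) ) );
 
 if (!$content) : // This is for feeds that put content in description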
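--- a/trunk/wp-admin/import-textpattern.php
+++ b/trunk/wp-admin/import-textpattern.php
@@ -99,6 +99,6 @@
     $posted = date('Y-m-d H:i:s', $timestamp);
 
-    $content = addslashes($post['Body_html']);
-    $title = addslashes($post['Title']);
+    $content = $wpdb->escape($post['Body_html']);
+    $title = $wpdb->escape($post['Title']);
     $post_name = sanitize_title($title);
 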
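--- a/trunk/wp-admin/install.php
+++ b/trunk/wp-admin/install.php
@@ -144,5 +144,5 @@
 
 // Now drop in some default links
-$wpdb->query("INSERT INTO $wpdb->linkcategories (cat_id, cat_name) VALUES (1, '".addslashes(__('Blogroll'))."')");
+$wpdb->query("INSERT INTO $wpdb->linkcategories (cat_id, cat_name) VALUES (1, '".$wpdb->escape(__('Blogroll'))."')");
 $wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_category, link_rss) VALUES ('http://blog.carthik.net/index.php', 'Carthik', 1, 'http://blog.carthik.net/feed/');");
 $wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_category, link_rss) VALUES ('http://blogs.linux.ie/xeer/', 'Donncha', 1, 'http://blogs.linux.ie/xeer/feed/');");
@@ -155,19 +155,19 @@
 
 // Default category
-$wpdb->query("INSERT INTO $wpdb->categories (cat_ID, cat_name, category_nicename) VALUES ('0', '".addslashes(__('Uncategorized'))."', '".sanitize_title(__('Uncategorized'))."')");
+$wpdb->query("INSERT INTO $wpdb->categories (cat_ID, cat_name, category_nicename) VALUES ('0', '".$wpdb->escape(__('Uncategorized'))."', '".sanitize_title(__('Uncategorized'))."')");
 
 // First post
 $now = date('Y-m-d H:i:s');
 $now_gmt = gmdate('Y-m-d H:i:s');
-$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt) VALUES ('1', '$now', '$now_gmt', '".addslashes(__('Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!'))."', '".addslashes(__('Hello world!'))."', '0', '".addslashes(__('hello-world'))."', '$now', '$now_gmt')");
+$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt) VALUES ('1', '$now', '$now_gmt', '".$wpdb->escape(__('Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!'))."', '".$wpdb->escape(__('Hello world!'))."', '0', '".$wpdb->escape(__('hello-world'))."', '$now', '$now_gmt')");
 
 $wpdb->query( "INSERT INTO $wpdb->post2cat (`rel_id`, `post_id`, `category_id`) VALUES (1, 1, 1)" );
 
 // Default comment
-$wpdb->query("INSERT INTO $wpdb->comments (comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_date, comment_date_gmt, comment_content) VALUES ('1', '".addslashes(__('Mr WordPress'))."', '', 'http://wordpress.org', '$now', '$now_gmt', '".addslashes(__('Hi, this is a comment.<br />To delete a comment, just log in, and view the posts\' comments, there you will have the option to edit or delete them.'))."')");
+$wpdb->query("INSERT INTO $wpdb->comments (comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_date, comment_date_gmt, comment_content) VALUES ('1', '".$wpdb->escape(__('Mr WordPress'))."', '', 'http://wordpress.org', '$now', '$now_gmt', '".$wpdb->escape(__('Hi, this is a comment.<br />To delete a comment, just log in, and view the posts\' comments, there you will have the option to edit or delete them.'))."')");
 
 // First Page
 
-$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt, post_status) VALUES ('1', '$now', '$now_gmt', '".addslashes(__('This is an example of a WordPress page, you could edit this to put information about yourself or your site so readers know where you are coming from. You can create as many pages like this one or sub-pages as you like and manage all of your content inside of WordPress.'))."', '".addslashes(__('About'))."', '0', '".addslashes(__('about'))."', '$now', '$now_gmt', 'static')");
+$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt, post_status) VALUES ('1', '$now', '$now_gmt', '".$wpdb->escape(__('This is an example of a WordPress page, you could edit this to put information about yourself or your site so readers know where you are coming from. You can create as many pages like this one or sub-pages as you like and manage all of your content inside of WordPress.'))."', '".$wpdb->escape(__('About'))."', '0', '".$wpdb->escape(__('about'))."', '$now', '$now_gmt', 'static')");
 
 // Set up admin user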
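--- a/trunk/wp-admin/link-categories.php
+++ b/trunk/wp-admin/link-categories.php
@@ -61,7 +61,7 @@
           $sort_desc = 'N';
       }
-      $text_before_link = addslashes($_POST['text_before_link']);
-      $text_after_link = addslashes($_POST['text_after_link']);
-      $text_after_all = addslashes($_POST['text_after_all']);
+      $text_before_link = $_POST['text_before_link'];
+      $text_after_link = $_POST['text_after_link'];
+      $text_after_all = $_POST['text_after_all'];
 
       $list_limit = $_POST['list_limit'];
@@ -239,7 +239,7 @@
         $sort_desc = 'N';
     }
-    $text_before_link = addslashes($_POST["text_before_link"]);
-    $text_after_link = addslashes($_POST["text_after_link"]);
-    $text_after_all = addslashes($_POST["text_after_all"]);
+    $text_before_link = $_POST["text_before_link"];
+    $text_after_link = $_POST["text_after_link"];
+    $text_after_all = $_POST["text_after_all"];
 
     $list_limit = $_POST["list_limit"];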
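Review bot: Lines 63-65 and 241-243 now copy the `$_POST` values with no escaping of their own, so their safety in whatever SQL consumes them later depends entirely on wp-settings.php in this same changeset having already run `add_magic_quotes()` over `$_POST`, and nothing in this file records that assumption. A comment above line 63 such as `// $_POST is already SQL-escaped by wp-settings.php (add_magic_quotes); do not escape again.` would document the dependency for the next reader, who otherwise sees raw request data flowing toward the database. `$list_limit` on lines 67 and 245 is taken raw as well; if it is interpolated into SQL outside the hunk, an `(int)` cast there would make its contract explicit. The enclosing branches start and end outside the hunks.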
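--- a/trunk/wp-admin/link-import.php
+++ b/trunk/wp-admin/link-import.php
@@ -108,5 +108,5 @@
                             $titles[$i] = '';
                         $query = "INSERT INTO $wpdb->links (link_url, link_name, link_target, link_category, link_description, link_owner, link_rss)
-                                VALUES('{$urls[$i]}', '".addslashes($names[$i])."', '', $cat_id, '".addslashes($descriptions[$i])."', $user_ID, '{$feeds[$i]}')\n";
+                                VALUES('{$urls[$i]}', '".$wpdb->escape($names[$i])."', '', $cat_id, '".$wpdb->escape($descriptions[$i])."', $user_ID, '{$feeds[$i]}')\n";
                         $result = $wpdb->query($query);
                         echo sprintf(__("<p>Inserted <strong>%s</strong></p>"), $names[$i]);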
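Review bot: The rewritten VALUES clause on line 110 escapes `$names[$i]` and `$descriptions[$i]` but still interpolates `'{$urls[$i]}'` and `'{$feeds[$i]}'` raw, although they presumably come from the same imported file; a URL containing a single quote breaks the statement. Escape them the same way, `'".$wpdb->escape($urls[$i])."'` and `'".$wpdb->escape($feeds[$i])."'`, or, if they are escaped earlier in the loop (which starts outside the hunk), add a comment at line 110 saying so. `$cat_id` and `$user_ID` are interpolated unquoted and look like integers; an `(int)` cast would make that explicit. Line 112 also echoes `$names[$i]` into HTML unescaped, which is outside the changed line but worth a look while here.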
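--- a/trunk/wp-admin/update-links.php
+++ b/trunk/wp-admin/update-links.php
@@ -37,6 +37,6 @@
 
     foreach ($returns as $return) :
-        $time = addslashes( substr($return, 0, 19) );
-        $uri = addslashes( preg_replace('/(.*?) | (.*?)/', '$2', $return) );
+        $time = $wpdb->escape( substr($return, 0, 19) );
+        $uri = $wpdb->escape( preg_replace('/(.*?) | (.*?)/', '$2', $return) );
         $wpdb->query("UPDATE $wpdb->links SET link_updated = '$time' WHERE link_url = '$uri'");
     endforeach;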
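--- a/trunk/wp-admin/upgrade-functions.php
+++ b/trunk/wp-admin/upgrade-functions.php
@@ -222,21 +222,21 @@
     foreach ( $users as $user ) :
         if ( !empty( $user->user_firstname ) )
-            update_usermeta( $user->ID, 'first_name', addslashes($user->user_firstname) );
+            update_usermeta( $user->ID, 'first_name', $wpdb->escape($user->user_firstname) );
         if ( !empty( $user->user_lastname ) )
-            update_usermeta( $user->ID, 'last_name', addslashes($user->user_lastname) );
+            update_usermeta( $user->ID, 'last_name', $wpdb->escape($user->user_lastname) );
         if ( !empty( $user->user_nickname ) )
-            update_usermeta( $user->ID, 'nickname', addslashes($user->user_nickname) );
+            update_usermeta( $user->ID, 'nickname', $wpdb->escape($user->user_nickname) );
         if ( !empty( $user->user_level ) )
             update_usermeta( $user->ID, $table_prefix . 'user_level', $user->user_level );
         if ( !empty( $user->user_icq ) )
-            update_usermeta( $user->ID, 'icq', addslashes($user->user_icq) );
+            update_usermeta( $user->ID, 'icq', $wpdb->escape($user->user_icq) );
         if ( !empty( $user->user_aim ) )
-            update_usermeta( $user->ID, 'aim', addslashes($user->user_aim) );
+            update_usermeta( $user->ID, 'aim', $wpdb->escape($user->user_aim) );
         if ( !empty( $user->user_msn ) )
-            update_usermeta( $user->ID, 'msn', addslashes($user->user_msn) );
+            update_usermeta( $user->ID, 'msn', $wpdb->escape($user->user_msn) );
         if ( !empty( $user->user_yim ) )
-            update_usermeta( $user->ID, 'yim', addslashes($user->user_icq) );
+            update_usermeta( $user->ID, 'yim', $wpdb->escape($user->user_icq) );
         if ( !empty( $user->user_description ) )
-            update_usermeta( $user->ID, 'description', addslashes($user->user_description) );
+            update_usermeta( $user->ID, 'description', $wpdb->escape($user->user_description) );
 
         if ( !isset( $user->user_idmode ) ):
@@ -249,5 +249,5 @@
             if ($idmode == 'namelf') $id = $user->user_lastname.' '.$user->user_firstname;
             if (!$idmode) $id = $user->user_nickname;
-            $id = addslashes( $id );
+            $id = $wpdb->escape( $id );
             $wpdb->query("UPDATE $wpdb->users SET display_name = '$id' WHERE ID = '$user->ID'");
         endif;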
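Review bot: Line 238 stores `$user->user_icq` under the `'yim'` key although the guard on line 237 tests `$user->user_yim`, so the YIM handle is dropped during upgrade and the ICQ number is written twice; the line should read `update_usermeta( $user->ID, 'yim', $wpdb->escape($user->user_yim) );`. Separately, whether `update_usermeta()` expects pre-escaped input is not visible here — if it escapes internally, every value on lines 224-240 is double-escaped in the meta table; a comment at the first call stating which side owns the escaping would settle it. The enclosing `foreach` and function start and end outside the hunk.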
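--- a/trunk/wp-comments-post.php
+++ b/trunk/wp-comments-post.php
@@ -25,7 +25,7 @@
 get_currentuserinfo();
 if ( $user_ID ) :
-    $comment_author       = addslashes($user_identity);
-    $comment_author_email = addslashes($user_email);
-    $comment_author_url   = addslashes($user_url);
+    $comment_author       = $wpdb->escape($user_identity);
+    $comment_author_email = $wpdb->escape($user_email);
+    $comment_author_url   = $wpdb->escape($user_url);
 else :
     if ( get_option('comment_registration') )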
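--- a/trunk/wp-includes/comment-functions.php
+++ b/trunk/wp-includes/comment-functions.php
@@ -14,6 +14,6 @@
         $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date");
     } else {
-        $author_db = addslashes($comment_author);
-        $email_db  = addslashes($comment_author_email);
+        $author_db = $wpdb->escape($comment_author);
+        $email_db  = $wpdb->escape($comment_author_email);
         $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND ( comment_approved = '1' OR ( comment_author = '$author_db' AND comment_author_email = '$email_db' AND comment_approved = '0' ) ) ORDER BY comment_date");
     }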
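--- a/trunk/wp-includes/functions-formatting.php
+++ b/trunk/wp-includes/functions-formatting.php
@@ -524,8 +524,11 @@
 
 function addslashes_gpc($gpc) {
-    if (!get_magic_quotes_gpc()) {
-        $gpc = addslashes($gpc);
-    }
-    return $gpc;
+    global $wpdb;
+
+    if (get_magic_quotes_gpc()) {
+        $gpc = stripslashes($gpc);
+    }
+
+    return $wpdb->escape($gpc);
 }
 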
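Review bot: `addslashes_gpc()` now escapes its argument unconditionally on line 532, while wp-settings.php in this same changeset already runs `add_magic_quotes()` over `$_GET`, `$_POST`, `$_COOKIE` and `$_SERVER` on every request; if callers pass values taken from those superglobals, they are escaped twice whenever magic_quotes_gpc is off, and when it is on the `stripslashes()` on line 529 first undoes the bootstrap escaping rather than the runtime's. The two places should agree on who escapes GPC data, and at minimum the function needs a header comment stating the new contract, e.g. `// Returns $gpc SQL-escaped via $wpdb->escape(); under magic_quotes_gpc the runtime's slashes are stripped first. Do not pass values already escaped by wp-settings.php.` The name no longer describes the behaviour (it escapes for the database rather than adding GPC slashes), which is worth a `@deprecated`-style pointer if a rename is planned.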
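--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -844,5 +844,5 @@
             if ( $headers = wp_get_http_headers( $url) ) {
                 $len  = (int) $headers['content-length'];
-                $type = addslashes( $headers['content-type'] );
+                $type = $wpdb->escape( $headers['content-type'] );
                 $allowed_types = array( 'video', 'audio' );
                 if( in_array( substr( $type, 0, strpos( $type, "/" ) ), $allowed_types ) ) {
@@ -1883,9 +1883,11 @@
 
 function add_magic_quotes($array) {
+    global $wpdb;
+
     foreach ($array as $k => $v) {
         if (is_array($v)) {
             $array[$k] = add_magic_quotes($v);
         } else {
-            $array[$k] = addslashes($v);
+            $array[$k] = $wpdb->escape($v);
         }
     }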
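Review bot: Line 846 now calls `$wpdb->escape()` inside a function whose header is outside the hunk, and unlike `add_magic_quotes()` (which gains `global $wpdb;` on line 1885) this hunk adds no global declaration — if the enclosing function does not already declare it, `$wpdb` is undefined at that point and the method call fails. Check the function's preamble and add `global $wpdb;` if it is missing. The escaped `$type` is then also what line 848 compares against `$allowed_types`; that is harmless for plain MIME strings, but keeping the raw header for the check and escaping only where the value reaches a query would keep the two concerns apart.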
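--- a/trunk/wp-settings.php
+++ b/trunk/wp-settings.php
@@ -137,10 +137,17 @@
 require_once(ABSPATH . WPINC . '/locale.php');
 
-if ( !get_magic_quotes_gpc() ) {
-    $_GET    = add_magic_quotes($_GET   );
-    $_POST   = add_magic_quotes($_POST  );
-    $_COOKIE = add_magic_quotes($_COOKIE);
-    $_SERVER = add_magic_quotes($_SERVER);
+// If already slashed, strip.
+if ( get_magic_quotes_gpc() ) {
+    $_GET    = stripslashes($_GET   );
+    $_POST   = stripslashes($_POST  );
+    $_COOKIE = stripslashes($_COOKIE);
+    $_SERVER = stripslashes($_SERVER);
 }
+
+// Escape with wpdb.
+$_GET    = add_magic_quotes($_GET   );
+$_POST   = add_magic_quotes($_POST  );
+$_COOKIE = add_magic_quotes($_COOKIE);
+$_SERVER = add_magic_quotes($_SERVER);
 
 function shutdown_action_hook() {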
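Review bot: Lines 141-144 pass arrays to `stripslashes()`, which accepts only a string: `$_GET`, `$_POST`, `$_COOKIE` and `$_SERVER` are arrays, so on a host with magic_quotes_gpc enabled each call fails with a warning and returns no usable value, and every superglobal is wiped for the rest of the request — the opposite of what the `// If already slashed, strip.` comment intends, and `add_magic_quotes()` on lines 148-151 then receives empty input. The strip step needs to walk the arrays the same way `add_magic_quotes()` in functions.php (this same changeset) does; a recursive helper is sketched below (the helper name is a suggestion, not an existing function). Defining it here matches the file, which already defines `shutdown_action_hook()`.
```php
// If already slashed, strip. stripslashes() only accepts a string, so walk the
// superglobal arrays the same way add_magic_quotes() does.
function strip_magic_quotes($array) {
    foreach ($array as $k => $v) {
        $array[$k] = is_array($v) ? strip_magic_quotes($v) : stripslashes($v);
    }
    return $array;
}

if ( get_magic_quotes_gpc() ) {
    $_GET    = strip_magic_quotes($_GET   );
    $_POST   = strip_magic_quotes($_POST  );
    $_COOKIE = strip_magic_quotes($_COOKIE);
    $_SERVER = strip_magic_quotes($_SERVER);
}
// … unchanged: escape with wpdb via add_magic_quotes() …
```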
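--- a/trunk/xmlrpc.php
+++ b/trunk/xmlrpc.php
@@ -1250,5 +1250,5 @@
         $context = '[...] ' . wp_specialchars( $excerpt ) . ' [...]';
         $original_pagelinkedfrom = $pagelinkedfrom;
-        $pagelinkedfrom = addslashes( $pagelinkedfrom );
+        $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
         $original_title = $title;
 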