Changeset 28712


Timestamp:
06/10/14 00:43:32 (3 years ago)
Author:
wonderboymusic
Message:

Replace all uses of like_escape() with $wpdb->esc_like().

Props miqrogroove.
See #10041.

Location:
trunk/src
Files:
19 edited

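--- a/trunk/src/wp-admin/includes/class-wp-ms-sites-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-ms-sites-list-table.php
@@ -39,6 +39,4 @@
         }
 
-        $like_s = esc_sql( like_escape( $s ) );
-
         // If the network is large and a search is not being performed, show only the latest blogs with no paging in order
         // to avoid expensive count queries.
@@ -59,5 +57,6 @@
                     preg_match( '/^[0-9]{1,3}\.$/', $s ) ) {
             // IPv4 address
-            $reg_blog_ids = $wpdb->get_col( "SELECT blog_id FROM {$wpdb->registration_log} WHERE {$wpdb->registration_log}.IP LIKE ( '{$like_s}$wild' )" );
+            $sql = $wpdb->prepare( "SELECT blog_id FROM {$wpdb->registration_log} WHERE {$wpdb->registration_log}.IP LIKE %s", $wpdb->esc_like( $s ) . $wild );
+            $reg_blog_ids = $wpdb->get_col( $sql );
 
             if ( !$reg_blog_ids )
@@ -70,15 +69,16 @@
         } else {
             if ( is_numeric($s) && empty( $wild ) ) {
-                $query .= " AND ( {$wpdb->blogs}.blog_id = '{$like_s}' )";
+                $query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.blog_id = %s )", $s );
             } elseif ( is_subdomain_install() ) {
-                $blog_s = str_replace( '.' . $current_site->domain, '', $like_s );
-                $blog_s .= $wild . '.' . $current_site->domain;
-                $query .= " AND ( {$wpdb->blogs}.domain LIKE '$blog_s' ) ";
+                $blog_s = str_replace( '.' . $current_site->domain, '', $s );
+                $blog_s = $wpdb->esc_like( $blog_s ) . $wild . $wpdb->esc_like( '.' . $current_site->domain );
+                $query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.domain LIKE %s ) ", $blog_s );
             } else {
-                if ( $like_s != trim('/', $current_site->path) )
-                    $blog_s = $current_site->path . $like_s . $wild . '/';
-                else
-                    $blog_s = $like_s;
-                $query .= " AND  ( {$wpdb->blogs}.path LIKE '$blog_s' )";
+                if ( $s != trim('/', $current_site->path) ) {
+                    $blog_s = $wpdb->esc_like( $current_site->path . $s ) . $wild . $wpdb->esc_like( '/' );
+                } else {
+                    $blog_s = $wpdb->esc_like( $s );
+                }
+                $query .= $wpdb->prepare( " AND  ( {$wpdb->blogs}.path LIKE %s )", $blog_s );
             }
         }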
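Review bot: The argument order of `trim()` on new line 77 is reversed — `trim('/', $current_site->path)` strips the characters of the site path from the literal string '/', so the comparison never tests what the branch intends; this predates the commit but is carried into the rewritten block unchanged. It should read `if ( $s != trim( $current_site->path, '/' ) ) {`. Separately, old line 41 removes `$like_s`; if the method still references that variable anywhere outside these three hunks it would now be undefined, so a grep of the rest of the method is worth doing. The enclosing method starts before and ends after the hunk.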
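--- a/trunk/src/wp-admin/includes/schema.php
+++ b/trunk/src/wp-admin/includes/schema.php
@@ -554,17 +554,19 @@
     // and the corresponding transient_timeout record from table b.
     $time = time();
-    $wpdb->query("DELETE a, b FROM $wpdb->options a, $wpdb->options b WHERE
-            a.option_name LIKE '\_transient\_%' AND
-            a.option_name NOT LIKE '\_transient\_timeout\_%' AND
-            b.option_name = CONCAT( '_transient_timeout_', SUBSTRING( a.option_name, 12 ) )
-            AND b.option_value < $time");
+    $sql = "DELETE a, b FROM $wpdb->options a, $wpdb->options b
+        WHERE a.option_name LIKE %s
+        AND a.option_name NOT LIKE %s
+        AND b.option_name = CONCAT( '_transient_timeout_', SUBSTRING( a.option_name, 12 ) )
+        AND b.option_value < %d";
+    $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_transient_' ) . '%', $wpdb->esc_like( '_transient_timeout_' ) . '%', $time ) );
 
     if ( is_main_site() && is_main_network() ) {
-        $wpdb->query("DELETE a, b FROM $wpdb->options a, $wpdb->options b WHERE
-            a.option_name LIKE '\_site\_transient\_%' AND
-            a.option_name NOT LIKE '\_site\_transient\_timeout\_%' AND
-            b.option_name = CONCAT( '_site_transient_timeout_', SUBSTRING( a.option_name, 17 ) )
-            AND b.option_value < $time");
-    }
+        $sql = "DELETE a, b FROM $wpdb->options a, $wpdb->options b
+            WHERE a.option_name LIKE %s
+            AND a.option_name NOT LIKE %s
+            AND b.option_name = CONCAT( '_site_transient_timeout_', SUBSTRING( a.option_name, 17 ) )
+            AND b.option_value < %d";
+        $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_site_transient_' ) . '%', $wpdb->esc_like( '_site_transient_timeout_' ) . '%', $time ) );
+    }
 }
 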
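--- a/trunk/src/wp-admin/includes/template.php
+++ b/trunk/src/wp-admin/includes/template.php
@@ -633,12 +633,12 @@
      * @param int $limit Number of custom fields to retrieve. Default 30.
      */
-    $limit = (int) apply_filters( 'postmeta_form_limit', 30 );
-    $keys = $wpdb->get_col( "
-        SELECT meta_key
+    $limit = apply_filters( 'postmeta_form_limit', 30 );
+    $sql = "SELECT meta_key
         FROM $wpdb->postmeta
         GROUP BY meta_key
-        HAVING meta_key NOT LIKE '\_%'
+        HAVING meta_key NOT LIKE %s
         ORDER BY meta_key
-        LIMIT $limit" );
+        LIMIT %d";
+    $keys = $wpdb->get_col( $wpdb->prepare( $sql, $wpdb->esc_like( '_' ) . '%', $limit ) );
     if ( $keys ) {
         natcasesort( $keys );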
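Review bot: The `(int)` cast on the filtered limit is dropped on new line 635, so `$limit` is now whatever the filter callback returns; `%d` in prepare() coerces it for this query, but the docblock directly above still documents `$limit` as an int and the cast was what enforced that contract at the filter boundary. Keeping `$limit = (int) apply_filters( 'postmeta_form_limit', 30 );` costs nothing and keeps the value an integer for any later use in the function. The enclosing function continues outside the hunk.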
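--- a/trunk/src/wp-admin/includes/upgrade.php
+++ b/trunk/src/wp-admin/includes/upgrade.php
@@ -466,7 +466,9 @@
     }
 
-    $wpdb->query("UPDATE $wpdb->options SET option_value = REPLACE(option_value, 'wp-links/links-images/', 'wp-images/links/')
-    WHERE option_name LIKE 'links_rating_image%'
-    AND option_value LIKE 'wp-links/links-images/%'");
+    $sql = "UPDATE $wpdb->options
+        SET option_value = REPLACE(option_value, 'wp-links/links-images/', 'wp-images/links/')
+        WHERE option_name LIKE %s
+        AND option_value LIKE %s";
+    $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( 'links_rating_image' ) . '%', $wpdb->esc_like( 'wp-links/links-images/' ) . '%' ) );
 
     $done_ids = $wpdb->get_results("SELECT DISTINCT post_id FROM $wpdb->post2cat");
@@ -1101,7 +1103,26 @@
     // 3.0 screen options key name changes.
     if ( is_main_site() && !defined('DO_NOT_UPGRADE_GLOBAL_TABLES') ) {
-        $prefix = like_escape($wpdb->base_prefix);
-        $wpdb->query( "DELETE FROM $wpdb->usermeta WHERE meta_key LIKE '{$prefix}%meta-box-hidden%' OR meta_key LIKE '{$prefix}%closedpostboxes%' OR meta_key LIKE '{$prefix}%manage-%-columns-hidden%' OR meta_key LIKE '{$prefix}%meta-box-order%' OR meta_key LIKE '{$prefix}%metaboxorder%' OR meta_key LIKE '{$prefix}%screen_layout%'
-                    OR meta_key = 'manageedittagscolumnshidden' OR meta_key='managecategoriescolumnshidden' OR meta_key = 'manageedit-tagscolumnshidden' OR meta_key = 'manageeditcolumnshidden' OR meta_key = 'categories_per_page' OR meta_key = 'edit_tags_per_page'" );
+        $sql = "DELETE FROM $wpdb->usermeta
+            WHERE meta_key LIKE %s
+            OR meta_key LIKE %s
+            OR meta_key LIKE %s
+            OR meta_key LIKE %s
+            OR meta_key LIKE %s
+            OR meta_key LIKE %s
+            OR meta_key = 'manageedittagscolumnshidden'
+            OR meta_key = 'managecategoriescolumnshidden'
+            OR meta_key = 'manageedit-tagscolumnshidden'
+            OR meta_key = 'manageeditcolumnshidden'
+            OR meta_key = 'categories_per_page'
+            OR meta_key = 'edit_tags_per_page'";
+        $prefix = $wpdb->esc_like( $wpdb->base_prefix );
+        $wpdb->query( $wpdb->prepare( $sql,
+            $prefix . '%' . $wpdb->esc_like( 'meta-box-hidden' ) . '%',
+            $prefix . '%' . $wpdb->esc_like( 'closedpostboxes' ) . '%',
+            $prefix . '%' . $wpdb->esc_like( 'manage-'     ) . '%' . $wpdb->esc_like( '-columns-hidden' ) . '%',
+            $prefix . '%' . $wpdb->esc_like( 'meta-box-order'  ) . '%',
+            $prefix . '%' . $wpdb->esc_like( 'metaboxorder'    ) . '%',
+            $prefix . '%' . $wpdb->esc_like( 'screen_layout'   ) . '%'
+        ) );
     }
 
@@ -1285,9 +1306,10 @@
         // and the corresponding transient_timeout record from table b.
         $time = time();
-        $wpdb->query("DELETE a, b FROM $wpdb->sitemeta a, $wpdb->sitemeta b WHERE
-            a.meta_key LIKE '\_site\_transient\_%' AND
-            a.meta_key NOT LIKE '\_site\_transient\_timeout\_%' AND
-            b.meta_key = CONCAT( '_site_transient_timeout_', SUBSTRING( a.meta_key, 17 ) )
-            AND b.meta_value < $time");
+        $sql = "DELETE a, b FROM $wpdb->sitemeta a, $wpdb->sitemeta b
+            WHERE a.meta_key LIKE %s
+            AND a.meta_key NOT LIKE %s
+            AND b.meta_key = CONCAT( '_site_transient_timeout_', SUBSTRING( a.meta_key, 17 ) )
+            AND b.meta_value < %d";
+        $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_site_transient_' ) . '%', $wpdb->esc_like ( '_site_transient_timeout_' ) . '%', $time ) );
     }
 
@@ -1383,11 +1405,16 @@
 function maybe_create_table($table_name, $create_ddl) {
     global $wpdb;
-    if ( $wpdb->get_var("SHOW TABLES LIKE '$table_name'") == $table_name )
+
+    $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $table_name ) );
+
+    if ( $wpdb->get_var( $query ) == $table_name ) {
         return true;
+    }
     //didn't find it try to create it.
     $wpdb->query($create_ddl);
     // we cannot directly tell that whether this succeeded!
-    if ( $wpdb->get_var("SHOW TABLES LIKE '$table_name'") == $table_name )
+    if ( $wpdb->get_var( $query ) == $table_name ) {
         return true;
+    }
     return false;
 }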
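Review bot: New line 1313 has `$wpdb->esc_like ( '_site_transient_timeout_' )` with a space before the opening parenthesis, unlike every other call in this changeset; it should read `$wpdb->esc_like( '_site_transient_timeout_' )`. In maybe_create_table (fully within its hunk) the two `SHOW TABLES LIKE` checks now share one prepared `$query`, which is a good consolidation; a short comment such as `// esc_like() keeps the underscores in $table_name literal rather than single-character wildcards` would record why escaping a table name matters here, since an unescaped `_` in a LIKE pattern matches any one character.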
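--- a/trunk/src/wp-admin/install.php
+++ b/trunk/src/wp-admin/install.php
@@ -75,5 +75,7 @@
 function display_setup_form( $error = null ) {
     global $wpdb;
-    $user_table = ( $wpdb->get_var("SHOW TABLES LIKE '$wpdb->users'") != null );
+
+    $sql = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->users ) );
+    $user_table = ( $wpdb->get_var( $sql ) != null );
 
     // Ensure that Blogs appear in search engines by default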
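--- a/trunk/src/wp-admin/maint/repair.php
+++ b/trunk/src/wp-admin/maint/repair.php
@@ -37,6 +37,8 @@
 
     // Sitecategories may not exist if global terms are disabled.
-    if ( is_multisite() && ! $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->sitecategories'" ) )
+    $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->sitecategories ) );
+    if ( is_multisite() && ! $wpdb->get_var( $query ) ) {
         unset( $tables['sitecategories'] );
+    }
 
     /**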
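--- a/trunk/src/wp-admin/network.php
+++ b/trunk/src/wp-admin/network.php
@@ -40,6 +40,9 @@
 function network_domain_check() {
     global $wpdb;
-    if ( $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->site'" ) )
+
+    $sql = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->site ) );
+    if ( $wpdb->get_var( $sql ) ) {
         return $wpdb->get_var( "SELECT domain FROM $wpdb->site ORDER BY id ASC LIMIT 1" );
+    }
     return false;
 }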
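--- a/trunk/src/wp-admin/network/site-settings.php
+++ b/trunk/src/wp-admin/network/site-settings.php
@@ -114,5 +114,12 @@
         <?php
         $blog_prefix = $wpdb->get_blog_prefix( $id );
-        $options = $wpdb->get_results( "SELECT * FROM {$blog_prefix}options WHERE option_name NOT LIKE '\_%' AND option_name NOT LIKE '%user_roles'" );
+        $sql = "SELECT * FROM {$blog_prefix}options
+            WHERE option_name NOT LIKE %s
+            AND option_name NOT LIKE %s";
+        $query = $wpdb->prepare( $sql,
+            $wpdb->esc_like( '_' ) . '%',
+            '%' . $wpdb->esc_like( 'user_roles' )
+        );
+        $options = $wpdb->get_results( $query );
         foreach ( $options as $option ) {
             if ( $option->option_name == 'default_role' )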
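--- a/trunk/src/wp-includes/bookmark.php
+++ b/trunk/src/wp-includes/bookmark.php
@@ -209,6 +209,6 @@
     $search = '';
     if ( ! empty( $r['search'] ) ) {
-        $search = esc_sql( like_escape( $r['search'] ) );
-        $search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) ";
+        $like = '%' . $wpdb->esc_like( $r['search'] ) . '%';
+        $search = $wpdb->prepare(" AND ( (link_url LIKE %s) OR (link_name LIKE %s) OR (link_description LIKE %s) ) ", $like, $like, $like );
     }
 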
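--- a/trunk/src/wp-includes/canonical.php
+++ b/trunk/src/wp-includes/canonical.php
@@ -505,5 +505,5 @@
 
     if ( get_query_var('name') ) {
-        $where = $wpdb->prepare("post_name LIKE %s", like_escape( get_query_var('name') ) . '%');
+        $where = $wpdb->prepare("post_name LIKE %s", $wpdb->esc_like( get_query_var('name') ) . '%');
 
         // if any of post_type, year, monthnum, or day are set, use them to refine the query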
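--- a/trunk/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/src/wp-includes/class-wp-xmlrpc-server.php
@@ -5765,5 +5765,5 @@
                 // ...or a string #title, a little more complicated
                 $title = preg_replace('/[^a-z0-9]/i', '.', $urltest['fragment']);
-                $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", like_escape( $title ) );
+                $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", $title );
                 if (! ($post_ID = $wpdb->get_var($sql)) ) {
                     // returning unknown error '0' is better than die()ing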
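Review bot: New line 5767 passes `$title` into an `RLIKE` pattern with no escaping at all, which is only safe because the `preg_replace` on line 5766 has already reduced it to the characters `[a-z0-9.]`; that invariant is now load-bearing for the query and deserves a comment on line 5767, e.g. `// $title is restricted to [a-z0-9.] above, so it is usable as an RLIKE pattern where '.' is the intended single-character wildcard`. Dropping like_escape() here is correct, since backslash-escaping `%` and `_` has no meaning to a regular-expression match. The enclosing method continues outside the hunk.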
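--- a/trunk/src/wp-includes/comment.php
+++ b/trunk/src/wp-includes/comment.php
@@ -482,9 +482,9 @@
      */
     protected function get_search_sql( $string, $cols ) {
-        $string = esc_sql( like_escape( $string ) );
+        global $wpdb;
 
         $searches = array();
         foreach ( $cols as $col )
-            $searches[] = "$col LIKE '%$string%'";
+            $searches[] = $wpdb->prepare( "$col LIKE %s", $wpdb->esc_like( $string ) );
 
         return ' AND (' . implode(' OR ', $searches) . ')';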
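Review bot: New line 488 drops the `%` wildcards that old line 488 wrapped around the search string, so get_search_sql() changes from a substring match to an exact-equality LIKE on every column, and any caller passing a partial term will now get no rows. The escaped value should be wrapped the same way the bookmark.php, query.php and taxonomy.php hunks in this changeset do: `$searches[] = $wpdb->prepare( "$col LIKE %s", '%' . $wpdb->esc_like( $string ) . '%' );`. The method is fully within the hunk.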
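--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -480,5 +480,5 @@
     foreach ( $pung as $link_test ) {
         if ( ! in_array( $link_test, $post_links_temp ) ) { // link no longer in post
-            $mids = $wpdb->get_col( $wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, like_escape( $link_test ) . '%') );
+            $mids = $wpdb->get_col( $wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE %s", $post_ID, $wpdb->esc_like( $link_test ) . '%') );
             foreach ( $mids as $mid )
                 delete_metadata_by_mid( 'post', $mid );
@@ -499,5 +499,5 @@
 
     foreach ( (array) $post_links as $url ) {
-        if ( $url != '' && !$wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, like_escape( $url ) . '%' ) ) ) {
+        if ( $url != '' && !$wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE %s", $post_ID, $wpdb->esc_like( $url ) . '%' ) ) ) {
 
             if ( $headers = wp_get_http_headers( $url) ) {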
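--- a/trunk/src/wp-includes/meta.php
+++ b/trunk/src/wp-includes/meta.php
@@ -1048,6 +1048,6 @@
                 $meta_value = array_slice( $meta_value, 0, 2 );
                 $meta_compare_string = '%s AND %s';
-            } elseif ( 'LIKE' == substr( $meta_compare, -4 ) ) {
-                $meta_value = '%' . like_escape( $meta_value ) . '%';
+            } elseif ( 'LIKE' == $meta_compare || 'NOT LIKE' == $meta_compare ) {
+                $meta_value = '%' . $wpdb->esc_like( $meta_value ) . '%';
                 $meta_compare_string = '%s';
             } else {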
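--- a/trunk/src/wp-includes/ms-load.php
+++ b/trunk/src/wp-includes/ms-load.php
@@ -398,12 +398,15 @@
     $title = __( 'Error establishing a database connection' );
     $msg  = '<h1>' . $title . '</h1>';
-    if ( ! is_admin() )
+    if ( ! is_admin() ) {
         die( $msg );
+    }
     $msg .= '<p>' . __( 'If your site does not display, please contact the owner of this network.' ) . '';
     $msg .= ' ' . __( 'If you are the owner of this network please check that MySQL is running properly and all tables are error free.' ) . '</p>';
-    if ( ! $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->site'" ) )
+    $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->site ) );
+    if ( ! $wpdb->get_var( $query ) ) {
         $msg .= '<p>' . sprintf( __( '<strong>Database tables are missing.</strong> This means that MySQL is not running, WordPress was not installed properly, or someone deleted <code>%s</code>. You really should look at your database now.' ), $wpdb->site ) . '</p>';
-    else
+    } else {
         $msg .= '<p>' . sprintf( __( '<strong>Could not find site <code>%1$s</code>.</strong> Searched for table <code>%2$s</code> in database <code>%3$s</code>. Is that right?' ), rtrim( $domain . $path, '/' ), $wpdb->blogs, DB_NAME ) . '</p>';
+    }
     $msg .= '<p><strong>' . __( 'What do I do now?' ) . '</strong> ';
     $msg .= __( 'Read the <a target="_blank" href="http://codex.wordpress.org/Debugging_a_WordPress_Network">bug report</a> page. Some of the guidelines there may help you figure out what went wrong.' );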
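--- a/trunk/src/wp-includes/post.php
+++ b/trunk/src/wp-includes/post.php
@@ -4797,5 +4797,5 @@
     if ( ! empty($meta['thumb']) ) {
         // Don't delete the thumb if another attachment uses it
-        if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $meta['thumb'] . '%', $post_id)) ) {
+        if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $wpdb->esc_like( $meta['thumb'] ) . '%', $post_id)) ) {
             $thumbfile = str_replace(basename($file), $meta['thumb'], $file);
             /** This filter is documented in wp-admin/custom-header.php */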
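--- a/trunk/src/wp-includes/query.php
+++ b/trunk/src/wp-includes/query.php
@@ -1984,9 +1984,11 @@
         $q['search_orderby_title'] = array();
         foreach ( $q['search_terms'] as $term ) {
-            $term = like_escape( esc_sql( $term ) );
-            if ( $n )
-                $q['search_orderby_title'][] = "$wpdb->posts.post_title LIKE '%$term%'";
-
-            $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
+            if ( $n ) {
+                $like = '%' . $wpdb->esc_like( $term ) . '%';
+                $q['search_orderby_title'][] = $wpdb->prepare( "$wpdb->posts.post_title LIKE %s", $like );
+            }
+
+            $like = $n . $wpdb->esc_like( $term ) . $n;
+            $search .= $wpdb->prepare( "{$searchand}(($wpdb->posts.post_title LIKE %s) OR ($wpdb->posts.post_content LIKE %s))", $like, $like );
             $searchand = ' AND ';
         }
@@ -2087,9 +2089,9 @@
         if ( $q['search_terms_count'] > 1 ) {
             $num_terms = count( $q['search_orderby_title'] );
-            $search_orderby_s = like_escape( esc_sql( $q['s'] ) );
+            $like = '%' . $wpdb->esc_like( $q['s'] ) . '%';
 
             $search_orderby = '(CASE ';
             // sentence match in 'post_title'
-            $search_orderby .= "WHEN $wpdb->posts.post_title LIKE '%{$search_orderby_s}%' THEN 1 ";
+            $search_orderby .= $wpdb->prepare( "WHEN $wpdb->posts.post_title LIKE %s THEN 1 ", $like );
 
             // sanity limit, sort as sentence when more than 6 terms
@@ -2104,5 +2106,5 @@
 
             // sentence match in 'post_content'
-            $search_orderby .= "WHEN $wpdb->posts.post_content LIKE '%{$search_orderby_s}%' THEN 4 ";
+            $search_orderby .= $wpdb->prepare( "WHEN $wpdb->posts.post_content LIKE %s THEN 4 ", $like );
             $search_orderby .= 'ELSE 5 END)';
         } else {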
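Review bot: In the first hunk `$wpdb->esc_like( $term )` is evaluated twice per iteration (new lines 1987 and 1991), and the `$like` assigned on 1987 is immediately overwritten on 1991, which makes the two assignments look related when they are not. Escaping once at the top of the loop body with `$escaped = $wpdb->esc_like( $term );` and then building `'%' . $escaped . '%'` and `$n . $escaped . $n` from it removes the duplicate call and the shadowed variable. The enclosing method continues outside the hunk.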
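--- a/trunk/src/wp-includes/taxonomy.php
+++ b/trunk/src/wp-includes/taxonomy.php
@@ -1481,11 +1481,9 @@
 
     if ( ! empty( $args['name__like'] ) ) {
-        $name__like = like_escape( $args['name__like'] );
-        $where .= $wpdb->prepare( " AND t.name LIKE %s", '%' . $name__like . '%' );
+        $where .= $wpdb->prepare( " AND t.name LIKE %s", '%' . $wpdb->esc_like( $args['name__like'] ) . '%' );
     }
 
     if ( ! empty( $args['description__like'] ) ) {
-        $description__like = like_escape( $args['description__like'] );
-        $where .= $wpdb->prepare( " AND tt.description LIKE %s", '%' . $description__like . '%' );
+        $where .= $wpdb->prepare( " AND tt.description LIKE %s", '%' . $wpdb->esc_like( $args['description__like'] ) . '%' );
     }
 
@@ -1518,6 +1516,6 @@
 
     if ( ! empty( $args['search'] ) ) {
-        $search = like_escape( $args['search'] );
-        $where .= $wpdb->prepare( ' AND ((t.name LIKE %s) OR (t.slug LIKE %s))', '%' . $search . '%', '%' . $search . '%' );
+        $like = '%' . $wpdb->esc_like( $args['search'] ) . '%';
+        $where .= $wpdb->prepare( ' AND ((t.name LIKE %s) OR (t.slug LIKE %s))', $like, $like );
     }
 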
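--- a/trunk/src/wp-includes/user.php
+++ b/trunk/src/wp-includes/user.php
@@ -798,5 +798,5 @@
      */
     protected function get_search_sql( $string, $cols, $wild = false ) {
-        $string = esc_sql( $string );
+        global $wpdb;
 
         $searches = array();
@@ -805,7 +805,7 @@
         foreach ( $cols as $col ) {
             if ( 'ID' == $col )
-                $searches[] = "$col = '$string'";
+                $searches[] = $wpdb->prepare( "$col = %s", $string );
             else
-                $searches[] = "$col LIKE '$leading_wild" . like_escape($string) . "$trailing_wild'";
+                $searches[] = $wpdb->prepare( "$col LIKE %s", $leading_wild . $wpdb->esc_like( $string ) . $trailing_wild );
         }
 
@@ -1150,5 +1150,5 @@
         $select_count = array();
         foreach ( $avail_roles as $this_role => $name ) {
-            $select_count[] = "COUNT(NULLIF(`meta_value` LIKE '%\"" . like_escape( $this_role ) . "\"%', false))";
+            $select_count[] = $wpdb->prepare( "COUNT(NULLIF(`meta_value` LIKE %s, false))", '%' . $wpdb->esc_like( '"' . $this_role . '"' ) . '%');
         }
         $select_count = implode(', ', $select_count);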