
Changeset 28712


Timestamp:
06/10/2014 12:43:32 AM (10 years ago)
Author:
wonderboymusic
Message:

Replace all uses of like_escape() with $wpdb->esc_like().

Props miqrogroove.
See #10041.

Location:
trunk/src
Files:
19 edited

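--- a/trunk/src/wp-admin/includes/class-wp-ms-sites-list-table.php
+++ b/trunk/src/wp-admin/includes/class-wp-ms-sites-list-table.php
@@ -39,6 +39,4 @@
         }
 
-        $like_s = esc_sql( like_escape( $s ) );
-
         // If the network is large and a search is not being performed, show only the latest blogs with no paging in order
         // to avoid expensive count queries.
@@ -59,5 +57,6 @@
                     preg_match( '/^[0-9]{1,3}\.$/', $s ) ) {
             // IPv4 address
-            $reg_blog_ids = $wpdb->get_col( "SELECT blog_id FROM {$wpdb->registration_log} WHERE {$wpdb->registration_log}.IP LIKE ( '{$like_s}$wild' )" );
+            $sql = $wpdb->prepare( "SELECT blog_id FROM {$wpdb->registration_log} WHERE {$wpdb->registration_log}.IP LIKE %s", $wpdb->esc_like( $s ) . $wild );
+            $reg_blog_ids = $wpdb->get_col( $sql );
 
             if ( !$reg_blog_ids )
@@ -70,15 +69,16 @@
         } else {
             if ( is_numeric($s) && empty( $wild ) ) {
-                $query .= " AND ( {$wpdb->blogs}.blog_id = '{$like_s}' )";
+                $query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.blog_id = %s )", $s );
             } elseif ( is_subdomain_install() ) {
-                $blog_s = str_replace( '.' . $current_site->domain, '', $like_s );
-                $blog_s .= $wild . '.' . $current_site->domain;
-                $query .= " AND ( {$wpdb->blogs}.domain LIKE '$blog_s' ) ";
+                $blog_s = str_replace( '.' . $current_site->domain, '', $s );
+                $blog_s = $wpdb->esc_like( $blog_s ) . $wild . $wpdb->esc_like( '.' . $current_site->domain );
+                $query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.domain LIKE %s ) ", $blog_s );
             } else {
-                if ( $like_s != trim('/', $current_site->path) )
-                    $blog_s = $current_site->path . $like_s . $wild . '/';
-                else
-                    $blog_s = $like_s;
-                $query .= " AND  ( {$wpdb->blogs}.path LIKE '$blog_s' )";
+                if ( $s != trim('/', $current_site->path) ) {
+                    $blog_s = $wpdb->esc_like( $current_site->path . $s ) . $wild . $wpdb->esc_like( '/' );
+                } else {
+                    $blog_s = $wpdb->esc_like( $s );
+                }
+                $query .= $wpdb->prepare( " AND  ( {$wpdb->blogs}.path LIKE %s )", $blog_s );
             }
         }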
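Review bot: The argument order of `trim('/', $current_site->path)` on new line 77 looks reversed — PHP's trim() takes the subject first and the character list second, so this trims the literal string '/' using the path as the character list and compares $s against that, not against the trimmed site path; the commit carries it over from old line 78. Suggest `if ( $s != trim( $current_site->path, '/' ) ) {`. Separately, new line 71 is guarded by is_numeric($s) yet binds blog_id with `%s`; `%d` would state the intent and avoid a quoted-string comparison on the integer column, though it changes nothing for valid inputs. The enclosing method starts and ends outside these hunks.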
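--- a/trunk/src/wp-admin/includes/schema.php
+++ b/trunk/src/wp-admin/includes/schema.php
@@ -554,17 +554,19 @@
     // and the corresponding transient_timeout record from table b.
     $time = time();
-    $wpdb->query("DELETE a, b FROM $wpdb->options a, $wpdb->options b WHERE
-            a.option_name LIKE '\_transient\_%' AND
-            a.option_name NOT LIKE '\_transient\_timeout\_%' AND
-            b.option_name = CONCAT( '_transient_timeout_', SUBSTRING( a.option_name, 12 ) )
-            AND b.option_value < $time");
+    $sql = "DELETE a, b FROM $wpdb->options a, $wpdb->options b
+        WHERE a.option_name LIKE %s
+        AND a.option_name NOT LIKE %s
+        AND b.option_name = CONCAT( '_transient_timeout_', SUBSTRING( a.option_name, 12 ) )
+        AND b.option_value < %d";
+    $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_transient_' ) . '%', $wpdb->esc_like( '_transient_timeout_' ) . '%', $time ) );
 
     if ( is_main_site() && is_main_network() ) {
-        $wpdb->query("DELETE a, b FROM $wpdb->options a, $wpdb->options b WHERE
-            a.option_name LIKE '\_site\_transient\_%' AND
-            a.option_name NOT LIKE '\_site\_transient\_timeout\_%' AND
-            b.option_name = CONCAT( '_site_transient_timeout_', SUBSTRING( a.option_name, 17 ) )
-            AND b.option_value < $time");
-    }
+        $sql = "DELETE a, b FROM $wpdb->options a, $wpdb->options b
+            WHERE a.option_name LIKE %s
+            AND a.option_name NOT LIKE %s
+            AND b.option_name = CONCAT( '_site_transient_timeout_', SUBSTRING( a.option_name, 17 ) )
+            AND b.option_value < %d";
+        $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_site_transient_' ) . '%', $wpdb->esc_like( '_site_transient_timeout_' ) . '%', $time ) );
+    }
 }
 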
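--- a/trunk/src/wp-admin/includes/template.php
+++ b/trunk/src/wp-admin/includes/template.php
@@ -633,12 +633,12 @@
      * @param int $limit Number of custom fields to retrieve. Default 30.
      */
-    $limit = (int) apply_filters( 'postmeta_form_limit', 30 );
-    $keys = $wpdb->get_col( "
-        SELECT meta_key
+    $limit = apply_filters( 'postmeta_form_limit', 30 );
+    $sql = "SELECT meta_key
         FROM $wpdb->postmeta
         GROUP BY meta_key
-        HAVING meta_key NOT LIKE '\_%'
+        HAVING meta_key NOT LIKE %s
         ORDER BY meta_key
-        LIMIT $limit" );
+        LIMIT %d";
+    $keys = $wpdb->get_col( $wpdb->prepare( $sql, $wpdb->esc_like( '_' ) . '%', $limit ) );
     if ( $keys ) {
         natcasesort( $keys );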
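--- a/trunk/src/wp-admin/includes/upgrade.php
+++ b/trunk/src/wp-admin/includes/upgrade.php
@@ -466,7 +466,9 @@
     }
 
-    $wpdb->query("UPDATE $wpdb->options SET option_value = REPLACE(option_value, 'wp-links/links-images/', 'wp-images/links/')
-    WHERE option_name LIKE 'links_rating_image%'
-    AND option_value LIKE 'wp-links/links-images/%'");
+    $sql = "UPDATE $wpdb->options
+        SET option_value = REPLACE(option_value, 'wp-links/links-images/', 'wp-images/links/')
+        WHERE option_name LIKE %s
+        AND option_value LIKE %s";
+    $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( 'links_rating_image' ) . '%', $wpdb->esc_like( 'wp-links/links-images/' ) . '%' ) );
 
     $done_ids = $wpdb->get_results("SELECT DISTINCT post_id FROM $wpdb->post2cat");
@@ -1101,7 +1103,26 @@
     // 3.0 screen options key name changes.
     if ( is_main_site() && !defined('DO_NOT_UPGRADE_GLOBAL_TABLES') ) {
-        $prefix = like_escape($wpdb->base_prefix);
-        $wpdb->query( "DELETE FROM $wpdb->usermeta WHERE meta_key LIKE '{$prefix}%meta-box-hidden%' OR meta_key LIKE '{$prefix}%closedpostboxes%' OR meta_key LIKE '{$prefix}%manage-%-columns-hidden%' OR meta_key LIKE '{$prefix}%meta-box-order%' OR meta_key LIKE '{$prefix}%metaboxorder%' OR meta_key LIKE '{$prefix}%screen_layout%'
-                     OR meta_key = 'manageedittagscolumnshidden' OR meta_key='managecategoriescolumnshidden' OR meta_key = 'manageedit-tagscolumnshidden' OR meta_key = 'manageeditcolumnshidden' OR meta_key = 'categories_per_page' OR meta_key = 'edit_tags_per_page'" );
+        $sql = "DELETE FROM $wpdb->usermeta
+            WHERE meta_key LIKE %s
+            OR meta_key LIKE %s
+            OR meta_key LIKE %s
+            OR meta_key LIKE %s
+            OR meta_key LIKE %s
+            OR meta_key LIKE %s
+            OR meta_key = 'manageedittagscolumnshidden'
+            OR meta_key = 'managecategoriescolumnshidden'
+            OR meta_key = 'manageedit-tagscolumnshidden'
+            OR meta_key = 'manageeditcolumnshidden'
+            OR meta_key = 'categories_per_page'
+            OR meta_key = 'edit_tags_per_page'";
+        $prefix = $wpdb->esc_like( $wpdb->base_prefix );
+        $wpdb->query( $wpdb->prepare( $sql,
+            $prefix . '%' . $wpdb->esc_like( 'meta-box-hidden' ) . '%',
+            $prefix . '%' . $wpdb->esc_like( 'closedpostboxes' ) . '%',
+            $prefix . '%' . $wpdb->esc_like( 'manage-'     ) . '%' . $wpdb->esc_like( '-columns-hidden' ) . '%',
+            $prefix . '%' . $wpdb->esc_like( 'meta-box-order'  ) . '%',
+            $prefix . '%' . $wpdb->esc_like( 'metaboxorder'    ) . '%',
+            $prefix . '%' . $wpdb->esc_like( 'screen_layout'   ) . '%'
+        ) );
     }
 
@@ -1285,9 +1306,10 @@
         // and the corresponding transient_timeout record from table b.
         $time = time();
-        $wpdb->query("DELETE a, b FROM $wpdb->sitemeta a, $wpdb->sitemeta b WHERE
-            a.meta_key LIKE '\_site\_transient\_%' AND
-            a.meta_key NOT LIKE '\_site\_transient\_timeout\_%' AND
-            b.meta_key = CONCAT( '_site_transient_timeout_', SUBSTRING( a.meta_key, 17 ) )
-            AND b.meta_value < $time");
+        $sql = "DELETE a, b FROM $wpdb->sitemeta a, $wpdb->sitemeta b
+            WHERE a.meta_key LIKE %s
+            AND a.meta_key NOT LIKE %s
+            AND b.meta_key = CONCAT( '_site_transient_timeout_', SUBSTRING( a.meta_key, 17 ) )
+            AND b.meta_value < %d";
+        $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_site_transient_' ) . '%', $wpdb->esc_like ( '_site_transient_timeout_' ) . '%', $time ) );
     }
 
@@ -1383,11 +1405,16 @@
 function maybe_create_table($table_name, $create_ddl) {
     global $wpdb;
-    if ( $wpdb->get_var("SHOW TABLES LIKE '$table_name'") == $table_name )
+   
+    $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $table_name ) );
+
+    if ( $wpdb->get_var( $query ) == $table_name ) {
         return true;
+    }
     //didn't find it try to create it.
     $wpdb->query($create_ddl);
     // we cannot directly tell that whether this succeeded!
-    if ( $wpdb->get_var("SHOW TABLES LIKE '$table_name'") == $table_name )
+    if ( $wpdb->get_var( $query ) == $table_name ) {
         return true;
+    }
     return false;
 }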
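Review bot: New line 1407 in maybe_create_table() is a whitespace-only line, and new line 1313 writes `$wpdb->esc_like ( '_site_transient_timeout_' )` with a space before the parenthesis, unlike every other esc_like() call in this changeset; both are style nits worth cleaning up before commit. In maybe_create_table() the two `== $table_name` comparisons on new lines 1410 and 1416 could become `===` now that get_var() returns either the matching table name or null. The rest of the file outside these four hunks is not visible here.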
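--- a/trunk/src/wp-admin/install.php
+++ b/trunk/src/wp-admin/install.php
@@ -75,5 +75,7 @@
 function display_setup_form( $error = null ) {
     global $wpdb;
-    $user_table = ( $wpdb->get_var("SHOW TABLES LIKE '$wpdb->users'") != null );
+
+    $sql = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->users ) );
+    $user_table = ( $wpdb->get_var( $sql ) != null );
 
     // Ensure that Blogs appear in search engines by default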
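--- a/trunk/src/wp-admin/maint/repair.php
+++ b/trunk/src/wp-admin/maint/repair.php
@@ -37,6 +37,8 @@
 
     // Sitecategories may not exist if global terms are disabled.
-    if ( is_multisite() && ! $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->sitecategories'" ) )
+    $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->sitecategories ) );
+    if ( is_multisite() && ! $wpdb->get_var( $query ) ) {
         unset( $tables['sitecategories'] );
+    }
 
     /**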
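--- a/trunk/src/wp-admin/network.php
+++ b/trunk/src/wp-admin/network.php
@@ -40,6 +40,9 @@
 function network_domain_check() {
     global $wpdb;
-    if ( $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->site'" ) )
+
+    $sql = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->site ) );
+    if ( $wpdb->get_var( $sql ) ) {
         return $wpdb->get_var( "SELECT domain FROM $wpdb->site ORDER BY id ASC LIMIT 1" );
+    }
     return false;
 }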
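--- a/trunk/src/wp-admin/network/site-settings.php
+++ b/trunk/src/wp-admin/network/site-settings.php
@@ -114,5 +114,12 @@
         <?php
         $blog_prefix = $wpdb->get_blog_prefix( $id );
-        $options = $wpdb->get_results( "SELECT * FROM {$blog_prefix}options WHERE option_name NOT LIKE '\_%' AND option_name NOT LIKE '%user_roles'" );
+        $sql = "SELECT * FROM {$blog_prefix}options
+            WHERE option_name NOT LIKE %s
+            AND option_name NOT LIKE %s";
+        $query = $wpdb->prepare( $sql,
+            $wpdb->esc_like( '_' ) . '%',
+            '%' . $wpdb->esc_like( 'user_roles' )
+        );
+        $options = $wpdb->get_results( $query );
         foreach ( $options as $option ) {
             if ( $option->option_name == 'default_role' )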
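--- a/trunk/src/wp-includes/bookmark.php
+++ b/trunk/src/wp-includes/bookmark.php
@@ -209,6 +209,6 @@
     $search = '';
     if ( ! empty( $r['search'] ) ) {
-        $search = esc_sql( like_escape( $r['search'] ) );
-        $search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) ";
+        $like = '%' . $wpdb->esc_like( $r['search'] ) . '%';
+        $search = $wpdb->prepare(" AND ( (link_url LIKE %s) OR (link_name LIKE %s) OR (link_description LIKE %s) ) ", $like, $like, $like );
     }
 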
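--- a/trunk/src/wp-includes/canonical.php
+++ b/trunk/src/wp-includes/canonical.php
@@ -505,5 +505,5 @@
 
     if ( get_query_var('name') ) {
-        $where = $wpdb->prepare("post_name LIKE %s", like_escape( get_query_var('name') ) . '%');
+        $where = $wpdb->prepare("post_name LIKE %s", $wpdb->esc_like( get_query_var('name') ) . '%');
 
         // if any of post_type, year, monthnum, or day are set, use them to refine the query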
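--- a/trunk/src/wp-includes/class-wp-xmlrpc-server.php
+++ b/trunk/src/wp-includes/class-wp-xmlrpc-server.php
@@ -5765,5 +5765,5 @@
                 // ...or a string #title, a little more complicated
                 $title = preg_replace('/[^a-z0-9]/i', '.', $urltest['fragment']);
-                $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", like_escape( $title ) );
+                $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", $title );
                 if (! ($post_ID = $wpdb->get_var($sql)) ) {
                     // returning unknown error '0' is better than die()ing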
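Review bot: Dropping like_escape() on new line 5767 is right because RLIKE takes a regular expression rather than a LIKE pattern, but the line now deserves a comment saying why no escaping is applied at all: the preg_replace on line 5766 has already reduced $title to `[a-z0-9.]`, where `.` is the intended any-character wildcard, so the regex contains nothing else to escape. Suggest `// RLIKE is a regex match; $title was restricted to [a-z0-9.] above, so no LIKE escaping applies.` directly above the prepare() call. The enclosing method starts and ends outside the hunk.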
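--- a/trunk/src/wp-includes/comment.php
+++ b/trunk/src/wp-includes/comment.php
@@ -482,9 +482,9 @@
      */
     protected function get_search_sql( $string, $cols ) {
-        $string = esc_sql( like_escape( $string ) );
+        global $wpdb;
 
         $searches = array();
         foreach ( $cols as $col )
-            $searches[] = "$col LIKE '%$string%'";
+            $searches[] = $wpdb->prepare( "$col LIKE %s", $wpdb->esc_like( $string ) );
 
         return ' AND (' . implode(' OR ', $searches) . ')';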
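Review bot: The `%` wildcards are lost on new line 488 — old line 488 built `'%$string%'`, but the new prepare() binds the bare escaped string, so the comment search becomes an exact match on each column instead of the substring match it was before. The fix is `$searches[] = $wpdb->prepare( "$col LIKE %s", '%' . $wpdb->esc_like( $string ) . '%' );`. The same conversion is done correctly in bookmark.php and taxonomy.php in this changeset, which pad the escaped value with `%` on both sides before binding.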
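--- a/trunk/src/wp-includes/functions.php
+++ b/trunk/src/wp-includes/functions.php
@@ -480,5 +480,5 @@
     foreach ( $pung as $link_test ) {
         if ( ! in_array( $link_test, $post_links_temp ) ) { // link no longer in post
-            $mids = $wpdb->get_col( $wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, like_escape( $link_test ) . '%') );
+            $mids = $wpdb->get_col( $wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE %s", $post_ID, $wpdb->esc_like( $link_test ) . '%') );
             foreach ( $mids as $mid )
                 delete_metadata_by_mid( 'post', $mid );
@@ -499,5 +499,5 @@
 
     foreach ( (array) $post_links as $url ) {
-        if ( $url != '' && !$wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, like_escape( $url ) . '%' ) ) ) {
+        if ( $url != '' && !$wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE %s", $post_ID, $wpdb->esc_like( $url ) . '%' ) ) ) {
 
             if ( $headers = wp_get_http_headers( $url) ) {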
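--- a/trunk/src/wp-includes/meta.php
+++ b/trunk/src/wp-includes/meta.php
@@ -1048,6 +1048,6 @@
                 $meta_value = array_slice( $meta_value, 0, 2 );
                 $meta_compare_string = '%s AND %s';
-            } elseif ( 'LIKE' == substr( $meta_compare, -4 ) ) {
-                $meta_value = '%' . like_escape( $meta_value ) . '%';
+            } elseif ( 'LIKE' == $meta_compare || 'NOT LIKE' == $meta_compare ) {
+                $meta_value = '%' . $wpdb->esc_like( $meta_value ) . '%';
                 $meta_compare_string = '%s';
             } else {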
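Review bot: New line 1050 swaps the suffix test `'LIKE' == substr( $meta_compare, -4 )` for exact comparisons against 'LIKE' and 'NOT LIKE', which is only equivalent if $meta_compare has already been upper-cased and validated against a known operator list before this point; that code is outside the hunk and cannot be confirmed here. If it is not normalised, a lowercase or padded operator that used to take this branch would now silently fall into the else branch. Worth checking against the normalisation code above and stating the assumption in a one-line comment at the elseif.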
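--- a/trunk/src/wp-includes/ms-load.php
+++ b/trunk/src/wp-includes/ms-load.php
@@ -398,12 +398,15 @@
     $title = __( 'Error establishing a database connection' );
     $msg  = '<h1>' . $title . '</h1>';
-    if ( ! is_admin() )
+    if ( ! is_admin() ) {
         die( $msg );
+    }
     $msg .= '<p>' . __( 'If your site does not display, please contact the owner of this network.' ) . '';
     $msg .= ' ' . __( 'If you are the owner of this network please check that MySQL is running properly and all tables are error free.' ) . '</p>';
-    if ( ! $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->site'" ) )
+    $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->site ) );
+    if ( ! $wpdb->get_var( $query ) ) {
         $msg .= '<p>' . sprintf( __( '<strong>Database tables are missing.</strong> This means that MySQL is not running, WordPress was not installed properly, or someone deleted <code>%s</code>. You really should look at your database now.' ), $wpdb->site ) . '</p>';
-    else
+    } else {
         $msg .= '<p>' . sprintf( __( '<strong>Could not find site <code>%1$s</code>.</strong> Searched for table <code>%2$s</code> in database <code>%3$s</code>. Is that right?' ), rtrim( $domain . $path, '/' ), $wpdb->blogs, DB_NAME ) . '</p>';
+    }
     $msg .= '<p><strong>' . __( 'What do I do now?' ) . '</strong> ';
     $msg .= __( 'Read the <a target="_blank" href="http://codex.wordpress.org/Debugging_a_WordPress_Network">bug report</a> page. Some of the guidelines there may help you figure out what went wrong.' );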
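--- a/trunk/src/wp-includes/post.php
+++ b/trunk/src/wp-includes/post.php
@@ -4797,5 +4797,5 @@
     if ( ! empty($meta['thumb']) ) {
         // Don't delete the thumb if another attachment uses it
-        if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $meta['thumb'] . '%', $post_id)) ) {
+        if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $wpdb->esc_like( $meta['thumb'] ) . '%', $post_id)) ) {
             $thumbfile = str_replace(basename($file), $meta['thumb'], $file);
             /** This filter is documented in wp-admin/custom-header.php */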
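--- a/trunk/src/wp-includes/query.php
+++ b/trunk/src/wp-includes/query.php
@@ -1984,9 +1984,11 @@
         $q['search_orderby_title'] = array();
         foreach ( $q['search_terms'] as $term ) {
-            $term = like_escape( esc_sql( $term ) );
-            if ( $n )
-                $q['search_orderby_title'][] = "$wpdb->posts.post_title LIKE '%$term%'";
-
-            $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
+            if ( $n ) {
+                $like = '%' . $wpdb->esc_like( $term ) . '%';
+                $q['search_orderby_title'][] = $wpdb->prepare( "$wpdb->posts.post_title LIKE %s", $like );
+            }
+
+            $like = $n . $wpdb->esc_like( $term ) . $n;
+            $search .= $wpdb->prepare( "{$searchand}(($wpdb->posts.post_title LIKE %s) OR ($wpdb->posts.post_content LIKE %s))", $like, $like );
             $searchand = ' AND ';
         }
@@ -2087,9 +2089,9 @@
         if ( $q['search_terms_count'] > 1 ) {
             $num_terms = count( $q['search_orderby_title'] );
-            $search_orderby_s = like_escape( esc_sql( $q['s'] ) );
+            $like = '%' . $wpdb->esc_like( $q['s'] ) . '%';
 
             $search_orderby = '(CASE ';
             // sentence match in 'post_title'
-            $search_orderby .= "WHEN $wpdb->posts.post_title LIKE '%{$search_orderby_s}%' THEN 1 ";
+            $search_orderby .= $wpdb->prepare( "WHEN $wpdb->posts.post_title LIKE %s THEN 1 ", $like );
 
             // sanity limit, sort as sentence when more than 6 terms
@@ -2104,5 +2106,5 @@
 
             // sentence match in 'post_content'
-            $search_orderby .= "WHEN $wpdb->posts.post_content LIKE '%{$search_orderby_s}%' THEN 4 ";
+            $search_orderby .= $wpdb->prepare( "WHEN $wpdb->posts.post_content LIKE %s THEN 4 ", $like );
             $search_orderby .= 'ELSE 5 END)';
         } else {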
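Review bot: In the first hunk `$like` is assigned twice per iteration with different padding (new line 1987 uses `'%' … '%'`, new line 1991 uses `$n … $n`), so the name no longer tells the reader which pattern it holds when it is consumed on line 1992; distinct names such as `$title_like` and `$term_like` would make the two patterns obvious. In the later hunks the single `$like` built on new line 2091 is reused on new line 2108, which is fine because both are sentence matches padded with `%` on each side, but a short comment at 2091 noting that it feeds both CASE branches would help. The enclosing method starts and ends outside these hunks.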
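--- a/trunk/src/wp-includes/taxonomy.php
+++ b/trunk/src/wp-includes/taxonomy.php
@@ -1481,11 +1481,9 @@
 
     if ( ! empty( $args['name__like'] ) ) {
-        $name__like = like_escape( $args['name__like'] );
-        $where .= $wpdb->prepare( " AND t.name LIKE %s", '%' . $name__like . '%' );
+        $where .= $wpdb->prepare( " AND t.name LIKE %s", '%' . $wpdb->esc_like( $args['name__like'] ) . '%' );
     }
 
     if ( ! empty( $args['description__like'] ) ) {
-        $description__like = like_escape( $args['description__like'] );
-        $where .= $wpdb->prepare( " AND tt.description LIKE %s", '%' . $description__like . '%' );
+        $where .= $wpdb->prepare( " AND tt.description LIKE %s", '%' . $wpdb->esc_like( $args['description__like'] ) . '%' );
     }
 
@@ -1518,6 +1516,6 @@
 
     if ( ! empty( $args['search'] ) ) {
-        $search = like_escape( $args['search'] );
-        $where .= $wpdb->prepare( ' AND ((t.name LIKE %s) OR (t.slug LIKE %s))', '%' . $search . '%', '%' . $search . '%' );
+        $like = '%' . $wpdb->esc_like( $args['search'] ) . '%';
+        $where .= $wpdb->prepare( ' AND ((t.name LIKE %s) OR (t.slug LIKE %s))', $like, $like );
     }
 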
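--- a/trunk/src/wp-includes/user.php
+++ b/trunk/src/wp-includes/user.php
@@ -798,5 +798,5 @@
      */
     protected function get_search_sql( $string, $cols, $wild = false ) {
-        $string = esc_sql( $string );
+        global $wpdb;
 
         $searches = array();
@@ -805,7 +805,7 @@
         foreach ( $cols as $col ) {
             if ( 'ID' == $col )
-                $searches[] = "$col = '$string'";
+                $searches[] = $wpdb->prepare( "$col = %s", $string );
             else
-                $searches[] = "$col LIKE '$leading_wild" . like_escape($string) . "$trailing_wild'";
+                $searches[] = $wpdb->prepare( "$col LIKE %s", $leading_wild . $wpdb->esc_like( $string ) . $trailing_wild );
         }
 
@@ -1150,5 +1150,5 @@
         $select_count = array();
         foreach ( $avail_roles as $this_role => $name ) {
-            $select_count[] = "COUNT(NULLIF(`meta_value` LIKE '%\"" . like_escape( $this_role ) . "\"%', false))";
+            $select_count[] = $wpdb->prepare( "COUNT(NULLIF(`meta_value` LIKE %s, false))", '%' . $wpdb->esc_like( '"' . $this_role . '"' ) . '%');
         }
         $select_count = implode(', ', $select_count);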
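Review bot: New line 807 binds the ID column with `%s`, producing a quoted string comparison `ID = '…'` against an integer column; since this branch is taken only when `'ID' == $col`, `%d` would express the intent and avoid string-versus-integer comparison semantics, e.g. `$searches[] = $wpdb->prepare( "$col = %d", $string );`, at the cost of casting non-numeric input to 0 (which matches no row, as before). `$col`, `$leading_wild` and `$trailing_wild` are set outside the hunk, so the column list is assumed to be caller-controlled rather than user input. The enclosing method get_search_sql starts and ends outside the hunks.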