Make WordPress Core


Ignore:
Timestamp:
10/17/2014 01:19:03 AM (10 years ago)
Author:
boonebgorges
Message:

Use table aliases for columns in SQL generated by WP_Date_Query.

The use of non-aliased column names (eg 'post_date' instead of 'wp_posts.post_date')
in WP_Date_Query causes SQL notices and other failures when queries involve
table joins, such as date_query combined with tax_query or meta_query. This
changeset modifies WP_Date_Query::validate_column() to add the table alias when
it can be detected from the column name (ie, in the case of core columns).

A side effect of this change is that it is now possible to use WP_Date_Query
to build WHERE clauses across multiple tables, though there is currently no
core support for the automatic generation of the necessary JOIN clauses. See

Props ew_holmes, wonderboymusic, neoxx, Viper007Bond, boonebgorges.
Fixes #25775.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/date.php

    r29925 r29933  
    436436     * Validates a column name parameter.
    437437     *
     438     * Column names without a table prefix (like 'post_date') are checked against a whitelist of
     439     * known tables, and then, if found, have a table prefix (such as 'wp_posts.') prepended.
     440     * Prefixed column names (such as 'wp_posts.post_date') bypass this whitelist check,
     441     * and are only sanitized to remove illegal characters.
     442     *
    438443     * @since 3.7.0
    439444     * @access public
     
    443448     */
    444449    public function validate_column( $column ) {
     450        global $wpdb;
     451
    445452        $valid_columns = array(
    446453            'post_date', 'post_date_gmt', 'post_modified',
    447454            'post_modified_gmt', 'comment_date', 'comment_date_gmt'
    448455        );
    449         /**
    450          * Filter the list of valid date query columns.
    451          *
    452          * @since 3.7.0
    453          *
    454          * @param array $valid_columns An array of valid date query columns. Defaults are 'post_date', 'post_date_gmt',
    455          *                             'post_modified', 'post_modified_gmt', 'comment_date', 'comment_date_gmt'
    456          */
    457         if ( ! in_array( $column, apply_filters( 'date_query_valid_columns', $valid_columns ) ) )
    458             $column = 'post_date';
    459 
    460         return $column;
     456
     457        // Attempt to detect a table prefix.
     458        if ( false === strpos( $column, '.' ) ) {
     459            /**
     460             * Filter the list of valid date query columns.
     461             *
     462             * @since 3.7.0
     463             *
     464             * @param array $valid_columns An array of valid date query columns. Defaults
     465             *                 are 'post_date', 'post_date_gmt', 'post_modified',
     466             *                 'post_modified_gmt', 'comment_date', 'comment_date_gmt'
     467             */
     468            if ( ! in_array( $column, apply_filters( 'date_query_valid_columns', $valid_columns ) ) ) {
     469                $column = 'post_date';
     470            }
     471
     472            $known_columns = array(
     473                $wpdb->posts => array(
     474                    'post_date',
     475                    'post_date_gmt',
     476                    'post_modified',
     477                    'post_modified_gmt',
     478                ),
     479                $wpdb->comments => array(
     480                    'comment_date',
     481                    'comment_date_gmt',
     482                ),
     483            );
     484
     485            // If it's a known column name, add the appropriate table prefix.
     486            foreach ( $known_columns as $table_name => $table_columns ) {
     487                if ( in_array( $column, $table_columns ) ) {
     488                    $column = $table_name . '.' . $column;
     489                    break;
     490                }
     491            }
     492
     493        }
     494
     495        // Remove unsafe characters.
     496        return preg_replace( '/[^a-zA-Z0-9_$\.]/', '', $column );
    461497    }
    462498
Note: See TracChangeset for help on using the changeset viewer.