Changeset 42068 for branches/3.7/src/wp-includes/post.php

Timestamp:

10/31/2017 01:01:54 PM (7 years ago)

Author:

pento

Message:

Database: Restore numbered placeholders in wpdb::prepare().

[41496] removed support for numbered placeholders in queries send through wpdb::prepare(), which, despite being undocumented, were quite commonly used.

This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to wpdb::prepare(), given the number of placeholders.

Merges [41662], [42056] to the 3.7 branch.
See #41925.

Location:

branches/3.7

Files:

• . (modified) (1 prop)
• src (modified) (1 prop)
• src/wp-includes/post.php (modified) (1 diff)

branches/3.7/src/wp-includes/post.php

@@ -3495 +3495 @@
     $page_path = str_replace('%20', ' ', $page_path);
     $parts = explode( '/', trim( $page_path, '/' ) );
-    $parts = esc_sql( $parts );
     $parts = array_map( 'sanitize_title_for_query', $parts );
-
-    $in_string = "'". implode( "','", $parts ) . "'";
+    $escaped_parts = esc_sql( $parts );
+
+    $in_string = "'". implode( "','", $escaped_parts ) . "'";
     $post_type_sql = esc_sql( $post_type );
     $pages = $wpdb->get_results( "SELECT ID, post_name, post_parent, post_type FROM $wpdb->posts WHERE post_name IN ($in_string) AND (post_type = '$post_type_sql' OR post_type = 'attachment')", OBJECT_K );