Changeset 4332 for trunk/wp-admin/options.php

Timestamp:

10/04/2006 12:18:28 PM (19 years ago)

Author:

markjaquith

Message:

Prevent non-option form elements from sneaking in to the options table. fixes #2595

File:

• trunk/wp-admin/options.php (modified) (2 diffs)

trunk/wp-admin/options.php

@@ -89 +89 @@
     check_admin_referer('update-options');
 
-    if (!$_POST['page_options']) {
-        foreach ($_POST as $key => $value) {
-            $options[] = $key;
+    if ( !$_POST['page_options'] ) {
+        foreach ( (array) $_POST as $key => $value) {
+            if ( !in_array($key, array('_wpnonce', '_wp_http_referer')) )
+                $options[] = $key;
         }
     } else {
@@ -123 +124 @@
 <?php
 $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name");
+foreach ( (array) $options as $option )
+    $options_to_update[] = $option->option_name;
+$options_to_update = implode(',', $options_to_update);
+?>
 
-foreach ($options as $option) :
+<input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" /> 
+
+<?php
+foreach ( (array) $options as $option) :
     $value = wp_specialchars($option->option_value, 'single');
     echo "