

Timestamp:
08/01/2007 07:14:10 PM (17 years ago)
Author:
markjaquith
Message:

add_option()/update_option() should pass the option name to get_option() pre-escaped. fixes #4690 for trunk

File:
1 edited

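--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -178,4 +178,5 @@
 /* Options functions */
 
+// expects $setting to already be SQL-escaped
 function get_option($setting) {
     global $wpdb;
@@ -277,4 +278,5 @@
 }
 
+// expects $option_name to NOT be SQL-escaped
 function update_option($option_name, $newvalue) {
     global $wpdb;
@@ -282,4 +284,5 @@
     wp_protect_special_option($option_name);
 
+    $safe_option_name = $wpdb->escape($option_name);
     $newvalue = sanitize_option($option_name, $newvalue);
 
@@ -288,5 +291,5 @@
 
     // If the new and old values are the same, no need to update.
-    $oldvalue = get_option($option_name);
+    $oldvalue = get_option($safe_option_name);
     if ( $newvalue === $oldvalue ) {
         return false;
@@ -326,13 +329,15 @@
 
 // thx Alex Stapleton, http://alex.vort-x.net/blog/
+// expects $name to NOT be SQL-escaped
 function add_option($name, $value = '', $description = '', $autoload = 'yes') {
     global $wpdb;
 
     wp_protect_special_option($name);
+    $safe_name = $wpdb->escape($name);
 
     // Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query
     $notoptions = wp_cache_get('notoptions', 'options');
     if ( !is_array($notoptions) || !isset($notoptions[$name]) )
-        if ( false !== get_option($name) )
+        if ( false !== get_option($safe_name) )
             return;
 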
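Review bot: The SQL-safety of `get_option($setting)` now rests only on the comment `// expects $setting to already be SQL-escaped`, while `update_option()` and `add_option()` document the opposite convention, so any caller that hands a raw name to `get_option()` still reaches the query unescaped. Escaping at the point where the query string is built inside `get_option()` (its body is outside these hunks) would remove that dependency on every caller, though callers that already pre-escape would then need updating; failing that, the one-line comment should become a docblock that names `$wpdb->escape()` as the required call. In `add_option()` the cache test still reads `$notoptions[$name]` with the raw name while the lookup is `get_option($safe_name)`; if `get_option()` keys its cache entries by the string it receives, names containing quotes or backslashes would be keyed differently on the two paths, which is worth confirming. The remainder of `update_option()` and `add_option()` is not visible here, so check that their later queries reuse `$safe_option_name` / `$safe_name` rather than escaping a second time or falling back to the raw value.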