Changeset 5831

Timestamp:

08/01/2007 07:14:40 PM (18 years ago)

Author:

markjaquith

Message:

add_option()/update_option() should pass the option name to get_option() pre-escaped. fixes #4690 for 2.0.x

File:

• branches/2.0/wp-includes/functions.php (modified) (3 diffs)

branches/2.0/wp-includes/functions.php

@@ -300 +300 @@
 /* Options functions */
 
+// expects $setting to already be SQL-escaped
 function get_settings($setting) {
     global $wpdb;
@@ -377 +378 @@
 }
 
+// expects $option_name to NOT be SQL-escaped
 function update_option($option_name, $newvalue) {
     global $wpdb;
 
+    $safe_option_name = $wpdb->escape($option_name);
+
     if ( is_string($newvalue) )
         $newvalue = trim($newvalue);
 
     // If the new and old values are the same, no need to update.
-    $oldvalue = get_option($option_name);
+    $oldvalue = get_option($safe_option_name);
     if ( $newvalue == $oldvalue ) {
         return false;
@@ -417 +421 @@
 
 // thx Alex Stapleton, http://alex.vort-x.net/blog/
+// expects $name to NOT be SQL-escaped
 function add_option($name, $value = '', $description = '', $autoload = 'yes') {
     global $wpdb;
 
+    $safe_name = $wpdb->escape($name);
+
     // Make sure the option doesn't already exist
-    if ( false !== get_option($name) )
+    if ( false !== get_option($safe_name) )
         return;