
Changeset 5831


Timestamp:
08/01/07 19:14:40 (7 years ago)
Author:
markjaquith
Message:

add_option()/update_option() should pass the option name to get_option() pre-escaped. fixes #4690 for 2.0.x

File:
1 edited

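--- a/branches/2.0/wp-includes/functions.php
+++ b/branches/2.0/wp-includes/functions.php
@@ -300,4 +300,5 @@
 /* Options functions */
 
+// expects $setting to already be SQL-escaped
 function get_settings($setting) {
     global $wpdb;
@@ -377,12 +378,15 @@
 }
 
+// expects $option_name to NOT be SQL-escaped
 function update_option($option_name, $newvalue) {
     global $wpdb;
 
+    $safe_option_name = $wpdb->escape($option_name);
+
     if ( is_string($newvalue) )
         $newvalue = trim($newvalue);
 
     // If the new and old values are the same, no need to update.
-    $oldvalue = get_option($option_name);
+    $oldvalue = get_option($safe_option_name);
     if ( $newvalue == $oldvalue ) {
         return false;
@@ -417,9 +421,12 @@
 
 // thx Alex Stapleton, http://alex.vort-x.net/blog/
+// expects $name to NOT be SQL-escaped
 function add_option($name, $value = '', $description = '', $autoload = 'yes') {
     global $wpdb;
 
+    $safe_name = $wpdb->escape($name);
+
     // Make sure the option doesn't already exist
-    if ( false !== get_option($name) )
+    if ( false !== get_option($safe_name) )
         return;
 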
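Review bot: In update_option() the escaped copy `$safe_option_name` and the raw `$option_name` now coexist, and the only visible consumer of the escaped one is `get_option($safe_option_name)`; the rest of the body lies outside the hunk, so which variable the later statements use cannot be checked from here. Because add_option() now escapes its own `$name`, a call from update_option() into add_option() further down (if there is one) has to keep passing the raw name, otherwise a name containing a quote would be escaped twice and would likely be stored under a different key. The same split applies in add_option() between `$safe_name` and `$name`. I would state the rule next to the assignment, e.g. `// $safe_option_name: for get_option() and SQL only; pass the raw $option_name to add_option()`. The escaped-versus-raw contract is carried only by these one-line comments, so other callers of get_option()/get_settings() that pass request-derived names are worth auditing against it.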