Make WordPress Core


Timestamp:
06/11/2024 02:29:14 AM (6 months ago)
Author:
peterwilsoncc
Message:

Options, Meta APIs: Add SQL escaping to query loading 'all options'.

Escapes the return value of wp_autoload_values_to_autoload() for use in the database query loading 'all options'. This is a hardening fix to protect against future changes to the options API which may allow developers to further customize the return value of the wp_autoload_values_to_autoload filter.

Follow up to [57920].

Props peterwilsoncc, joemcgill.
Fixes #42441.

File:
1 edited

  • trunk/src/wp-includes/option.php

    r58230 r58380  
    607607    if ( ! $alloptions ) {
    608608        $suppress      = $wpdb->suppress_errors();
    609         $alloptions_db = $wpdb->get_results( "SELECT option_name, option_value FROM $wpdb->options WHERE autoload IN ( '" . implode( "', '", wp_autoload_values_to_autoload() ) . "' )" );
     609        $alloptions_db = $wpdb->get_results( "SELECT option_name, option_value FROM $wpdb->options WHERE autoload IN ( '" . implode( "', '", esc_sql( wp_autoload_values_to_autoload() ) ) . "' )" );
    610610
    611611        if ( ! $alloptions_db ) {
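Review bot: the escaping on line 609 only covers the single-quoted literal case that the surrounding `"', '"` implode relies on; `esc_sql()` does not validate that every element returned by `wp_autoload_values_to_autoload()` is a non-empty string, so a filter returning an empty array or an empty value still yields `IN ( '' )` and silently loads nothing. Consider building the list through `$wpdb->prepare()` with one `%s` placeholder per value (e.g. `implode( ', ', array_fill( 0, count( $values ), '%s' ) )`), which both quotes and escapes in one step, and noting in the `wp_autoload_values_to_autoload` filter docs that the returned values are escaped by the caller so filter callbacks do not double-escape.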