Changeset 6173


Timestamp:
09/27/07 07:34:15 (7 years ago)
Author:
markjaquith
Message:

prepare() for wp-includes/ bookmark.php, canonical.php, comment.php, comment-template.php. see #4553

Location:
trunk/wp-includes
Files:
4 edited

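--- a/trunk/wp-includes/bookmark.php
+++ b/trunk/wp-includes/bookmark.php
@@ -4,6 +4,5 @@
     global $wpdb;
 
-    $bookmark_id = (int) $bookmark_id;
-    $link = $wpdb->get_row("SELECT * FROM $wpdb->links WHERE link_id = '$bookmark_id' LIMIT 1");
+    $link = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->links WHERE link_id = %d LIMIT 1", $bookmark_id));
     $link->link_category = array_unique( wp_get_object_terms($link_id, 'link_category', 'fields=ids') );
 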
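Review bot: The line right after the new prepare() call still passes `$link_id` to wp_get_object_terms(), a variable that is not assigned anywhere in the hunk and looks like it was meant to be `$bookmark_id`, so the term lookup presumably runs with an empty id; the commit touches the neighbouring line but leaves this as is. With the `(int)` cast removed, `$bookmark_id` is also only normalised inside prepare(), which is fine as long as nothing later in the function relies on it being an int. Suggested: `$link->link_category = array_unique( wp_get_object_terms($bookmark_id, 'link_category', 'fields=ids') );`. The enclosing function starts and ends outside the hunk, so the parameter name is inferred from the removed cast line.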
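--- a/trunk/wp-includes/canonical.php
+++ b/trunk/wp-includes/canonical.php
@@ -181,13 +181,13 @@
         return false;
 
-    $where = "post_name LIKE '" . $wpdb->escape(get_query_var('name')) . "%'";
+    $where = $wpdb->prepare("post_name LIKE %s", get_query_var('name') . '%');
 
     // if any of year, monthnum, or day are set, use them to refine the query
     if ( get_query_var('year') )
-        $where .= " AND YEAR(post_date) = '" . $wpdb->escape(get_query_var('year')) . "'";
+        $where .= $wpdb->prepare(" AND YEAR(post_date) = %d", get_query_var('year'));
     if ( get_query_var('monthnum') )
-        $where .= " AND MONTH(post_date) = '" . $wpdb->escape(get_query_var('monthnum')) . "'";
+        $where .= $wpdb->prepare(" AND MONTH(post_date) = %d", get_query_var('monthnum'));
     if ( get_query_var('day') )
-        $where .= " AND DAYOFMONTH(post_date) = '" . $wpdb->escape(get_query_var('day')) . "'";
+        $where .= $wpdb->prepare(" AND DAYOFMONTH(post_date) = %d", get_query_var('day'));
 
     $post_id = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE $where AND post_status = 'publish'");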
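Review bot: prepare() quotes and escapes the `name` query var on the first changed line but leaves LIKE metacharacters alone, so a `%` or `_` in the requested slug still acts as a wildcard inside `post_name LIKE %s`; the old escape() code had the same gap, this rewrite just does not close it. The trailing `%` is the intended prefix match, so only the user-supplied part should be escaped: `$where = $wpdb->prepare("post_name LIKE %s", addcslashes(get_query_var('name'), '%_') . '%');`. The switch to `%d` for year, monthnum and day is a genuine improvement since those were previously passed through as quoted strings. The enclosing function starts and ends outside the hunk.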
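--- a/trunk/wp-includes/comment-template.php
+++ b/trunk/wp-includes/comment-template.php
@@ -289,11 +289,9 @@
     // TODO: Use API instead of SELECTs.
     if ( $user_ID) {
-        $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND (comment_approved = '1' OR ( user_id = '$user_ID' AND comment_approved = '0' ) )  ORDER BY comment_date");
+        $comments = $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND (comment_approved = '1' OR ( user_id = %d AND comment_approved = '0' ) )  ORDER BY comment_date", $post->ID, $user_ID));
     } else if ( empty($comment_author) ) {
-        $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date");
+        $comments = $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '1' ORDER BY comment_date", $post->ID));
     } else {
-        $author_db = $wpdb->escape($comment_author);
-        $email_db  = $wpdb->escape($comment_author_email);
-        $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND ( comment_approved = '1' OR ( comment_author = '$author_db' AND comment_author_email = '$email_db' AND comment_approved = '0' ) ) ORDER BY comment_date");
+        $comments = $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND ( comment_approved = '1' OR ( comment_author = %s AND comment_author_email = %s AND comment_approved = '0' ) ) ORDER BY comment_date", $post->ID, $comment_author, $comment_author_email));
     }
 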
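Review bot: On the last added line `$comment_author` and `$comment_author_email` are escaped by prepare(), but the hunk does not show whether those globals arrive raw or already slashed; the `expected_slashed` annotations this same changeset adds in comment.php suggest author/email values are slashed on at least some paths, and a double-escaped name containing an apostrophe would silently fail the `comment_author = %s` match rather than break the query. The old `$wpdb->escape()` code had the same exposure, so this is not a regression, but it is worth confirming where `$comment_author` is populated (outside the hunk) and either passing `stripslashes($comment_author), stripslashes($comment_author_email)` to prepare() or documenting the assumption with a `// expected_slashed ($comment_author, $comment_author_email)` comment above the query. The enclosing function starts and ends outside the hunk.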
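--- a/trunk/wp-includes/comment.php
+++ b/trunk/wp-includes/comment.php
@@ -42,9 +42,10 @@
             $uri = parse_url( get_option('home') );
             $home_domain = $uri['host'];
-            if ( $wpdb->get_var("SELECT link_id FROM $wpdb->links WHERE link_url LIKE ('%$domain%') LIMIT 1") || $domain == $home_domain )
+            if ( $wpdb->get_var($wpdb->prepare("SELECT link_id FROM $wpdb->links WHERE link_url LIKE (%s) LIMIT 1", '%'.$domain.'%')) || $domain == $home_domain )
                 return true;
             else
                 return false;
         } elseif ( $author != '' && $email != '' ) {
+            // expected_slashed ($author, $email)
     $ok_to_comment = $wpdb->get_var("SELECT comment_approved FROM $wpdb->comments WHERE comment_author = '$author' AND comment_author_email = '$email' and comment_approved = '1' LIMIT 1");
             if ( ( 1 == $ok_to_comment ) &&
@@ -63,7 +64,5 @@
 function get_approved_comments($post_id) {
     global $wpdb;
-
-    $post_id = (int) $post_id;
-    return $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post_id' AND comment_approved = '1' ORDER BY comment_date");
+    return $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '1' ORDER BY comment_date", $post_id));
 }
 
@@ -83,9 +82,8 @@
         $_comment = $comment;
     } else {
-        $comment = (int) $comment;
         if ( isset($GLOBALS['comment']) && ($GLOBALS['comment']->comment_ID == $comment) ) {
             $_comment = & $GLOBALS['comment'];
         } elseif ( ! $_comment = wp_cache_get($comment, 'comment') ) {
-            $_comment = $wpdb->get_row("SELECT * FROM $wpdb->comments WHERE comment_ID = '$comment' LIMIT 1");
+            $_comment = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_ID = %d LIMIT 1", $comment));
             wp_cache_add($_comment->comment_ID, $_comment, 'comment');
         }
@@ -110,5 +108,5 @@
     global $postc, $id, $commentdata, $wpdb;
     if ( $no_cache ) {
-        $query = "SELECT * FROM $wpdb->comments WHERE comment_ID = '$comment_ID'";
+        $query = $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_ID = %d", $comment_ID);
         if ( false == $include_unapproved )
             $query .= " AND comment_approved = '1'";
@@ -139,11 +137,11 @@
         switch ( strtolower($timezone)) {
             case 'gmt':
-                $lastcommentmodified = $wpdb->get_var("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_date_gmt <= '$now' AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1");
+                $lastcommentmodified = $wpdb->get_var($wpdb->prepare("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_date_gmt <= %s AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1", $now));
                 break;
             case 'blog':
-                $lastcommentmodified = $wpdb->get_var("SELECT comment_date FROM $wpdb->comments WHERE comment_date_gmt <= '$now' AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1");
+                $lastcommentmodified = $wpdb->get_var($wpdb->prepare("SELECT comment_date FROM $wpdb->comments WHERE comment_date_gmt <= %s AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1", $now));
                 break;
             case 'server':
-                $lastcommentmodified = $wpdb->get_var("SELECT DATE_ADD(comment_date_gmt, INTERVAL '$add_seconds_server' SECOND) FROM $wpdb->comments WHERE comment_date_gmt <= '$now' AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1");
+                $lastcommentmodified = $wpdb->get_var($wpdb->prepare("SELECT DATE_ADD(comment_date_gmt, INTERVAL %s SECOND) FROM $wpdb->comments WHERE comment_date_gmt <= %s AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1", $add_seconds_server, $now));
                 break;
         }
@@ -184,4 +182,5 @@
 
     // Simple duplicate check
+    // expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
     $dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND ( comment_author = '$comment_author' ";
     if ( $comment_author_email )
@@ -196,5 +195,5 @@
         $userdata = get_userdata($user_id);
         $user = new WP_User($user_id);
-        $post_author = $wpdb->get_var("SELECT post_author FROM $wpdb->posts WHERE ID = '$comment_post_ID' LIMIT 1");
+        $post_author = $wpdb->get_var($wpdb->prepare("SELECT post_author FROM $wpdb->posts WHERE ID = %d LIMIT 1", $comment_post_ID));
     }
 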
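Review bot: Two queries in this file stay string-interpolated and are only annotated: the `$ok_to_comment` lookup under the new `// expected_slashed ($author, $email)` comment and the `$dupe` query under the new `// expected_slashed ($comment_post_ID, ...)` comment. The annotation records that callers must have slashed those values, but nothing in either function enforces it, so any call path that hands in a raw `$author`/`$email` or `$comment_content` is still an SQL injection, and the slashing contract is invisible at the call site. The safe shape is the one the other changed lines already use, e.g. `$ok_to_comment = $wpdb->get_var($wpdb->prepare("SELECT comment_approved FROM $wpdb->comments WHERE comment_author = %s AND comment_author_email = %s and comment_approved = '1' LIMIT 1", stripslashes($author), stripslashes($email)));`, with the same treatment for `$dupe`, whose construction continues past the end of its hunk. Every function in this section starts or ends outside its hunk.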