

Timestamp:
09/27/2007 07:34:15 AM (17 years ago)
Author:
markjaquith
Message:

prepare() for wp-includes/ bookmark.php, canonical.php, comment.php, comment-template.php. see #4553

File:
1 edited

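--- a/trunk/wp-includes/canonical.php
+++ b/trunk/wp-includes/canonical.php
@@ -181,13 +181,13 @@
         return false;
 
-    $where = "post_name LIKE '" . $wpdb->escape(get_query_var('name')) . "%'";
+    $where = $wpdb->prepare("post_name LIKE %s", get_query_var('name') . '%');
 
     // if any of year, monthnum, or day are set, use them to refine the query
     if ( get_query_var('year') )
-        $where .= " AND YEAR(post_date) = '" . $wpdb->escape(get_query_var('year')) . "'";
+        $where .= $wpdb->prepare(" AND YEAR(post_date) = %d", get_query_var('year'));
     if ( get_query_var('monthnum') )
-        $where .= " AND MONTH(post_date) = '" . $wpdb->escape(get_query_var('monthnum')) . "'";
+        $where .= $wpdb->prepare(" AND MONTH(post_date) = %d", get_query_var('monthnum'));
     if ( get_query_var('day') )
-        $where .= " AND DAYOFMONTH(post_date) = '" . $wpdb->escape(get_query_var('day')) . "'";
+        $where .= $wpdb->prepare(" AND DAYOFMONTH(post_date) = %d", get_query_var('day'));
 
     $post_id = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE $where AND post_status = 'publish'");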
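Review bot: On the new `$where = $wpdb->prepare("post_name LIKE %s", ...)` line, prepare() quotes the value for SQL but leaves the LIKE metacharacters `%` and `_` inside `get_query_var('name')` active, so a request whose name contains either still widens the prefix match (a bare `%` would match every published post's slug) — a correctness point rather than an injection one, since the change already closes that path. If the query var can reach this code unsanitised, escape those characters before the trailing wildcard is appended: `$where = $wpdb->prepare("post_name LIKE %s", addcslashes(get_query_var('name'), '\\%_') . '%');`. The `%d` placeholders on the three `.=` lines are fine as written. The enclosing function starts before and ends after this hunk.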