WordPress.org

Make WordPress Core

Changeset 7592


Ignore:
Timestamp:
04/03/2008 03:05:49 AM (10 years ago)
Author:
markjaquith
Message:

Fix gallery shortcode orderby param for all SQL setups. Sanitize orderby. fixes #6476 for trunk

Location:
trunk/wp-includes
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/formatting.php

    r7581 r7592  
    365365
    366366    return $title;
     367}
     368
     369// ensures a string is a valid SQL order by clause like: post_name ASC, ID DESC
     370// accepts one or more columns, with or without ASC/DESC, and also accepts RAND()
     371function sanitize_sql_orderby( $orderby ){
     372    preg_match('/^\s*([a-z0-9_]+(\s+(ASC|DESC))?(\s*,\s*|\s*$))+|^\s*RAND\(\s*\)\s*$/i', $orderby, $obmatches);
     373    if ( !$obmatches )
     374        return false;
     375    return $orderby;
    367376}
    368377
  • trunk/wp-includes/media.php

    r7575 r7592  
    340340    if ( $output != '' )
    341341        return $output;
    342        
     342
     343    // We're trusting author input, so let's at least make sure it looks like a valid orderby statement
     344    if ( isset( $attr['orderby'] ) ) {
     345        $attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] );
     346        if ( !$attr['orderby'] )
     347            unset( $attr['orderby'] );
     348    }
     349
    343350    extract(shortcode_atts(array(
    344351        'orderby'    => 'menu_order ASC, ID ASC',
     
    352359
    353360    $id = intval($id);
    354     $orderby = addslashes($orderby);
    355     $attachments = get_children("post_parent=$id&post_type=attachment&post_mime_type=image&orderby=\"{$orderby}\"");
     361    $attachments = get_children("post_parent=$id&post_type=attachment&post_mime_type=image&orderby={$orderby}");
    356362
    357363    if ( empty($attachments) )
     
    427433    global $post;
    428434    $post = get_post($post);
    429     $attachments = array_values(get_children("post_parent=$post->post_parent&post_type=attachment&post_mime_type=image&orderby=\"menu_order ASC, ID ASC\""));
     435    $attachments = array_values(get_children("post_parent=$post->post_parent&post_type=attachment&post_mime_type=image&orderby=menu_order ASC, ID ASC"));
    430436
    431437    foreach ( $attachments as $k => $attachment )
  • trunk/wp-includes/post.php

    r7482 r7592  
    460460    if (!empty($exclusions))
    461461        $exclusions .= ')';
     462
     463    // orderby
     464    if ( preg_match( '/.+ +(ASC|DESC)/i', $orderby ) )
     465        $order = ''; // orderby has its own order, so we'll use that
    462466
    463467    $query  = "SELECT DISTINCT * FROM $wpdb->posts ";
Note: See TracChangeset for help on using the changeset viewer.