Changeset 7592


Timestamp:
04/03/08 03:05:49 (7 years ago)
Author:
markjaquith
Message:

Fix gallery shortcode orderby param for all SQL setups. Sanitize orderby. fixes #6476 for trunk

Location:
trunk/wp-includes
Files:
3 edited

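--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -365,4 +365,13 @@
 
     return $title;
+}
+
+// ensures a string is a valid SQL order by clause like: post_name ASC, ID DESC
+// accepts one or more columns, with or without ASC/DESC, and also accepts RAND()
+function sanitize_sql_orderby( $orderby ){
+    preg_match('/^\s*([a-z0-9_]+(\s+(ASC|DESC))?(\s*,\s*|\s*$))+|^\s*RAND\(\s*\)\s*$/i', $orderby, $obmatches);
+    if ( !$obmatches )
+        return false;
+    return $orderby;
 }
 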
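Review bot: The pattern on the preg_match line of sanitize_sql_orderby anchors the end of the input only inside the `\s*$` branch of the repeated group, so once a column is followed by a comma the repetition may simply stop and whatever follows is never examined; a value made of a valid column, a comma and arbitrary trailing text is therefore returned unchanged, which defeats the check that media.php relies on. Anchoring the whole first alternative and requiring a column after each comma closes the gap: `preg_match('/^\s*([a-z0-9_]+(\s+(ASC|DESC))?(\s*,\s*(?=[a-z0-9_])|\s*$))+$|^\s*RAND\(\s*\)\s*$/i', $orderby, $obmatches);`. With the lookahead a trailing comma is rejected too, instead of yielding an ORDER BY that ends in a comma. A short PHPDoc stating that the function returns the unmodified input on success and `false` otherwise would also help callers, which currently rely on a truthiness test rather than the sentinel.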
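--- a/trunk/wp-includes/media.php
+++ b/trunk/wp-includes/media.php
@@ -340,5 +340,12 @@
     if ( $output != '' )
         return $output;
-         
+
+    // We're trusting author input, so let's at least make sure it looks like a valid orderby statement
+    if ( isset( $attr['orderby'] ) ) {
+        $attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] );
+        if ( !$attr['orderby'] )
+            unset( $attr['orderby'] );
+    }
+
     extract(shortcode_atts(array(
         'orderby'    => 'menu_order ASC, ID ASC',
@@ -352,6 +359,5 @@
 
     $id = intval($id);
-    $orderby = addslashes($orderby);
-    $attachments = get_children("post_parent=$id&post_type=attachment&post_mime_type=image&orderby=\"{$orderby}\"");
+    $attachments = get_children("post_parent=$id&post_type=attachment&post_mime_type=image&orderby={$orderby}");
 
     if ( empty($attachments) )
@@ -427,5 +433,5 @@
     global $post;
     $post = get_post($post);
-    $attachments = array_values(get_children("post_parent=$post->post_parent&post_type=attachment&post_mime_type=image&orderby=\"menu_order ASC, ID ASC\""));
+    $attachments = array_values(get_children("post_parent=$post->post_parent&post_type=attachment&post_mime_type=image&orderby=menu_order ASC, ID ASC"));
 
     foreach ( $attachments as $k => $attachment )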
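Review bot: The fallback test `if ( !$attr['orderby'] )` in the first hunk is a truthiness check on a value that is either the original string or `false`, so it conflates a failed validation with a validated string that happens to be falsy; comparing against the sentinel states the intent: `if ( false === $attr['orderby'] )`. The drop is also silent, and the comment could say so, e.g. `// an orderby that fails validation is dropped, so shortcode_atts() supplies the default order`. The second hunk now places the orderby into the get_children() argument string unquoted; that string is presumably parsed as a query string, so the validator's narrow alphabet (column names, ASC/DESC, whitespace, commas, or RAND()) is what keeps additional `&`-separated parameters from being introduced, which is worth a note on the sanitize_sql_orderby() call. The enclosing function starts before the first hunk and continues past the second; the third hunk is in a different function whose header is outside the hunk.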
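--- a/trunk/wp-includes/post.php
+++ b/trunk/wp-includes/post.php
@@ -460,4 +460,8 @@
     if (!empty($exclusions))
         $exclusions .= ')';
+
+    // orderby
+    if ( preg_match( '/.+ +(ASC|DESC)/i', $orderby ) )
+        $order = ''; // orderby has its own order, so we'll use that
 
     $query  = "SELECT DISTINCT * FROM $wpdb->posts ";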
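Review bot: The `preg_match( '/.+ +(ASC|DESC)/i', $orderby )` test on the new orderby line is unanchored, so it fires when a direction keyword appears anywhere after a space rather than at the end of the clause; for a multi-column value such as `ID DESC, menu_order` the `$order` argument is discarded even though the last column carries no direction, and a column name that merely begins with those letters is also taken as one. Anchoring the direction to the end matches the trailing comment more precisely and lets `$order` still apply to a final bare column: `if ( preg_match( '/\s+(ASC|DESC)\s*$/i', $orderby ) )`. The hunk shows no validation of `$orderby` before the query is assembled; whether this path receives only validated values is outside what the hunk shows, so if unvalidated input can reach it, the sanitize_sql_orderby() check applied in media.php belongs here as well. The enclosing function starts before the hunk and continues past it.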