Changeset 7593
- Timestamp:
- 04/03/2008 03:06:01 AM (17 years ago)
- Location:
- branches/2.5/wp-includes
- Files:
-
- 3 edited
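--- a/branches/2.5/wp-includes/formatting.php
+++ b/branches/2.5/wp-includes/formatting.php
@@ -365,4 +365,13 @@
 
 	return $title;
+}
+
+// ensures a string is a valid SQL order by clause like: post_name ASC, ID DESC
+// accepts one or more columns, with or without ASC/DESC, and also accepts RAND()
+function sanitize_sql_orderby( $orderby ){
+	preg_match('/^\s*([a-z0-9_]+(\s+(ASC|DESC))?(\s*,\s*|\s*$))+|^\s*RAND\(\s*\)\s*$/i', $orderby, $obmatches);
+	if ( !$obmatches )
+		return false;
+	return $orderby;
 }
 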
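Review bot: The column alternative of the pattern in `sanitize_sql_orderby()` is anchored with `^` but never with `$`, so once a single `column[ ASC|DESC],` repetition has matched through the `\s*,\s*` branch the match succeeds and everything after that comma is returned unchecked — `ID, <anything>` passes and the caller gets the whole string back, which defeats the purpose of the check. The function should require the entire input to match, e.g. `if ( preg_match( '/^\s*([a-z0-9_]+(\s+(ASC|DESC))?\s*(,\s*(?=[a-z0-9_])|$))+$/i', $orderby ) || preg_match( '/^\s*RAND\(\s*\)\s*$/i', $orderby ) )` followed by `return $orderby;` and `return false;`, where the lookahead after the comma also rejects a trailing comma. Because `$` in PCRE still matches before a final newline, use `\z` (or the `D` modifier) if a trailing newline must be rejected as well. A short header comment stating that the function validates shape only and does not check that the named columns exist would save callers from assuming more than it does.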
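--- a/branches/2.5/wp-includes/media.php
+++ b/branches/2.5/wp-includes/media.php
@@ -340,5 +340,12 @@
 	if ( $output != '' )
 		return $output;
 
+	// We're trusting author input, so let's at least make sure it looks like a valid orderby statement
+	if ( isset( $attr['orderby'] ) ) {
+		$attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] );
+		if ( !$attr['orderby'] )
+			unset( $attr['orderby'] );
+	}
+
 	extract(shortcode_atts(array(
 		'orderby' => 'menu_order ASC, ID ASC',
@@ -352,6 +359,5 @@
 
 	$id = intval($id);
-	$orderby = addslashes($orderby);
-	$attachments = get_children("post_parent=$id&post_type=attachment&post_mime_type=image&orderby=\"{$orderby}\"");
+	$attachments = get_children("post_parent=$id&post_type=attachment&post_mime_type=image&orderby={$orderby}");
 
 	if ( empty($attachments) )
@@ -427,5 +433,5 @@
 	global $post;
 	$post = get_post($post);
-	$attachments = array_values(get_children("post_parent=$post->post_parent&post_type=attachment&post_mime_type=image&orderby= \"menu_order ASC, ID ASC\""));
+	$attachments = array_values(get_children("post_parent=$post->post_parent&post_type=attachment&post_mime_type=image&orderby=menu_order ASC, ID ASC"));
 
 	foreach ( $attachments as $k => $attachment )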
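Review bot: With `addslashes()` removed and the quotes dropped around `orderby={$orderby}`, the `sanitize_sql_orderby()` call added before `shortcode_atts()` is now the only barrier between the author-supplied attribute and the `get_children()` query string, and the regex that function gets in this same changeset lacks a closing `$` on its column alternative, so a value like `ID, <anything>` is spliced in unchanged, where an `&` would even start a new query-string parameter. A defensive second check at this call site costs little, e.g. `if ( false === $attr['orderby'] || false !== strpos( $attr['orderby'], '&' ) )` then `unset( $attr['orderby'] );`, which also replaces the truthiness test — the sanitizer returns `false` on rejection, and `!$attr['orderby']` would additionally discard the (harmless but valid) string `"0"`. The comment above the block could say what happens on rejection, e.g. `// rejected values are unset so shortcode_atts() falls back to the default below`. The enclosing gallery function starts before and ends after these hunks.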
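--- a/branches/2.5/wp-includes/post.php
+++ b/branches/2.5/wp-includes/post.php
@@ -460,4 +460,8 @@
 	if (!empty($exclusions))
 		$exclusions .= ')';
+
+	// orderby
+	if ( preg_match( '/.+ +(ASC|DESC)/i', $orderby ) )
+		$order = ''; // orderby has its own order, so we'll use that
 
 	$query = "SELECT DISTINCT * FROM $wpdb->posts ";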
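Review bot: The direction check `preg_match( '/.+ +(ASC|DESC)/i', $orderby )` only recognises a direction preceded by literal space characters, while `sanitize_sql_orderby()` (added in this changeset) accepts any `\s+` before ASC/DESC, so an orderby like `menu_order\tASC` passes the sanitizer, keeps the caller's `$order`, and produces `ORDER BY menu_order\tASC DESC` — a SQL syntax error; it also fires on a direction in the middle of a multi-column list, dropping `$order` even when the last column has none. Matching on whitespace and only at the end of the clause, `if ( preg_match( '/\s+(ASC|DESC)\s*$/i', $orderby ) )`, blanks `$order` exactly when the final column already carries its own direction. This hunk does not show whether `$orderby` is validated earlier in the function; if it is not, running it through `sanitize_sql_orderby()` here, as media.php now does, would be consistent, since it is interpolated into `$query` further down. The enclosing function starts and ends outside the hunk.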