Changeset 7906 for trunk/wp-includes/query.php

Timestamp:

05/08/2008 05:17:27 AM (18 years ago)

Author:

ryan

Message:

Query cleanups. Use absint, concat where instead of overwrite, make post_parent independent, sanitize postin and postnot_in. Props mdawaffe. see #6772

File:

• trunk/wp-includes/query.php (modified) (15 diffs)

trunk/wp-includes/query.php

@@ -516 +516 @@
             $this->is_robots = true;
 
-        $qv['p'] =  (int) $qv['p'];
-        $qv['page_id'] =  (int) $qv['page_id'];
-        $qv['year'] = (int) $qv['year'];
-        $qv['monthnum'] = (int) $qv['monthnum'];
-        $qv['day'] = (int) $qv['day'];
-        $qv['w'] = (int) $qv['w'];
-        $qv['m'] =  (int) $qv['m'];
+        $qv['p'] =  absint($qv['p']);
+        $qv['page_id'] =  absint($qv['page_id']);
+        $qv['year'] = absint($qv['year']);
+        $qv['monthnum'] = absint($qv['monthnum']);
+        $qv['day'] = absint($qv['day']);
+        $qv['w'] = absint($qv['w']);
+        $qv['m'] = absint($qv['m']);
         $qv['cat'] = preg_replace( '|[^0-9,-]|', '', $qv['cat'] ); // comma separated list of positive or negative integers
-        if ( '' !== $qv['hour'] ) $qv['hour'] = (int) $qv['hour'];
-        if ( '' !== $qv['minute'] ) $qv['minute'] = (int) $qv['minute'];
-        if ( '' !== $qv['second'] ) $qv['second'] = (int) $qv['second'];
+        if ( '' !== $qv['hour'] ) $qv['hour'] = absint($qv['hour']);
+        if ( '' !== $qv['minute'] ) $qv['minute'] = absint($qv['minute']);
+        if ( '' !== $qv['second'] ) $qv['second'] = absint($qv['second']);
 
         // Compat.  Map subpost to attachment.
@@ -534 +534 @@
             $qv['attachment_id'] = $qv['subpost_id'];
 
-        $qv['attachment_id'] = (int) $qv['attachment_id'];
+        $qv['attachment_id'] = absint($qv['attachment_id']);
 
         if ( ('' != $qv['attachment']) || !empty($qv['attachment_id']) ) {
@@ -625 +625 @@
                 $qv['category__in'] = array();
             } else {
-                $qv['category__in'] = array_map('intval', $qv['category__in']);
+                $qv['category__in'] = array_map('absint', $qv['category__in']);
                 $this->is_category = true;
             }
@@ -632 +632 @@
                 $qv['category__not_in'] = array();
             } else {
-                $qv['category__not_in'] = array_map('intval', $qv['category__not_in']);
+                $qv['category__not_in'] = array_map('absint', $qv['category__not_in']);
             }
 
@@ -638 +638 @@
                 $qv['category__and'] = array();
             } else {
-                $qv['category__and'] = array_map('intval', $qv['category__and']);
+                $qv['category__and'] = array_map('absint', $qv['category__and']);
                 $this->is_category = true;
             }
@@ -645 +645 @@
                 $this->is_tag = true;
 
-            $qv['tag_id'] = (int) $qv['tag_id'];
+            $qv['tag_id'] = absint($qv['tag_id']);
             if (  !empty($qv['tag_id']) )
                 $this->is_tag = true;
@@ -652 +652 @@
                 $qv['tag__in'] = array();
             } else {
-                $qv['tag__in'] = array_map('intval', $qv['tag__in']);
+                $qv['tag__in'] = array_map('absint', $qv['tag__in']);
                 $this->is_tag = true;
             }
@@ -659 +659 @@
                 $qv['tag__not_in'] = array();
             } else {
-                $qv['tag__not_in'] = array_map('intval', $qv['tag__not_in']);
+                $qv['tag__not_in'] = array_map('absint', $qv['tag__not_in']);
             }
 
@@ -665 +665 @@
                 $qv['tag__and'] = array();
             } else {
-                $qv['tag__and'] = array_map('intval', $qv['tag__and']);
+                $qv['tag__and'] = array_map('absint', $qv['tag__and']);
                 $this->is_category = true;
             }
@@ -872 +872 @@
         if (isset($q['page'])) {
             $q['page'] = trim($q['page'], '/');
-            $q['page'] = (int) $q['page'];
-            $q['page'] = abs($q['page']);
+            $q['page'] = absint($q['page']);
         }
 
@@ -950 +949 @@
 
         if ( intval($q['comments_popup']) )
-            $q['p'] = intval($q['comments_popup']);
+            $q['p'] = absint($q['comments_popup']);
 
         // If an attachment is requested by number, let it supercede any post number.
         if ( $q['attachment_id'] )
-            $q['p'] = $q['attachment_id'];
+            $q['p'] = absint($q['attachment_id']);
 
         // If a post number is specified, load that post
-        if ( $q['p'] )
-            $where = " AND {$wpdb->posts}.ID = " . $q['p'];
-        elseif ( $q['post_parent'] ) 
-            $where = $wpdb->prepare("AND $wpdb->posts.post_parent = %d ", $q['post_parent']);
-        elseif ( $q['post__in'] ) {
-            $post__in = "'" . implode("', '", $q['post__in']) . "'";
-            $where = " AND {$wpdb->posts}.ID IN ($post__in)";
+        if ( $q['p'] ) {
+            $where .= " AND {$wpdb->posts}.ID = " . $q['p'];
+        } elseif ( $q['post__in'] ) {
+            $post__in = implode(',', array_map( 'absint', $q['post__in'] ));
+            $where .= " AND {$wpdb->posts}.ID IN ($post__in)";
         } elseif ( $q['post__not_in'] ) {
-            $post__not_in = "'" . implode("', '", $q['post__not_in']) . "'";
-            $where = " AND {$wpdb->posts}.ID NOT IN ($post__not_in)";
-        }
+            $post__not_in = implode(',',  array_map( 'absint', $q['post__not_in'] ));
+            $where .= " AND {$wpdb->posts}.ID NOT IN ($post__not_in)";
+        }
+
+        if ( $q['post_parent'] )
+            $where .= $wpdb->prepare( " AND $wpdb->posts.post_parent = %d ", $q['post_parent'] );
 
         if ( $q['page_id'] ) {
@@ -1208 +1208 @@
                 $andor = 'AND';
                 $q['author'] = explode('-', $q['author']);
-                $q['author'] = ''.intval($q['author'][1]);
+                $q['author'] = '' . absint($q['author'][1]);
             } else {
                 $eq = '=';
@@ -1214 +1214 @@
             }
             $author_array = preg_split('/[,\s]+/', $q['author']);
-            $whichauthor .= " AND ($wpdb->posts.post_author ".$eq.' '.intval($author_array[0]);
+            $whichauthor .= " AND ($wpdb->posts.post_author ".$eq.' '.absint($author_array[0]);
             for ($i = 1; $i < (count($author_array)); $i = $i + 1) {
-                $whichauthor .= ' '.$andor." $wpdb->posts.post_author ".$eq.' '.intval($author_array[$i]);
+                $whichauthor .= ' '.$andor." $wpdb->posts.post_author ".$eq.' '.absint($author_array[$i]);
             }
             $whichauthor .= ')';
@@ -1234 +1234 @@
             $q['author_name'] = sanitize_title($q['author_name']);
             $q['author'] = $wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_nicename='".$q['author_name']."'");
-            $whichauthor .= " AND ($wpdb->posts.post_author = ".intval($q['author']).')';
+            $whichauthor .= " AND ($wpdb->posts.post_author = ".absint($q['author']).')';
         }
 
@@ -1374 +1374 @@
             if ( empty($q['offset']) ) {
                 $pgstrt = '';
-                $pgstrt = (intval($page) -1) * $q['posts_per_page'] . ', ';
+                $pgstrt = ($page - 1) * $q['posts_per_page'] . ', ';
                 $limits = 'LIMIT '.$pgstrt.$q['posts_per_page'];
             } else { // we're ignoring $page and using 'offset'