Index: src/wp-includes/class-wp-comment-query.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- src/wp-includes/class-wp-comment-query.php	(revision b57b486d96bf75d569d7e86e9c844ec1f4b7a024)
+++ src/wp-includes/class-wp-comment-query.php	(date 1523624404000)
@@ -429,7 +429,8 @@
 		// Fetch full comment objects from the primed cache.
 		$_comments = array();
 		foreach ( $comment_ids as $comment_id ) {
-			if ( $_comment = get_comment( $comment_id ) ) {
+			$_comment = get_comment( $comment_id );
+			if ( ! empty( $_comment ) ) {
 				$_comments[] = $_comment;
 			}
 		}
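Review bot: `! empty( $_comment )` on a variable assigned on the line directly above is just a truthiness test with the undefined-variable check thrown in, so it reads as though `$_comment` might be unset. The intent (skip ids for which no comment object could be loaded) is clearer as `if ( $_comment ) {`, or, since get_comment() with default arguments presumably returns an object or null, `if ( null !== $_comment ) {`. The enclosing method starts and ends outside this hunk.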
@@ -524,7 +525,6 @@
 				$include_unapproved = preg_split( '/[\s,]+/', $include_unapproved );
 			}
 
-			$unapproved_ids = $unapproved_emails = array();
 			foreach ( $include_unapproved as $unapproved_identifier ) {
 				// Numeric values are assumed to be user ids.
 				if ( is_numeric( $unapproved_identifier ) ) {
@@ -557,7 +557,7 @@
 				preg_split( '/[,\s]/', $this->query_vars['orderby'] );
 
 			$orderby_array            = array();
-			$found_orderby_comment_ID = false;
+			$found_orderby_comment_id = false;
 			foreach ( $ordersby as $_key => $_value ) {
 				if ( ! $_value ) {
 					continue;
@@ -571,8 +571,8 @@
 					$_order   = $_value;
 				}
 
-				if ( ! $found_orderby_comment_ID && in_array( $_orderby, array( 'comment_ID', 'comment__in' ) ) ) {
-					$found_orderby_comment_ID = true;
+				if ( ! $found_orderby_comment_id && in_array( $_orderby, array( 'comment_ID', 'comment__in' ) ) ) {
+					$found_orderby_comment_id = true;
 				}
 
 				$parsed = $this->parse_orderby( $_orderby );
@@ -595,24 +595,24 @@
 			}
 
 			// To ensure determinate sorting, always include a comment_ID clause.
-			if ( ! $found_orderby_comment_ID ) {
-				$comment_ID_order = '';
+			if ( ! $found_orderby_comment_id ) {
+				$comment_id_order = '';
 
 				// Inherit order from comment_date or comment_date_gmt, if available.
 				foreach ( $orderby_array as $orderby_clause ) {
 					if ( preg_match( '/comment_date(?:_gmt)*\ (ASC|DESC)/', $orderby_clause, $match ) ) {
-						$comment_ID_order = $match[1];
+						$comment_id_order = $match[1];
 						break;
 					}
 				}
 
 				// If no date-related order is available, use the date from the first available clause.
-				if ( ! $comment_ID_order ) {
+				if ( ! $comment_id_order ) {
 					foreach ( $orderby_array as $orderby_clause ) {
 						if ( false !== strpos( 'ASC', $orderby_clause ) ) {
-							$comment_ID_order = 'ASC';
+							$comment_id_order = 'ASC';
 						} else {
-							$comment_ID_order = 'DESC';
+							$comment_id_order = 'DESC';
 						}
 
 						break;
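Review bot: `false !== strpos( 'ASC', $orderby_clause )` just above the renamed `$comment_id_order = 'ASC'` line has haystack and needle reversed — it searches the literal 'ASC' for the whole clause string, which for any real clause such as `comment_author ASC` is never found, so this fallback yields 'DESC' regardless of the clause's direction. The commit only renames the variable and leaves the check as is; it should read `if ( false !== strpos( $orderby_clause, 'ASC' ) ) {`. The enclosing method continues outside this hunk.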
@@ -620,11 +620,11 @@
 				}
 
 				// Default to DESC.
-				if ( ! $comment_ID_order ) {
-					$comment_ID_order = 'DESC';
+				if ( ! $comment_id_order ) {
+					$comment_id_order = 'DESC';
 				}
 
-				$orderby_array[] = "$wpdb->comments.comment_ID $comment_ID_order";
+				$orderby_array[] = "$wpdb->comments.comment_ID $comment_id_order";
 			}
 
 			$orderby = implode( ', ', $orderby_array );
@@ -657,31 +657,37 @@
 
 		// Parse comment IDs for an IN clause.
 		if ( ! empty( $this->query_vars['comment__in'] ) ) {
+			// @todo Use wpdb->prepare on this statement.
 			$this->sql_clauses['where']['comment__in'] = "$wpdb->comments.comment_ID IN ( " . implode( ',', wp_parse_id_list( $this->query_vars['comment__in'] ) ) . ' )';
 		}
 
 		// Parse comment IDs for a NOT IN clause.
 		if ( ! empty( $this->query_vars['comment__not_in'] ) ) {
+			// @todo Use wpdb->prepare on this statement.
 			$this->sql_clauses['where']['comment__not_in'] = "$wpdb->comments.comment_ID NOT IN ( " . implode( ',', wp_parse_id_list( $this->query_vars['comment__not_in'] ) ) . ' )';
 		}
 
 		// Parse comment parent IDs for an IN clause.
 		if ( ! empty( $this->query_vars['parent__in'] ) ) {
+			// @todo Use wpdb->prepare on this statement.
 			$this->sql_clauses['where']['parent__in'] = 'comment_parent IN ( ' . implode( ',', wp_parse_id_list( $this->query_vars['parent__in'] ) ) . ' )';
 		}
 
 		// Parse comment parent IDs for a NOT IN clause.
 		if ( ! empty( $this->query_vars['parent__not_in'] ) ) {
+			// @todo Use wpdb->prepare on this statement.
 			$this->sql_clauses['where']['parent__not_in'] = 'comment_parent NOT IN ( ' . implode( ',', wp_parse_id_list( $this->query_vars['parent__not_in'] ) ) . ' )';
 		}
 
 		// Parse comment post IDs for an IN clause.
 		if ( ! empty( $this->query_vars['post__in'] ) ) {
+			// @todo Use wpdb->prepare on this statement.
 			$this->sql_clauses['where']['post__in'] = 'comment_post_ID IN ( ' . implode( ',', wp_parse_id_list( $this->query_vars['post__in'] ) ) . ' )';
 		}
 
 		// Parse comment post IDs for a NOT IN clause.
 		if ( ! empty( $this->query_vars['post__not_in'] ) ) {
+			// @todo Use wpdb->prepare on this statement.
 			$this->sql_clauses['where']['post__not_in'] = 'comment_post_ID NOT IN ( ' . implode( ',', wp_parse_id_list( $this->query_vars['post__not_in'] ) ) . ' )';
 		}
 
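Review bot: The six `// @todo Use wpdb->prepare on this statement.` comments added here (and the same todo at the comment_type clause in the next hunk and the author/post_author clauses further down, L170-L196) suggest an open injection risk that the surrounding code appears to have already closed: every interpolated list goes through wp_parse_id_list(), which as far as I can tell reduces each entry to a non-negative integer, so these IN lists contain only integer literals and prepare() would add nothing but a placeholder per id. A todo that cannot be acted on is likely to outlive the code; documenting the invariant is more useful: `// Values are cast to absint by wp_parse_id_list(), so they are safe to interpolate.` For the comment_type clause the values look to be prepared individually above its hunk; if so, a comment stating that is preferable to a todo there too.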
@@ -732,6 +738,7 @@
 
 			if ( ! empty( $comment_types[ $operator ] ) ) {
 				$types_sql = implode( ', ', $comment_types[ $operator ] );
+				// @todo Use wpdb->prepare on this statement.
 				$this->sql_clauses['where'][ 'comment_type__' . strtolower( str_replace( ' ', '_', $operator ) ) ] = "comment_type $operator ($types_sql)";
 			}
 		}
@@ -771,8 +778,13 @@
 			$join_posts_table = true;
 			foreach ( $post_fields as $field_name => $field_value ) {
 				// $field_value may be an array.
-				$esses                                     = array_fill( 0, count( (array) $field_value ), '%s' );
-				$this->sql_clauses['where'][ $field_name ] = $wpdb->prepare( " {$wpdb->posts}.{$field_name} IN (" . implode( ',', $esses ) . ')', $field_value );
+				$esses            = implode( ', ', array_fill( 0, count( (array) $field_value ), '%s' ) );
+				$field_name_where = sprintf( " {$wpdb->posts}.{$field_name} IN ( %s )", $esses );
+
+				$this->sql_clauses['where'][ $field_name ] = $wpdb->prepare(
+					$field_name_where, // phpcs:ignore WordPress.WP.PreparedSQL.NotPrepared
+					$field_value
+				);
 			}
 		}
 
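Review bot: `sprintf( " {$wpdb->posts}.{$field_name} IN ( %s )", $esses )` passes an already-interpolated string through sprintf only to drop in the list of `%s` placeholders; plain interpolation, `$field_name_where = " {$wpdb->posts}.{$field_name} IN ( {$esses} )";`, does the same with one less formatting layer and no chance of sprintf reacting to a `%` in the interpolated part. The identical pattern is repeated in the next hunk (L158-L166), so a small private helper taking the field name and the values would remove the duplication. Since `$field_name` is inserted into the SQL unescaped, the safety of the clause rests on `$post_fields` being keyed by fixed column names (set up above the hunk); that assumption is worth stating next to the phpcs:ignore, e.g. `// $field_name is a key of the fixed column list above, not query input.`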
@@ -792,30 +804,39 @@
 
 				$join_posts_table = true;
 
-				$esses                                     = array_fill( 0, count( $q_values ), '%s' );
-				$this->sql_clauses['where'][ $field_name ] = $wpdb->prepare( " {$wpdb->posts}.{$field_name} IN (" . implode( ',', $esses ) . ')', $q_values );
+				$esses            = implode( ', ', array_fill( 0, count( $q_values ), '%s' ) );
+				$field_name_where = sprintf( " {$wpdb->posts}.{$field_name} IN ( %s )", $esses );
+
+				$this->sql_clauses['where'][ $field_name ] = $wpdb->prepare(
+					$field_name_where, // phpcs:ignore WordPress.WP.PreparedSQL.NotPrepared
+					$q_values
+				);
 			}
 		}
 
 		// Comment author IDs for an IN clause.
 		if ( ! empty( $this->query_vars['author__in'] ) ) {
+			// @todo Use wpdb->prepare on this statement.
 			$this->sql_clauses['where']['author__in'] = 'user_id IN ( ' . implode( ',', wp_parse_id_list( $this->query_vars['author__in'] ) ) . ' )';
 		}
 
 		// Comment author IDs for a NOT IN clause.
 		if ( ! empty( $this->query_vars['author__not_in'] ) ) {
+			// @todo Use wpdb->prepare on this statement.
 			$this->sql_clauses['where']['author__not_in'] = 'user_id NOT IN ( ' . implode( ',', wp_parse_id_list( $this->query_vars['author__not_in'] ) ) . ' )';
 		}
 
 		// Post author IDs for an IN clause.
 		if ( ! empty( $this->query_vars['post_author__in'] ) ) {
-			$join_posts_table                              = true;
+			$join_posts_table = true;
+			// @todo Use wpdb->prepare on this statement.
 			$this->sql_clauses['where']['post_author__in'] = 'post_author IN ( ' . implode( ',', wp_parse_id_list( $this->query_vars['post_author__in'] ) ) . ' )';
 		}
 
 		// Post author IDs for a NOT IN clause.
 		if ( ! empty( $this->query_vars['post_author__not_in'] ) ) {
-			$join_posts_table                                  = true;
+			$join_posts_table = true;
+			// @todo Use wpdb->prepare on this statement.
 			$this->sql_clauses['where']['post_author__not_in'] = 'post_author NOT IN ( ' . implode( ',', wp_parse_id_list( $this->query_vars['post_author__not_in'] ) ) . ' )';
 		}
 
@@ -888,12 +909,20 @@
 
 		$this->request = "{$this->sql_clauses['select']} {$this->sql_clauses['from']} {$where} {$this->sql_clauses['groupby']} {$this->sql_clauses['orderby']} {$this->sql_clauses['limits']}";
 
+		/*
+		 * The following ignores (WordPress.WP.PreparedSQL.NotPrepared) have been added because the query used is
+		 * build up right above. There is no possibility it can be changed from the outside (even though it is a
+		 * public class variable).
+		 *
+		 * It cannot be prepared at this location, the separate parts should be
+		 * prepared instead.
+		 */
 		if ( $this->query_vars['count'] ) {
-			return intval( $wpdb->get_var( $this->request ) );
-		} else {
-			$comment_ids = $wpdb->get_col( $this->request );
-			return array_map( 'intval', $comment_ids );
-		}
+			return intval( $wpdb->get_var( $this->request ) ); // phpcs:ignore WordPress.WP.PreparedSQL.NotPrepared
+		}
+
+		$comment_ids = $wpdb->get_col( $this->request ); // phpcs:ignore WordPress.WP.PreparedSQL.NotPrepared
+		return array_map( 'intval', $comment_ids );
 	}
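Review bot: The new block comment has a grammatical slip ("the query used is build up right above") and a comma splice in its last sentence, and its argument is stronger than it states: `$this->request` is public, but it is executed on the line directly after it is assembled, which is the only reason the "cannot be changed from the outside" claim holds. Suggest rewording the comment to `* $this->request is assembled on the line above from clauses that are prepared individually,` / `* and executed immediately, so it cannot be altered in between and cannot be passed` / `* through prepare() again as a whole.` — and keeping the assignment and the get_var()/get_col() calls adjacent so that stays true.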
 
 	/**
@@ -913,12 +942,12 @@
 			 *
 			 * @since 4.4.0
 			 *
-			 * @param string           $found_comments_query SQL query. Default 'SELECT FOUND_ROWS()'.
+			 * @param string           $found_comments_query SQL query. Default 'SELECT FOUND_ROWS()', should use wpdb->prepare.
 			 * @param WP_Comment_Query $comment_query        The `WP_Comment_Query` instance.
 			 */
 			$found_comments_query = apply_filters( 'found_comments_query', 'SELECT FOUND_ROWS()', $this );
 
-			$this->found_comments = (int) $wpdb->get_var( $found_comments_query );
+			$this->found_comments = (int) $wpdb->get_var( $found_comments_query ); // phpcs:ignore WordPress.WP.PreparedSQL.NotPrepared
 		}
 	}
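Review bot: The added docblock text "Default 'SELECT FOUND_ROWS()', should use wpdb->prepare." is ambiguous about who should prepare what — the default needs no preparation, and the advice is aimed at filter callbacks. Since the filtered value is executed as-is by the `get_var()` call below, say so: `@param string $found_comments_query SQL query. Default 'SELECT FOUND_ROWS()'. The returned query is executed unmodified, so callbacks that add variable data must build it with $wpdb->prepare().`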
 
@@ -950,7 +979,9 @@
 		$exclude_keys = array( 'parent', 'parent__in', 'parent__not_in' );
 		do {
 			// Parent-child relationships may be cached. Only query for those that are not.
-			$child_ids   = $uncached_parent_ids = array();
+			$child_ids           = array();
+			$uncached_parent_ids = array();
+
 			$_parent_ids = $levels[ $level ];
 			foreach ( $_parent_ids as $parent_id ) {
 				$cache_key        = "get_comment_child_ids:$parent_id:$key:$last_changed";
@@ -995,7 +1026,8 @@
 
 		// Prime comment caches for non-top-level comments.
 		$descendant_ids = array();
-		for ( $i = 1, $c = count( $levels ); $i < $c; $i++ ) {
+		$c              = count( $levels );
+		for ( $i = 1; $i < $c; $i ++ ) {
 			$descendant_ids = array_merge( $descendant_ids, $levels[ $i ] );
 		}
 
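Review bot: Hoisting the count out of the for-header is fine, but `$i ++` with a space is an unusual spelling for the increment and the rest of the file uses the plain form; `for ( $i = 1; $i < $c; $i++ ) {` keeps it consistent. The enclosing method continues outside this hunk.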
@@ -1009,7 +1041,9 @@
 
 		// If a threaded representation was requested, build the tree.
 		if ( 'threaded' === $this->query_vars['hierarchical'] ) {
-			$threaded_comments = $ref = array();
+			$threaded_comments = array();
+			$ref               = array();
+
 			foreach ( $all_comments as $k => $c ) {
 				$_c = get_comment( $c->comment_ID );
 
@@ -1046,9 +1080,9 @@
 	 *
 	 * @global wpdb $wpdb WordPress database abstraction object.
 	 *
-	 * @param string $string
-	 * @param array $cols
-	 * @return string
+	 * @param string $string Search string.
+	 * @param array  $cols   List of columns to search in.
+	 * @return string Prepared database query.
 	 */
 	protected function get_search_sql( $string, $cols ) {
 		global $wpdb;
@@ -1057,7 +1091,12 @@
 
 		$searches = array();
 		foreach ( $cols as $col ) {
-			$searches[] = $wpdb->prepare( "$col LIKE %s", $like );
+			/*
+			 * The following ignore (WordPress.WP.PreparedSQL.NotPrepared) has been added because
+			 * rewriting this code to have a more dynamic build-up of the query would make it
+			 * less readable/usable.
+			 */
+			$searches[] = $wpdb->prepare( "$col LIKE %s", $like ); // phpcs:ignore WordPress.WP.PreparedSQL.NotPrepared
 		}
 
 		return ' AND (' . implode( ' OR ', $searches ) . ')';
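Review bot: The justification given for the phpcs:ignore ("rewriting this code ... would make it less readable") is not the reason the line is acceptable; `$col` is interpolated into the SQL verbatim and prepare() only binds the `%s` value, so the clause is safe exactly to the extent that callers pass trusted column names. The comment should state that contract, e.g. `// $col is interpolated unescaped; callers must pass literal column names only, prepare() binds the LIKE value.`, and the `@param array $cols` line in the docblock updated in the previous hunk (L279) should carry the same constraint: `List of columns to search in. Must be trusted column names; they are inserted into the query unescaped.`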
@@ -1106,11 +1145,11 @@
 		}
 
 		$parsed = false;
-		if ( $orderby == $this->query_vars['meta_key'] || $orderby == 'meta_value' ) {
+		if ( $orderby === $this->query_vars['meta_key'] || 'meta_value' === $orderby ) {
 			$parsed = "$wpdb->commentmeta.meta_value";
-		} elseif ( $orderby == 'meta_value_num' ) {
+		} elseif ( 'meta_value_num' === $orderby ) {
 			$parsed = "$wpdb->commentmeta.meta_value+0";
-		} elseif ( $orderby == 'comment__in' ) {
+		} elseif ( 'comment__in' === $orderby ) {
 			$comment__in = implode( ',', array_map( 'absint', $this->query_vars['comment__in'] ) );
 			$parsed      = "FIELD( {$wpdb->comments}.comment_ID, $comment__in )";
 		} elseif ( in_array( $orderby, $allowed_keys ) ) {
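Review bot: The hunk tightens the three `==` comparisons on `$orderby` to `===` but leaves the loose `in_array( $orderby, $allowed_keys )` on the last line, which still applies PHP's loose comparison rules to the same value; for consistency it should be `} elseif ( in_array( $orderby, $allowed_keys, true ) ) {`. The earlier `in_array( $_orderby, array( 'comment_ID', 'comment__in' ) )` in the hunk at L41 has the same gap. The enclosing method starts and ends outside this hunk.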
