Replace all uses of `like_escape()` with `$wpdb->esc_like()`.

Props miqrogroove.
See #10041.

Built from https://develop.svn.wordpress.org/trunk@28712


git-svn-id: http://core.svn.wordpress.org/trunk@28528 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Scott Taylor 2014-06-10 00:44:15 +00:00
parent 82bdc78500
commit 05eeb16e30
19 changed files with 122 additions and 76 deletions

View File

@ -38,8 +38,6 @@ class WP_MS_Sites_List_Table extends WP_List_Table {
$s = trim($s, '*'); $s = trim($s, '*');
} }
$like_s = esc_sql( like_escape( $s ) );
// If the network is large and a search is not being performed, show only the latest blogs with no paging in order // If the network is large and a search is not being performed, show only the latest blogs with no paging in order
// to avoid expensive count queries. // to avoid expensive count queries.
if ( !$s && wp_is_large_network() ) { if ( !$s && wp_is_large_network() ) {
@ -58,7 +56,8 @@ class WP_MS_Sites_List_Table extends WP_List_Table {
preg_match( '/^[0-9]{1,3}\.[0-9]{1,3}\.?$/', $s ) || preg_match( '/^[0-9]{1,3}\.[0-9]{1,3}\.?$/', $s ) ||
preg_match( '/^[0-9]{1,3}\.$/', $s ) ) { preg_match( '/^[0-9]{1,3}\.$/', $s ) ) {
// IPv4 address // IPv4 address
$reg_blog_ids = $wpdb->get_col( "SELECT blog_id FROM {$wpdb->registration_log} WHERE {$wpdb->registration_log}.IP LIKE ( '{$like_s}$wild' )" ); $sql = $wpdb->prepare( "SELECT blog_id FROM {$wpdb->registration_log} WHERE {$wpdb->registration_log}.IP LIKE %s", $wpdb->esc_like( $s ) . $wild );
$reg_blog_ids = $wpdb->get_col( $sql );
if ( !$reg_blog_ids ) if ( !$reg_blog_ids )
$reg_blog_ids = array( 0 ); $reg_blog_ids = array( 0 );
@ -69,17 +68,18 @@ class WP_MS_Sites_List_Table extends WP_List_Table {
AND {$wpdb->blogs}.blog_id IN (" . implode( ', ', $reg_blog_ids ) . ")"; AND {$wpdb->blogs}.blog_id IN (" . implode( ', ', $reg_blog_ids ) . ")";
} else { } else {
if ( is_numeric($s) && empty( $wild ) ) { if ( is_numeric($s) && empty( $wild ) ) {
$query .= " AND ( {$wpdb->blogs}.blog_id = '{$like_s}' )"; $query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.blog_id = %s )", $s );
} elseif ( is_subdomain_install() ) { } elseif ( is_subdomain_install() ) {
$blog_s = str_replace( '.' . $current_site->domain, '', $like_s ); $blog_s = str_replace( '.' . $current_site->domain, '', $s );
$blog_s .= $wild . '.' . $current_site->domain; $blog_s = $wpdb->esc_like( $blog_s ) . $wild . $wpdb->esc_like( '.' . $current_site->domain );
$query .= " AND ( {$wpdb->blogs}.domain LIKE '$blog_s' ) "; $query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.domain LIKE %s ) ", $blog_s );
} else { } else {
if ( $like_s != trim('/', $current_site->path) ) if ( $s != trim('/', $current_site->path) ) {
$blog_s = $current_site->path . $like_s . $wild . '/'; $blog_s = $wpdb->esc_like( $current_site->path . $s ) . $wild . $wpdb->esc_like( '/' );
else } else {
$blog_s = $like_s; $blog_s = $wpdb->esc_like( $s );
$query .= " AND ( {$wpdb->blogs}.path LIKE '$blog_s' )"; }
$query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.path LIKE %s )", $blog_s );
} }
} }

View File

@ -553,18 +553,20 @@ function populate_options() {
// The multi-table delete syntax is used to delete the transient record from table a, // The multi-table delete syntax is used to delete the transient record from table a,
// and the corresponding transient_timeout record from table b. // and the corresponding transient_timeout record from table b.
$time = time(); $time = time();
$wpdb->query("DELETE a, b FROM $wpdb->options a, $wpdb->options b WHERE $sql = "DELETE a, b FROM $wpdb->options a, $wpdb->options b
a.option_name LIKE '\_transient\_%' AND WHERE a.option_name LIKE %s
a.option_name NOT LIKE '\_transient\_timeout\_%' AND AND a.option_name NOT LIKE %s
b.option_name = CONCAT( '_transient_timeout_', SUBSTRING( a.option_name, 12 ) ) AND b.option_name = CONCAT( '_transient_timeout_', SUBSTRING( a.option_name, 12 ) )
AND b.option_value < $time"); AND b.option_value < %d";
$wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_transient_' ) . '%', $wpdb->esc_like( '_transient_timeout_' ) . '%', $time ) );
if ( is_main_site() && is_main_network() ) { if ( is_main_site() && is_main_network() ) {
$wpdb->query("DELETE a, b FROM $wpdb->options a, $wpdb->options b WHERE $sql = "DELETE a, b FROM $wpdb->options a, $wpdb->options b
a.option_name LIKE '\_site\_transient\_%' AND WHERE a.option_name LIKE %s
a.option_name NOT LIKE '\_site\_transient\_timeout\_%' AND AND a.option_name NOT LIKE %s
b.option_name = CONCAT( '_site_transient_timeout_', SUBSTRING( a.option_name, 17 ) ) AND b.option_name = CONCAT( '_site_transient_timeout_', SUBSTRING( a.option_name, 17 ) )
AND b.option_value < $time"); AND b.option_value < %d";
$wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_site_transient_' ) . '%', $wpdb->esc_like( '_site_transient_timeout_' ) . '%', $time ) );
} }
} }

View File

@ -632,14 +632,14 @@ function meta_form( $post = null ) {
* *
* @param int $limit Number of custom fields to retrieve. Default 30. * @param int $limit Number of custom fields to retrieve. Default 30.
*/ */
$limit = (int) apply_filters( 'postmeta_form_limit', 30 ); $limit = apply_filters( 'postmeta_form_limit', 30 );
$keys = $wpdb->get_col( " $sql = "SELECT meta_key
SELECT meta_key
FROM $wpdb->postmeta FROM $wpdb->postmeta
GROUP BY meta_key GROUP BY meta_key
HAVING meta_key NOT LIKE '\_%' HAVING meta_key NOT LIKE %s
ORDER BY meta_key ORDER BY meta_key
LIMIT $limit" ); LIMIT %d";
$keys = $wpdb->get_col( $wpdb->prepare( $sql, $wpdb->esc_like( '_' ) . '%', $limit ) );
if ( $keys ) { if ( $keys ) {
natcasesort( $keys ); natcasesort( $keys );
$meta_key_input_id = 'metakeyselect'; $meta_key_input_id = 'metakeyselect';

View File

@ -465,9 +465,11 @@ function upgrade_100() {
} }
} }
$wpdb->query("UPDATE $wpdb->options SET option_value = REPLACE(option_value, 'wp-links/links-images/', 'wp-images/links/') $sql = "UPDATE $wpdb->options
WHERE option_name LIKE 'links_rating_image%' SET option_value = REPLACE(option_value, 'wp-links/links-images/', 'wp-images/links/')
AND option_value LIKE 'wp-links/links-images/%'"); WHERE option_name LIKE %s
AND option_value LIKE %s";
$wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( 'links_rating_image' ) . '%', $wpdb->esc_like( 'wp-links/links-images/' ) . '%' ) );
$done_ids = $wpdb->get_results("SELECT DISTINCT post_id FROM $wpdb->post2cat"); $done_ids = $wpdb->get_results("SELECT DISTINCT post_id FROM $wpdb->post2cat");
if ($done_ids) : if ($done_ids) :
@ -1100,9 +1102,28 @@ function upgrade_300() {
// 3.0 screen options key name changes. // 3.0 screen options key name changes.
if ( is_main_site() && !defined('DO_NOT_UPGRADE_GLOBAL_TABLES') ) { if ( is_main_site() && !defined('DO_NOT_UPGRADE_GLOBAL_TABLES') ) {
$prefix = like_escape($wpdb->base_prefix); $sql = "DELETE FROM $wpdb->usermeta
$wpdb->query( "DELETE FROM $wpdb->usermeta WHERE meta_key LIKE '{$prefix}%meta-box-hidden%' OR meta_key LIKE '{$prefix}%closedpostboxes%' OR meta_key LIKE '{$prefix}%manage-%-columns-hidden%' OR meta_key LIKE '{$prefix}%meta-box-order%' OR meta_key LIKE '{$prefix}%metaboxorder%' OR meta_key LIKE '{$prefix}%screen_layout%' WHERE meta_key LIKE %s
OR meta_key = 'manageedittagscolumnshidden' OR meta_key='managecategoriescolumnshidden' OR meta_key = 'manageedit-tagscolumnshidden' OR meta_key = 'manageeditcolumnshidden' OR meta_key = 'categories_per_page' OR meta_key = 'edit_tags_per_page'" ); OR meta_key LIKE %s
OR meta_key LIKE %s
OR meta_key LIKE %s
OR meta_key LIKE %s
OR meta_key LIKE %s
OR meta_key = 'manageedittagscolumnshidden'
OR meta_key = 'managecategoriescolumnshidden'
OR meta_key = 'manageedit-tagscolumnshidden'
OR meta_key = 'manageeditcolumnshidden'
OR meta_key = 'categories_per_page'
OR meta_key = 'edit_tags_per_page'";
$prefix = $wpdb->esc_like( $wpdb->base_prefix );
$wpdb->query( $wpdb->prepare( $sql,
$prefix . '%' . $wpdb->esc_like( 'meta-box-hidden' ) . '%',
$prefix . '%' . $wpdb->esc_like( 'closedpostboxes' ) . '%',
$prefix . '%' . $wpdb->esc_like( 'manage-' ) . '%' . $wpdb->esc_like( '-columns-hidden' ) . '%',
$prefix . '%' . $wpdb->esc_like( 'meta-box-order' ) . '%',
$prefix . '%' . $wpdb->esc_like( 'metaboxorder' ) . '%',
$prefix . '%' . $wpdb->esc_like( 'screen_layout' ) . '%'
) );
} }
} }
@ -1284,11 +1305,12 @@ function upgrade_network() {
// The multi-table delete syntax is used to delete the transient record from table a, // The multi-table delete syntax is used to delete the transient record from table a,
// and the corresponding transient_timeout record from table b. // and the corresponding transient_timeout record from table b.
$time = time(); $time = time();
$wpdb->query("DELETE a, b FROM $wpdb->sitemeta a, $wpdb->sitemeta b WHERE $sql = "DELETE a, b FROM $wpdb->sitemeta a, $wpdb->sitemeta b
a.meta_key LIKE '\_site\_transient\_%' AND WHERE a.meta_key LIKE %s
a.meta_key NOT LIKE '\_site\_transient\_timeout\_%' AND AND a.meta_key NOT LIKE %s
b.meta_key = CONCAT( '_site_transient_timeout_', SUBSTRING( a.meta_key, 17 ) ) AND b.meta_key = CONCAT( '_site_transient_timeout_', SUBSTRING( a.meta_key, 17 ) )
AND b.meta_value < $time"); AND b.meta_value < %d";
$wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_site_transient_' ) . '%', $wpdb->esc_like ( '_site_transient_timeout_' ) . '%', $time ) );
} }
// 2.8 // 2.8
@ -1382,13 +1404,18 @@ function upgrade_network() {
*/ */
function maybe_create_table($table_name, $create_ddl) { function maybe_create_table($table_name, $create_ddl) {
global $wpdb; global $wpdb;
if ( $wpdb->get_var("SHOW TABLES LIKE '$table_name'") == $table_name )
$query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $table_name ) );
if ( $wpdb->get_var( $query ) == $table_name ) {
return true; return true;
}
//didn't find it try to create it. //didn't find it try to create it.
$wpdb->query($create_ddl); $wpdb->query($create_ddl);
// we cannot directly tell that whether this succeeded! // we cannot directly tell that whether this succeeded!
if ( $wpdb->get_var("SHOW TABLES LIKE '$table_name'") == $table_name ) if ( $wpdb->get_var( $query ) == $table_name ) {
return true; return true;
}
return false; return false;
} }

View File

@ -74,7 +74,9 @@ function display_header() {
*/ */
function display_setup_form( $error = null ) { function display_setup_form( $error = null ) {
global $wpdb; global $wpdb;
$user_table = ( $wpdb->get_var("SHOW TABLES LIKE '$wpdb->users'") != null );
$sql = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->users ) );
$user_table = ( $wpdb->get_var( $sql ) != null );
// Ensure that Blogs appear in search engines by default // Ensure that Blogs appear in search engines by default
$blog_public = 1; $blog_public = 1;

View File

@ -36,8 +36,10 @@ if ( ! defined( 'WP_ALLOW_REPAIR' ) ) {
$tables = $wpdb->tables(); $tables = $wpdb->tables();
// Sitecategories may not exist if global terms are disabled. // Sitecategories may not exist if global terms are disabled.
if ( is_multisite() && ! $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->sitecategories'" ) ) $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->sitecategories ) );
if ( is_multisite() && ! $wpdb->get_var( $query ) ) {
unset( $tables['sitecategories'] ); unset( $tables['sitecategories'] );
}
/** /**
* Filter additional database tables to repair. * Filter additional database tables to repair.

View File

@ -39,8 +39,11 @@ foreach ( $wpdb->tables( 'ms_global' ) as $table => $prefixed_table )
*/ */
function network_domain_check() { function network_domain_check() {
global $wpdb; global $wpdb;
if ( $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->site'" ) )
$sql = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->site ) );
if ( $wpdb->get_var( $sql ) ) {
return $wpdb->get_var( "SELECT domain FROM $wpdb->site ORDER BY id ASC LIMIT 1" ); return $wpdb->get_var( "SELECT domain FROM $wpdb->site ORDER BY id ASC LIMIT 1" );
}
return false; return false;
} }

View File

@ -113,7 +113,14 @@ if ( ! empty( $messages ) ) {
<table class="form-table"> <table class="form-table">
<?php <?php
$blog_prefix = $wpdb->get_blog_prefix( $id ); $blog_prefix = $wpdb->get_blog_prefix( $id );
$options = $wpdb->get_results( "SELECT * FROM {$blog_prefix}options WHERE option_name NOT LIKE '\_%' AND option_name NOT LIKE '%user_roles'" ); $sql = "SELECT * FROM {$blog_prefix}options
WHERE option_name NOT LIKE %s
AND option_name NOT LIKE %s";
$query = $wpdb->prepare( $sql,
$wpdb->esc_like( '_' ) . '%',
'%' . $wpdb->esc_like( 'user_roles' )
);
$options = $wpdb->get_results( $query );
foreach ( $options as $option ) { foreach ( $options as $option ) {
if ( $option->option_name == 'default_role' ) if ( $option->option_name == 'default_role' )
$editblog_default_role = $option->option_value; $editblog_default_role = $option->option_value;

View File

@ -208,8 +208,8 @@ function get_bookmarks( $args = '' ) {
$search = ''; $search = '';
if ( ! empty( $r['search'] ) ) { if ( ! empty( $r['search'] ) ) {
$search = esc_sql( like_escape( $r['search'] ) ); $like = '%' . $wpdb->esc_like( $r['search'] ) . '%';
$search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) "; $search = $wpdb->prepare(" AND ( (link_url LIKE %s) OR (link_name LIKE %s) OR (link_description LIKE %s) ) ", $like, $like, $like );
} }
$category_query = ''; $category_query = '';

View File

@ -504,7 +504,7 @@ function redirect_guess_404_permalink() {
global $wpdb, $wp_rewrite; global $wpdb, $wp_rewrite;
if ( get_query_var('name') ) { if ( get_query_var('name') ) {
$where = $wpdb->prepare("post_name LIKE %s", like_escape( get_query_var('name') ) . '%'); $where = $wpdb->prepare("post_name LIKE %s", $wpdb->esc_like( get_query_var('name') ) . '%');
// if any of post_type, year, monthnum, or day are set, use them to refine the query // if any of post_type, year, monthnum, or day are set, use them to refine the query
if ( get_query_var('post_type') ) if ( get_query_var('post_type') )

View File

@ -5764,7 +5764,7 @@ class wp_xmlrpc_server extends IXR_Server {
} elseif ( is_string($urltest['fragment']) ) { } elseif ( is_string($urltest['fragment']) ) {
// ...or a string #title, a little more complicated // ...or a string #title, a little more complicated
$title = preg_replace('/[^a-z0-9]/i', '.', $urltest['fragment']); $title = preg_replace('/[^a-z0-9]/i', '.', $urltest['fragment']);
$sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", like_escape( $title ) ); $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", $title );
if (! ($post_ID = $wpdb->get_var($sql)) ) { if (! ($post_ID = $wpdb->get_var($sql)) ) {
// returning unknown error '0' is better than die()ing // returning unknown error '0' is better than die()ing
return $this->pingback_error( 0, '' ); return $this->pingback_error( 0, '' );

View File

@ -481,11 +481,11 @@ class WP_Comment_Query {
* @return string * @return string
*/ */
protected function get_search_sql( $string, $cols ) { protected function get_search_sql( $string, $cols ) {
$string = esc_sql( like_escape( $string ) ); global $wpdb;
$searches = array(); $searches = array();
foreach ( $cols as $col ) foreach ( $cols as $col )
$searches[] = "$col LIKE '%$string%'"; $searches[] = $wpdb->prepare( "$col LIKE %s", $wpdb->esc_like( $string ) );
return ' AND (' . implode(' OR ', $searches) . ')'; return ' AND (' . implode(' OR ', $searches) . ')';
} }

View File

@ -479,7 +479,7 @@ function do_enclose( $content, $post_ID ) {
foreach ( $pung as $link_test ) { foreach ( $pung as $link_test ) {
if ( ! in_array( $link_test, $post_links_temp ) ) { // link no longer in post if ( ! in_array( $link_test, $post_links_temp ) ) { // link no longer in post
$mids = $wpdb->get_col( $wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, like_escape( $link_test ) . '%') ); $mids = $wpdb->get_col( $wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE %s", $post_ID, $wpdb->esc_like( $link_test ) . '%') );
foreach ( $mids as $mid ) foreach ( $mids as $mid )
delete_metadata_by_mid( 'post', $mid ); delete_metadata_by_mid( 'post', $mid );
} }
@ -498,7 +498,7 @@ function do_enclose( $content, $post_ID ) {
} }
foreach ( (array) $post_links as $url ) { foreach ( (array) $post_links as $url ) {
if ( $url != '' && !$wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, like_escape( $url ) . '%' ) ) ) { if ( $url != '' && !$wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE %s", $post_ID, $wpdb->esc_like( $url ) . '%' ) ) ) {
if ( $headers = wp_get_http_headers( $url) ) { if ( $headers = wp_get_http_headers( $url) ) {
$len = isset( $headers['content-length'] ) ? (int) $headers['content-length'] : 0; $len = isset( $headers['content-length'] ) ? (int) $headers['content-length'] : 0;

View File

@ -1047,8 +1047,8 @@ class WP_Meta_Query {
} elseif ( 'BETWEEN' == substr( $meta_compare, -7) ) { } elseif ( 'BETWEEN' == substr( $meta_compare, -7) ) {
$meta_value = array_slice( $meta_value, 0, 2 ); $meta_value = array_slice( $meta_value, 0, 2 );
$meta_compare_string = '%s AND %s'; $meta_compare_string = '%s AND %s';
} elseif ( 'LIKE' == substr( $meta_compare, -4 ) ) { } elseif ( 'LIKE' == $meta_compare || 'NOT LIKE' == $meta_compare ) {
$meta_value = '%' . like_escape( $meta_value ) . '%'; $meta_value = '%' . $wpdb->esc_like( $meta_value ) . '%';
$meta_compare_string = '%s'; $meta_compare_string = '%s';
} else { } else {
$meta_compare_string = '%s'; $meta_compare_string = '%s';

View File

@ -397,14 +397,17 @@ function ms_not_installed() {
$title = __( 'Error establishing a database connection' ); $title = __( 'Error establishing a database connection' );
$msg = '<h1>' . $title . '</h1>'; $msg = '<h1>' . $title . '</h1>';
if ( ! is_admin() ) if ( ! is_admin() ) {
die( $msg ); die( $msg );
}
$msg .= '<p>' . __( 'If your site does not display, please contact the owner of this network.' ) . ''; $msg .= '<p>' . __( 'If your site does not display, please contact the owner of this network.' ) . '';
$msg .= ' ' . __( 'If you are the owner of this network please check that MySQL is running properly and all tables are error free.' ) . '</p>'; $msg .= ' ' . __( 'If you are the owner of this network please check that MySQL is running properly and all tables are error free.' ) . '</p>';
if ( ! $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->site'" ) ) $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->site ) );
if ( ! $wpdb->get_var( $query ) ) {
$msg .= '<p>' . sprintf( __( '<strong>Database tables are missing.</strong> This means that MySQL is not running, WordPress was not installed properly, or someone deleted <code>%s</code>. You really should look at your database now.' ), $wpdb->site ) . '</p>'; $msg .= '<p>' . sprintf( __( '<strong>Database tables are missing.</strong> This means that MySQL is not running, WordPress was not installed properly, or someone deleted <code>%s</code>. You really should look at your database now.' ), $wpdb->site ) . '</p>';
else } else {
$msg .= '<p>' . sprintf( __( '<strong>Could not find site <code>%1$s</code>.</strong> Searched for table <code>%2$s</code> in database <code>%3$s</code>. Is that right?' ), rtrim( $domain . $path, '/' ), $wpdb->blogs, DB_NAME ) . '</p>'; $msg .= '<p>' . sprintf( __( '<strong>Could not find site <code>%1$s</code>.</strong> Searched for table <code>%2$s</code> in database <code>%3$s</code>. Is that right?' ), rtrim( $domain . $path, '/' ), $wpdb->blogs, DB_NAME ) . '</p>';
}
$msg .= '<p><strong>' . __( 'What do I do now?' ) . '</strong> '; $msg .= '<p><strong>' . __( 'What do I do now?' ) . '</strong> ';
$msg .= __( 'Read the <a target="_blank" href="http://codex.wordpress.org/Debugging_a_WordPress_Network">bug report</a> page. Some of the guidelines there may help you figure out what went wrong.' ); $msg .= __( 'Read the <a target="_blank" href="http://codex.wordpress.org/Debugging_a_WordPress_Network">bug report</a> page. Some of the guidelines there may help you figure out what went wrong.' );
$msg .= ' ' . __( 'If you&#8217;re still stuck with this message, then check that your database contains the following tables:' ) . '</p><ul>'; $msg .= ' ' . __( 'If you&#8217;re still stuck with this message, then check that your database contains the following tables:' ) . '</p><ul>';

View File

@ -4796,7 +4796,7 @@ function wp_delete_attachment( $post_id, $force_delete = false ) {
if ( ! empty($meta['thumb']) ) { if ( ! empty($meta['thumb']) ) {
// Don't delete the thumb if another attachment uses it // Don't delete the thumb if another attachment uses it
if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $meta['thumb'] . '%', $post_id)) ) { if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $wpdb->esc_like( $meta['thumb'] ) . '%', $post_id)) ) {
$thumbfile = str_replace(basename($file), $meta['thumb'], $file); $thumbfile = str_replace(basename($file), $meta['thumb'], $file);
/** This filter is documented in wp-admin/custom-header.php */ /** This filter is documented in wp-admin/custom-header.php */
$thumbfile = apply_filters( 'wp_delete_file', $thumbfile ); $thumbfile = apply_filters( 'wp_delete_file', $thumbfile );

View File

@ -1983,11 +1983,13 @@ class WP_Query {
$searchand = ''; $searchand = '';
$q['search_orderby_title'] = array(); $q['search_orderby_title'] = array();
foreach ( $q['search_terms'] as $term ) { foreach ( $q['search_terms'] as $term ) {
$term = like_escape( esc_sql( $term ) ); if ( $n ) {
if ( $n ) $like = '%' . $wpdb->esc_like( $term ) . '%';
$q['search_orderby_title'][] = "$wpdb->posts.post_title LIKE '%$term%'"; $q['search_orderby_title'][] = $wpdb->prepare( "$wpdb->posts.post_title LIKE %s", $like );
}
$search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))"; $like = $n . $wpdb->esc_like( $term ) . $n;
$search .= $wpdb->prepare( "{$searchand}(($wpdb->posts.post_title LIKE %s) OR ($wpdb->posts.post_content LIKE %s))", $like, $like );
$searchand = ' AND '; $searchand = ' AND ';
} }
@ -2086,11 +2088,11 @@ class WP_Query {
if ( $q['search_terms_count'] > 1 ) { if ( $q['search_terms_count'] > 1 ) {
$num_terms = count( $q['search_orderby_title'] ); $num_terms = count( $q['search_orderby_title'] );
$search_orderby_s = like_escape( esc_sql( $q['s'] ) ); $like = '%' . $wpdb->esc_like( $q['s'] ) . '%';
$search_orderby = '(CASE '; $search_orderby = '(CASE ';
// sentence match in 'post_title' // sentence match in 'post_title'
$search_orderby .= "WHEN $wpdb->posts.post_title LIKE '%{$search_orderby_s}%' THEN 1 "; $search_orderby .= $wpdb->prepare( "WHEN $wpdb->posts.post_title LIKE %s THEN 1 ", $like );
// sanity limit, sort as sentence when more than 6 terms // sanity limit, sort as sentence when more than 6 terms
// (few searches are longer than 6 terms and most titles are not) // (few searches are longer than 6 terms and most titles are not)
@ -2103,7 +2105,7 @@ class WP_Query {
} }
// sentence match in 'post_content' // sentence match in 'post_content'
$search_orderby .= "WHEN $wpdb->posts.post_content LIKE '%{$search_orderby_s}%' THEN 4 "; $search_orderby .= $wpdb->prepare( "WHEN $wpdb->posts.post_content LIKE %s THEN 4 ", $like );
$search_orderby .= 'ELSE 5 END)'; $search_orderby .= 'ELSE 5 END)';
} else { } else {
// single word or sentence search // single word or sentence search

View File

@ -1480,13 +1480,11 @@ function get_terms( $taxonomies, $args = '' ) {
} }
if ( ! empty( $args['name__like'] ) ) { if ( ! empty( $args['name__like'] ) ) {
$name__like = like_escape( $args['name__like'] ); $where .= $wpdb->prepare( " AND t.name LIKE %s", '%' . $wpdb->esc_like( $args['name__like'] ) . '%' );
$where .= $wpdb->prepare( " AND t.name LIKE %s", '%' . $name__like . '%' );
} }
if ( ! empty( $args['description__like'] ) ) { if ( ! empty( $args['description__like'] ) ) {
$description__like = like_escape( $args['description__like'] ); $where .= $wpdb->prepare( " AND tt.description LIKE %s", '%' . $wpdb->esc_like( $args['description__like'] ) . '%' );
$where .= $wpdb->prepare( " AND tt.description LIKE %s", '%' . $description__like . '%' );
} }
if ( '' !== $parent ) { if ( '' !== $parent ) {
@ -1517,8 +1515,8 @@ function get_terms( $taxonomies, $args = '' ) {
} }
if ( ! empty( $args['search'] ) ) { if ( ! empty( $args['search'] ) ) {
$search = like_escape( $args['search'] ); $like = '%' . $wpdb->esc_like( $args['search'] ) . '%';
$where .= $wpdb->prepare( ' AND ((t.name LIKE %s) OR (t.slug LIKE %s))', '%' . $search . '%', '%' . $search . '%' ); $where .= $wpdb->prepare( ' AND ((t.name LIKE %s) OR (t.slug LIKE %s))', $like, $like );
} }
$selects = array(); $selects = array();

View File

@ -797,16 +797,16 @@ class WP_User_Query {
* @return string * @return string
*/ */
protected function get_search_sql( $string, $cols, $wild = false ) { protected function get_search_sql( $string, $cols, $wild = false ) {
$string = esc_sql( $string ); global $wpdb;
$searches = array(); $searches = array();
$leading_wild = ( 'leading' == $wild || 'both' == $wild ) ? '%' : ''; $leading_wild = ( 'leading' == $wild || 'both' == $wild ) ? '%' : '';
$trailing_wild = ( 'trailing' == $wild || 'both' == $wild ) ? '%' : ''; $trailing_wild = ( 'trailing' == $wild || 'both' == $wild ) ? '%' : '';
foreach ( $cols as $col ) { foreach ( $cols as $col ) {
if ( 'ID' == $col ) if ( 'ID' == $col )
$searches[] = "$col = '$string'"; $searches[] = $wpdb->prepare( "$col = %s", $string );
else else
$searches[] = "$col LIKE '$leading_wild" . like_escape($string) . "$trailing_wild'"; $searches[] = $wpdb->prepare( "$col LIKE %s", $leading_wild . $wpdb->esc_like( $string ) . $trailing_wild );
} }
return ' AND (' . implode(' OR ', $searches) . ')'; return ' AND (' . implode(' OR ', $searches) . ')';
@ -1149,7 +1149,7 @@ function count_users($strategy = 'time') {
// Build a CPU-intensive query that will return concise information. // Build a CPU-intensive query that will return concise information.
$select_count = array(); $select_count = array();
foreach ( $avail_roles as $this_role => $name ) { foreach ( $avail_roles as $this_role => $name ) {
$select_count[] = "COUNT(NULLIF(`meta_value` LIKE '%\"" . like_escape( $this_role ) . "\"%', false))"; $select_count[] = $wpdb->prepare( "COUNT(NULLIF(`meta_value` LIKE %s, false))", '%' . $wpdb->esc_like( '"' . $this_role . '"' ) . '%');
} }
$select_count = implode(', ', $select_count); $select_count = implode(', ', $select_count);