Sanitize sort_column and sort_order in get_pages(). Escape search_term in WP_User_Search. Cast blog_id to int in get_blog_prefix(). Props duck_
git-svn-id: http://svn.automattic.com/wordpress/trunk@18350 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
06fd2002c5
commit
08b6aa116e
|
@ -454,7 +454,7 @@ class WP_User_Search {
|
||||||
function WP_User_Search ($search_term = '', $page = '', $role = '') {
|
function WP_User_Search ($search_term = '', $page = '', $role = '') {
|
||||||
_deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
|
_deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
|
||||||
|
|
||||||
$this->search_term = $search_term;
|
$this->search_term = stripslashes( $search_term );
|
||||||
$this->raw_page = ( '' == $page ) ? false : (int) $page;
|
$this->raw_page = ( '' == $page ) ? false : (int) $page;
|
||||||
$this->page = (int) ( '' == $page ) ? 1 : $page;
|
$this->page = (int) ( '' == $page ) ? 1 : $page;
|
||||||
$this->role = $role;
|
$this->role = $role;
|
||||||
|
@ -485,7 +485,7 @@ class WP_User_Search {
|
||||||
$searches = array();
|
$searches = array();
|
||||||
$search_sql = 'AND (';
|
$search_sql = 'AND (';
|
||||||
foreach ( array('user_login', 'user_nicename', 'user_email', 'user_url', 'display_name') as $col )
|
foreach ( array('user_login', 'user_nicename', 'user_email', 'user_url', 'display_name') as $col )
|
||||||
$searches[] = $col . " LIKE '%$this->search_term%'";
|
$searches[] = $wpdb->prepare( $col . ' LIKE %s', '%' . like_escape($this->search_term) . '%' );
|
||||||
$search_sql .= implode(' OR ', $searches);
|
$search_sql .= implode(' OR ', $searches);
|
||||||
$search_sql .= ')';
|
$search_sql .= ')';
|
||||||
}
|
}
|
||||||
|
@ -700,4 +700,4 @@ function get_others_pending($user_id) {
|
||||||
function wp_dashboard_quick_press_output() {
|
function wp_dashboard_quick_press_output() {
|
||||||
_deprecated_function( __FUNCTION__, '3.2', 'wp_dashboard_quick_press()' );
|
_deprecated_function( __FUNCTION__, '3.2', 'wp_dashboard_quick_press()' );
|
||||||
wp_dashboard_quick_press();
|
wp_dashboard_quick_press();
|
||||||
}
|
}
|
||||||
|
|
|
@ -3448,6 +3448,43 @@ function &get_pages($args = '') {
|
||||||
$where_post_type = $wpdb->prepare( "post_type = %s AND post_status IN ('$post_status')", $post_type );
|
$where_post_type = $wpdb->prepare( "post_type = %s AND post_status IN ('$post_status')", $post_type );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$orderby_array = array();
|
||||||
|
$allowed_keys = array('author', 'post_author', 'date', 'post_date', 'title', 'post_title', 'modified',
|
||||||
|
'post_modified', 'modified_gmt', 'post_modified_gmt', 'menu_order', 'parent', 'post_parent',
|
||||||
|
'ID', 'rand', 'comment_count');
|
||||||
|
foreach ( explode( ',', $sort_column ) as $orderby ) {
|
||||||
|
$orderby = trim( $orderby );
|
||||||
|
if ( !in_array( $orderby, $allowed_keys ) )
|
||||||
|
continue;
|
||||||
|
|
||||||
|
switch ( $orderby ) {
|
||||||
|
case 'menu_order':
|
||||||
|
break;
|
||||||
|
case 'ID':
|
||||||
|
$orderby = "$wpdb->posts.ID";
|
||||||
|
break;
|
||||||
|
case 'rand':
|
||||||
|
$orderby = 'RAND()';
|
||||||
|
break;
|
||||||
|
case 'comment_count':
|
||||||
|
$orderby = "$wpdb->posts.comment_count";
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
if ( 0 === strpos( $orderby, 'post_' ) )
|
||||||
|
$orderby = "$wpdb->posts." . $orderby;
|
||||||
|
else
|
||||||
|
$orderby = "$wpdb->posts.post_" . $orderby;
|
||||||
|
}
|
||||||
|
|
||||||
|
$orderby_array[] = $orderby;
|
||||||
|
|
||||||
|
}
|
||||||
|
$sort_column = ! empty( $orderby_array ) ? implode( ',', $orderby_array ) : "$wpdb->posts.post_title";
|
||||||
|
|
||||||
|
$sort_order = strtoupper( $sort_order );
|
||||||
|
if ( '' !== $sort_order && !in_array( $sort_order, array( 'ASC', 'DESC' ) ) )
|
||||||
|
$sort_order = 'ASC';
|
||||||
|
|
||||||
$query = "SELECT * FROM $wpdb->posts $join WHERE ($where_post_type) $where ";
|
$query = "SELECT * FROM $wpdb->posts $join WHERE ($where_post_type) $where ";
|
||||||
$query .= $author_query;
|
$query .= $author_query;
|
||||||
$query .= " ORDER BY " . $sort_column . " " . $sort_order ;
|
$query .= " ORDER BY " . $sort_column . " " . $sort_order ;
|
||||||
|
|
|
@ -626,6 +626,7 @@ class wpdb {
|
||||||
if ( is_multisite() ) {
|
if ( is_multisite() ) {
|
||||||
if ( null === $blog_id )
|
if ( null === $blog_id )
|
||||||
$blog_id = $this->blogid;
|
$blog_id = $this->blogid;
|
||||||
|
$blog_id = (int) $blog_id;
|
||||||
if ( defined( 'MULTISITE' ) && ( 0 == $blog_id || 1 == $blog_id ) )
|
if ( defined( 'MULTISITE' ) && ( 0 == $blog_id || 1 == $blog_id ) )
|
||||||
return $this->base_prefix;
|
return $this->base_prefix;
|
||||||
else
|
else
|
||||||
|
|
Loading…
Reference in New Issue