Fix escaping of post meta, props DD32, fixes #7768
git-svn-id: http://svn.automattic.com/wordpress/trunk@9116 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
f5d0646a92
commit
6ba8661a1f
|
@ -499,10 +499,9 @@ function add_meta( $post_ID ) {
|
||||||
|
|
||||||
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
|
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
|
||||||
|
|
||||||
$metakeyselect = $wpdb->escape( stripslashes( trim( $_POST['metakeyselect'] ) ) );
|
$metakeyselect = stripslashes( trim( $_POST['metakeyselect'] ) );
|
||||||
$metakeyinput = $wpdb->escape( stripslashes( trim( $_POST['metakeyinput'] ) ) );
|
$metakeyinput = stripslashes( trim( $_POST['metakeyinput'] ) );
|
||||||
$metavalue = maybe_serialize( stripslashes( (trim( $_POST['metavalue'] ) ) ));
|
$metavalue = maybe_serialize( stripslashes( trim( $_POST['metavalue'] ) ) );
|
||||||
$metavalue = $wpdb->escape( $metavalue );
|
|
||||||
|
|
||||||
if ( ('0' === $metavalue || !empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
|
if ( ('0' === $metavalue || !empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
|
||||||
// We have a key/value pair. If both the select and the
|
// We have a key/value pair. If both the select and the
|
||||||
|
@ -519,9 +518,7 @@ function add_meta( $post_ID ) {
|
||||||
|
|
||||||
wp_cache_delete($post_ID, 'post_meta');
|
wp_cache_delete($post_ID, 'post_meta');
|
||||||
|
|
||||||
$wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta
|
$wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value ) VALUES (%s, %s, %s)", $post_ID, $metakey, $metavalue) );
|
||||||
(post_id,meta_key,meta_value ) VALUES (%s, %s, %s)",
|
|
||||||
$post_ID, $metakey, $metavalue) );
|
|
||||||
return $wpdb->insert_id;
|
return $wpdb->insert_id;
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
|
|
|
@ -519,6 +519,7 @@ function add_post_meta($post_id, $meta_key, $meta_value, $unique = false) {
|
||||||
|
|
||||||
// expected_slashed ($meta_key)
|
// expected_slashed ($meta_key)
|
||||||
$meta_key = stripslashes($meta_key);
|
$meta_key = stripslashes($meta_key);
|
||||||
|
$meta_value = stripslashes($meta_value);
|
||||||
|
|
||||||
if ( $unique && $wpdb->get_var( $wpdb->prepare( "SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $meta_key, $post_id ) ) )
|
if ( $unique && $wpdb->get_var( $wpdb->prepare( "SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $meta_key, $post_id ) ) )
|
||||||
return false;
|
return false;
|
||||||
|
@ -631,6 +632,7 @@ function update_post_meta($post_id, $meta_key, $meta_value, $prev_value = '') {
|
||||||
|
|
||||||
// expected_slashed ($meta_key)
|
// expected_slashed ($meta_key)
|
||||||
$meta_key = stripslashes($meta_key);
|
$meta_key = stripslashes($meta_key);
|
||||||
|
$meta_value = stripslashes($meta_value);
|
||||||
|
|
||||||
if ( ! $wpdb->get_var( $wpdb->prepare( "SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $meta_key, $post_id ) ) ) {
|
if ( ! $wpdb->get_var( $wpdb->prepare( "SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $meta_key, $post_id ) ) ) {
|
||||||
return add_post_meta($post_id, $meta_key, $meta_value);
|
return add_post_meta($post_id, $meta_key, $meta_value);
|
||||||
|
|
Loading…
Reference in New Issue