From f6e6b587259b46bff2061ba0ced7d819ab9d9bf5 Mon Sep 17 00:00:00 2001 From: Dominik Schilling Date: Thu, 26 Jan 2017 13:51:29 +0000 Subject: [PATCH] Query: Ensure that queries work correctly with post type names with special characters. Merge of [39952] to the 4.3 branch. Built from https://develop.svn.wordpress.org/branches/4.3@39960 git-svn-id: http://core.svn.wordpress.org/branches/4.3@39897 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/query.php | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/wp-includes/query.php b/wp-includes/query.php index 7cbac9db88..d337222a35 100644 --- a/wp-includes/query.php +++ b/wp-includes/query.php @@ -2941,14 +2941,15 @@ class WP_Query { if ( 'any' == $post_type ) { $in_search_post_types = get_post_types( array('exclude_from_search' => false) ); - if ( empty( $in_search_post_types ) ) + if ( empty( $in_search_post_types ) ) { $where .= ' AND 1=0 '; - else - $where .= " AND $wpdb->posts.post_type IN ('" . join("', '", $in_search_post_types ) . "')"; + } else { + $where .= " AND {$wpdb->posts}.post_type IN ('" . join( "', '", array_map( 'esc_sql', $in_search_post_types ) ) . "')"; + } } elseif ( !empty( $post_type ) && is_array( $post_type ) ) { - $where .= " AND $wpdb->posts.post_type IN ('" . join("', '", $post_type) . "')"; + $where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", esc_sql( $post_type ) ) . "')"; } elseif ( ! empty( $post_type ) ) { - $where .= " AND $wpdb->posts.post_type = '$post_type'"; + $where .= $wpdb->prepare( " AND {$wpdb->posts}.post_type = %s", $post_type ); $post_type_object = get_post_type_object ( $post_type ); } elseif ( $this->is_attachment ) { $where .= " AND $wpdb->posts.post_type = 'attachment'";