prepare() for wp-includes/ bookmark.php, canonical.php, comment.php, comment-template.php. see #4553

git-svn-id: http://svn.automattic.com/wordpress/trunk@6173 1a063a9b-81f0-0310-95a4-ce76da25c4cd
markjaquith 2007-09-27 07:34:15 +00:00
parent e87e2508f5
commit 47955b3fae
4 changed files with 18 additions and 22 deletions


@ -3,8 +3,7 @@
function get_bookmark($bookmark_id, $output = OBJECT, $filter = 'raw') { function get_bookmark($bookmark_id, $output = OBJECT, $filter = 'raw') {
global $wpdb; global $wpdb;
$bookmark_id = (int) $bookmark_id; $link = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->links WHERE link_id = %d LIMIT 1", $bookmark_id));
$link = $wpdb->get_row("SELECT * FROM $wpdb->links WHERE link_id = '$bookmark_id' LIMIT 1");
$link->link_category = array_unique( wp_get_object_terms($link_id, 'link_category', 'fields=ids') ); $link->link_category = array_unique( wp_get_object_terms($link_id, 'link_category', 'fields=ids') );
$link = sanitize_bookmark($link, $filter); $link = sanitize_bookmark($link, $filter);
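Review bot: The context line right after the new prepare() call passes `$link_id` to wp_get_object_terms(), but the function's parameter is `$bookmark_id` and the only global declared is `$wpdb`, so `$link_id` is undefined and the link_category lookup runs on a null id; it should read `$link->link_category = array_unique( wp_get_object_terms($bookmark_id, 'link_category', 'fields=ids') );`. get_row() also returns null when no row matches link_id, and the next line writes a property on `$link` unconditionally, so returning early when `$link` is empty would stop a missing bookmark from being turned into a half-built object. get_bookmark()'s body continues outside the hunk.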


@ -180,15 +180,15 @@ function redirect_guess_404_permalink() {
if ( !get_query_var('name') ) if ( !get_query_var('name') )
return false; return false;
$where = "post_name LIKE '" . $wpdb->escape(get_query_var('name')) . "%'"; $where = $wpdb->prepare("post_name LIKE %s", get_query_var('name') . '%');
// if any of year, monthnum, or day are set, use them to refine the query // if any of year, monthnum, or day are set, use them to refine the query
if ( get_query_var('year') ) if ( get_query_var('year') )
$where .= " AND YEAR(post_date) = '" . $wpdb->escape(get_query_var('year')) . "'"; $where .= $wpdb->prepare(" AND YEAR(post_date) = %d", get_query_var('year'));
if ( get_query_var('monthnum') ) if ( get_query_var('monthnum') )
$where .= " AND MONTH(post_date) = '" . $wpdb->escape(get_query_var('monthnum')) . "'"; $where .= $wpdb->prepare(" AND MONTH(post_date) = %d", get_query_var('monthnum'));
if ( get_query_var('day') ) if ( get_query_var('day') )
$where .= " AND DAYOFMONTH(post_date) = '" . $wpdb->escape(get_query_var('day')) . "'"; $where .= $wpdb->prepare(" AND DAYOFMONTH(post_date) = %d", get_query_var('day'));
$post_id = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE $where AND post_status = 'publish'"); $post_id = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE $where AND post_status = 'publish'");
if ( !$post_id ) if ( !$post_id )
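Review bot: The slug from `get_query_var('name')` is concatenated with the trailing `%` and passed through `%s`, which quotes and escapes it for SQL but not for LIKE, so a `_` or `%` inside the requested slug still acts as a wildcard and the guessed permalink can resolve to an unrelated post. Escaping the LIKE metacharacters before appending the intended wildcard, `$where = $wpdb->prepare("post_name LIKE %s", addcslashes(get_query_var('name'), '_%\\') . '%');`, keeps only the trailing `%` significant. The year/monthnum/day refinements use `%d`, which matches the integer comparisons they feed. redirect_guess_404_permalink() continues outside the hunk.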


@ -288,13 +288,11 @@ function comments_template( $file = '/comments.php' ) {
// TODO: Use API instead of SELECTs. // TODO: Use API instead of SELECTs.
if ( $user_ID) { if ( $user_ID) {
$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND (comment_approved = '1' OR ( user_id = '$user_ID' AND comment_approved = '0' ) ) ORDER BY comment_date"); $comments = $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND (comment_approved = '1' OR ( user_id = %d AND comment_approved = '0' ) ) ORDER BY comment_date", $post->ID, $user_ID));
} else if ( empty($comment_author) ) { } else if ( empty($comment_author) ) {
$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date"); $comments = $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '1' ORDER BY comment_date", $post->ID));
} else { } else {
$author_db = $wpdb->escape($comment_author); $comments = $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND ( comment_approved = '1' OR ( comment_author = %s AND comment_author_email = %s AND comment_approved = '0' ) ) ORDER BY comment_date", $post->ID, $comment_author, $comment_author_email));
$email_db = $wpdb->escape($comment_author_email);
$comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND ( comment_approved = '1' OR ( comment_author = '$author_db' AND comment_author_email = '$email_db' AND comment_approved = '0' ) ) ORDER BY comment_date");
} }
// keep $comments for legacy's sake (remember $table*? ;) ) // keep $comments for legacy's sake (remember $table*? ;) )
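Review bot: The final else branch now hands `$comment_author` and `$comment_author_email` to prepare(), which escapes them itself, so these globals must arrive unslashed; the comment.php hunks in this same commit tag the values they leave string-built as `// expected_slashed`, which suggests slashed strings travel through this codebase, and a slashed value here would be double-escaped and quietly stop matching the stored pending comment. Where these globals are populated is outside the hunk, so this needs confirming, and a `// expected_unslashed ($comment_author, $comment_author_email)` comment above the branch would record the contract the same way the sibling file does. Note too that only `$comment_author` is tested with `empty()`, so when the email global is unset prepare() receives null for the second `%s`. comments_template() continues outside the hunk.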


@ -41,11 +41,12 @@ function check_comment($author, $email, $url, $comment, $user_ip, $user_agent, $
$domain = $uri['host']; $domain = $uri['host'];
$uri = parse_url( get_option('home') ); $uri = parse_url( get_option('home') );
$home_domain = $uri['host']; $home_domain = $uri['host'];
if ( $wpdb->get_var("SELECT link_id FROM $wpdb->links WHERE link_url LIKE ('%$domain%') LIMIT 1") || $domain == $home_domain ) if ( $wpdb->get_var($wpdb->prepare("SELECT link_id FROM $wpdb->links WHERE link_url LIKE (%s) LIMIT 1", '%'.$domain.'%')) || $domain == $home_domain )
return true; return true;
else else
return false; return false;
} elseif ( $author != '' && $email != '' ) { } elseif ( $author != '' && $email != '' ) {
// expected_slashed ($author, $email)
$ok_to_comment = $wpdb->get_var("SELECT comment_approved FROM $wpdb->comments WHERE comment_author = '$author' AND comment_author_email = '$email' and comment_approved = '1' LIMIT 1"); $ok_to_comment = $wpdb->get_var("SELECT comment_approved FROM $wpdb->comments WHERE comment_author = '$author' AND comment_author_email = '$email' and comment_approved = '1' LIMIT 1");
if ( ( 1 == $ok_to_comment ) && if ( ( 1 == $ok_to_comment ) &&
( empty($mod_keys) || false === strpos( $email, $mod_keys) ) ) ( empty($mod_keys) || false === strpos( $email, $mod_keys) ) )
@ -62,9 +63,7 @@ function check_comment($author, $email, $url, $comment, $user_ip, $user_agent, $
function get_approved_comments($post_id) { function get_approved_comments($post_id) {
global $wpdb; global $wpdb;
return $wpdb->get_results($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '1' ORDER BY comment_date", $post_id));
$post_id = (int) $post_id;
return $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post_id' AND comment_approved = '1' ORDER BY comment_date");
} }
@ -82,11 +81,10 @@ function &get_comment(&$comment, $output = OBJECT) {
wp_cache_add($comment->comment_ID, $comment, 'comment'); wp_cache_add($comment->comment_ID, $comment, 'comment');
$_comment = $comment; $_comment = $comment;
} else { } else {
$comment = (int) $comment;
if ( isset($GLOBALS['comment']) && ($GLOBALS['comment']->comment_ID == $comment) ) { if ( isset($GLOBALS['comment']) && ($GLOBALS['comment']->comment_ID == $comment) ) {
$_comment = & $GLOBALS['comment']; $_comment = & $GLOBALS['comment'];
} elseif ( ! $_comment = wp_cache_get($comment, 'comment') ) { } elseif ( ! $_comment = wp_cache_get($comment, 'comment') ) {
$_comment = $wpdb->get_row("SELECT * FROM $wpdb->comments WHERE comment_ID = '$comment' LIMIT 1"); $_comment = $wpdb->get_row($wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_ID = %d LIMIT 1", $comment));
wp_cache_add($_comment->comment_ID, $_comment, 'comment'); wp_cache_add($_comment->comment_ID, $_comment, 'comment');
} }
} }
@ -109,7 +107,7 @@ function &get_comment(&$comment, $output = OBJECT) {
function get_commentdata( $comment_ID, $no_cache = 0, $include_unapproved = false ) { // less flexible, but saves DB queries function get_commentdata( $comment_ID, $no_cache = 0, $include_unapproved = false ) { // less flexible, but saves DB queries
global $postc, $id, $commentdata, $wpdb; global $postc, $id, $commentdata, $wpdb;
if ( $no_cache ) { if ( $no_cache ) {
$query = "SELECT * FROM $wpdb->comments WHERE comment_ID = '$comment_ID'"; $query = $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_ID = %d", $comment_ID);
if ( false == $include_unapproved ) if ( false == $include_unapproved )
$query .= " AND comment_approved = '1'"; $query .= " AND comment_approved = '1'";
$myrow = $wpdb->get_row($query, ARRAY_A); $myrow = $wpdb->get_row($query, ARRAY_A);
@ -138,13 +136,13 @@ function get_lastcommentmodified($timezone = 'server') {
if ( !isset($cache_lastcommentmodified[$timezone]) ) { if ( !isset($cache_lastcommentmodified[$timezone]) ) {
switch ( strtolower($timezone)) { switch ( strtolower($timezone)) {
case 'gmt': case 'gmt':
$lastcommentmodified = $wpdb->get_var("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_date_gmt <= '$now' AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1"); $lastcommentmodified = $wpdb->get_var($wpdb->prepare("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_date_gmt <= %s AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1", $now));
break; break;
case 'blog': case 'blog':
$lastcommentmodified = $wpdb->get_var("SELECT comment_date FROM $wpdb->comments WHERE comment_date_gmt <= '$now' AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1"); $lastcommentmodified = $wpdb->get_var($wpdb->prepare("SELECT comment_date FROM $wpdb->comments WHERE comment_date_gmt <= %s AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1", $now));
break; break;
case 'server': case 'server':
$lastcommentmodified = $wpdb->get_var("SELECT DATE_ADD(comment_date_gmt, INTERVAL '$add_seconds_server' SECOND) FROM $wpdb->comments WHERE comment_date_gmt <= '$now' AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1"); $lastcommentmodified = $wpdb->get_var($wpdb->prepare("SELECT DATE_ADD(comment_date_gmt, INTERVAL %s SECOND) FROM $wpdb->comments WHERE comment_date_gmt <= %s AND comment_approved = '1' ORDER BY comment_date_gmt DESC LIMIT 1", $add_seconds_server, $now));
break; break;
} }
$cache_lastcommentmodified[$timezone] = $lastcommentmodified; $cache_lastcommentmodified[$timezone] = $lastcommentmodified;
@ -183,6 +181,7 @@ function wp_allow_comment($commentdata) {
extract($commentdata, EXTR_SKIP); extract($commentdata, EXTR_SKIP);
// Simple duplicate check // Simple duplicate check
// expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
$dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND ( comment_author = '$comment_author' "; $dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND ( comment_author = '$comment_author' ";
if ( $comment_author_email ) if ( $comment_author_email )
$dupe .= "OR comment_author_email = '$comment_author_email' "; $dupe .= "OR comment_author_email = '$comment_author_email' ";
@ -195,7 +194,7 @@ function wp_allow_comment($commentdata) {
if ( $user_id ) { if ( $user_id ) {
$userdata = get_userdata($user_id); $userdata = get_userdata($user_id);
$user = new WP_User($user_id); $user = new WP_User($user_id);
$post_author = $wpdb->get_var("SELECT post_author FROM $wpdb->posts WHERE ID = '$comment_post_ID' LIMIT 1"); $post_author = $wpdb->get_var($wpdb->prepare("SELECT post_author FROM $wpdb->posts WHERE ID = %d LIMIT 1", $comment_post_ID));
} }
if ( $userdata && ( $user_id == $post_author || $user->has_cap('level_9') ) ) { if ( $userdata && ( $user_id == $post_author || $user->has_cap('level_9') ) ) {
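Review bot: In the get_comment() hunk, dropping `$comment = (int) $comment;` removes more than a now-redundant SQL cast: `$comment` is a by-reference parameter and is still used unnormalised in the `$GLOBALS['comment']->comment_ID == $comment` comparison and as the `wp_cache_get($comment, 'comment')` key, so a caller that passes the id as a string may now miss the global shortcut or the cache entry and keeps the un-cast value after the call. Restoring `$comment = (int) $comment;` at the top of the else branch preserves that behaviour at no cost alongside `%d`. Separately, the check_comment() and wp_allow_comment() queries tagged `// expected_slashed` are the only ones in this diff still interpolating caller-supplied strings; if the slashing contract is meant to stay, passing `stripslashes()`-ed values through `%s` would remove the dependency on every caller doing it right. get_comment() and wp_allow_comment() both start and end outside their hunks.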