Query cleanups. Use absint, concatenate $where instead of overwriting it, make post_parent independent, sanitize post__in and post__not_in. Props mdawaffe. See #6772

git-svn-id: http://svn.automattic.com/wordpress/trunk@7906 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2008-05-08 05:17:27 +00:00
parent c25a6fe381
commit 7a0f94ffa3
1 changed files with 36 additions and 36 deletions


@ -515,17 +515,17 @@ class WP_Query {
if ( ! empty($qv['robots']) ) if ( ! empty($qv['robots']) )
$this->is_robots = true; $this->is_robots = true;
$qv['p'] = (int) $qv['p']; $qv['p'] = absint($qv['p']);
$qv['page_id'] = (int) $qv['page_id']; $qv['page_id'] = absint($qv['page_id']);
$qv['year'] = (int) $qv['year']; $qv['year'] = absint($qv['year']);
$qv['monthnum'] = (int) $qv['monthnum']; $qv['monthnum'] = absint($qv['monthnum']);
$qv['day'] = (int) $qv['day']; $qv['day'] = absint($qv['day']);
$qv['w'] = (int) $qv['w']; $qv['w'] = absint($qv['w']);
$qv['m'] = (int) $qv['m']; $qv['m'] = absint($qv['m']);
$qv['cat'] = preg_replace( '|[^0-9,-]|', '', $qv['cat'] ); // comma separated list of positive or negative integers $qv['cat'] = preg_replace( '|[^0-9,-]|', '', $qv['cat'] ); // comma separated list of positive or negative integers
if ( '' !== $qv['hour'] ) $qv['hour'] = (int) $qv['hour']; if ( '' !== $qv['hour'] ) $qv['hour'] = absint($qv['hour']);
if ( '' !== $qv['minute'] ) $qv['minute'] = (int) $qv['minute']; if ( '' !== $qv['minute'] ) $qv['minute'] = absint($qv['minute']);
if ( '' !== $qv['second'] ) $qv['second'] = (int) $qv['second']; if ( '' !== $qv['second'] ) $qv['second'] = absint($qv['second']);
// Compat. Map subpost to attachment. // Compat. Map subpost to attachment.
if ( '' != $qv['subpost'] ) if ( '' != $qv['subpost'] )
@ -533,7 +533,7 @@ class WP_Query {
if ( '' != $qv['subpost_id'] ) if ( '' != $qv['subpost_id'] )
$qv['attachment_id'] = $qv['subpost_id']; $qv['attachment_id'] = $qv['subpost_id'];
$qv['attachment_id'] = (int) $qv['attachment_id']; $qv['attachment_id'] = absint($qv['attachment_id']);
if ( ('' != $qv['attachment']) || !empty($qv['attachment_id']) ) { if ( ('' != $qv['attachment']) || !empty($qv['attachment_id']) ) {
$this->is_single = true; $this->is_single = true;
@ -624,47 +624,47 @@ class WP_Query {
if ( !is_array($qv['category__in']) || empty($qv['category__in']) ) { if ( !is_array($qv['category__in']) || empty($qv['category__in']) ) {
$qv['category__in'] = array(); $qv['category__in'] = array();
} else { } else {
$qv['category__in'] = array_map('intval', $qv['category__in']); $qv['category__in'] = array_map('absint', $qv['category__in']);
$this->is_category = true; $this->is_category = true;
} }
if ( !is_array($qv['category__not_in']) || empty($qv['category__not_in']) ) { if ( !is_array($qv['category__not_in']) || empty($qv['category__not_in']) ) {
$qv['category__not_in'] = array(); $qv['category__not_in'] = array();
} else { } else {
$qv['category__not_in'] = array_map('intval', $qv['category__not_in']); $qv['category__not_in'] = array_map('absint', $qv['category__not_in']);
} }
if ( !is_array($qv['category__and']) || empty($qv['category__and']) ) { if ( !is_array($qv['category__and']) || empty($qv['category__and']) ) {
$qv['category__and'] = array(); $qv['category__and'] = array();
} else { } else {
$qv['category__and'] = array_map('intval', $qv['category__and']); $qv['category__and'] = array_map('absint', $qv['category__and']);
$this->is_category = true; $this->is_category = true;
} }
if ( '' != $qv['tag'] ) if ( '' != $qv['tag'] )
$this->is_tag = true; $this->is_tag = true;
$qv['tag_id'] = (int) $qv['tag_id']; $qv['tag_id'] = absint($qv['tag_id']);
if ( !empty($qv['tag_id']) ) if ( !empty($qv['tag_id']) )
$this->is_tag = true; $this->is_tag = true;
if ( !is_array($qv['tag__in']) || empty($qv['tag__in']) ) { if ( !is_array($qv['tag__in']) || empty($qv['tag__in']) ) {
$qv['tag__in'] = array(); $qv['tag__in'] = array();
} else { } else {
$qv['tag__in'] = array_map('intval', $qv['tag__in']); $qv['tag__in'] = array_map('absint', $qv['tag__in']);
$this->is_tag = true; $this->is_tag = true;
} }
if ( !is_array($qv['tag__not_in']) || empty($qv['tag__not_in']) ) { if ( !is_array($qv['tag__not_in']) || empty($qv['tag__not_in']) ) {
$qv['tag__not_in'] = array(); $qv['tag__not_in'] = array();
} else { } else {
$qv['tag__not_in'] = array_map('intval', $qv['tag__not_in']); $qv['tag__not_in'] = array_map('absint', $qv['tag__not_in']);
} }
if ( !is_array($qv['tag__and']) || empty($qv['tag__and']) ) { if ( !is_array($qv['tag__and']) || empty($qv['tag__and']) ) {
$qv['tag__and'] = array(); $qv['tag__and'] = array();
} else { } else {
$qv['tag__and'] = array_map('intval', $qv['tag__and']); $qv['tag__and'] = array_map('absint', $qv['tag__and']);
$this->is_category = true; $this->is_category = true;
} }
@ -871,8 +871,7 @@ class WP_Query {
if (isset($q['page'])) { if (isset($q['page'])) {
$q['page'] = trim($q['page'], '/'); $q['page'] = trim($q['page'], '/');
$q['page'] = (int) $q['page']; $q['page'] = absint($q['page']);
$q['page'] = abs($q['page']);
} }
// If a month is specified in the querystring, load that month // If a month is specified in the querystring, load that month
@ -949,25 +948,26 @@ class WP_Query {
$where .= " AND WEEK($wpdb->posts.post_date, 1)='" . $q['w'] . "'"; $where .= " AND WEEK($wpdb->posts.post_date, 1)='" . $q['w'] . "'";
if ( intval($q['comments_popup']) ) if ( intval($q['comments_popup']) )
$q['p'] = intval($q['comments_popup']); $q['p'] = absint($q['comments_popup']);
// If an attachment is requested by number, let it supercede any post number. // If an attachment is requested by number, let it supercede any post number.
if ( $q['attachment_id'] ) if ( $q['attachment_id'] )
$q['p'] = $q['attachment_id']; $q['p'] = absint($q['attachment_id']);
// If a post number is specified, load that post // If a post number is specified, load that post
if ( $q['p'] ) if ( $q['p'] ) {
$where = " AND {$wpdb->posts}.ID = " . $q['p']; $where .= " AND {$wpdb->posts}.ID = " . $q['p'];
elseif ( $q['post_parent'] ) } elseif ( $q['post__in'] ) {
$where = $wpdb->prepare("AND $wpdb->posts.post_parent = %d ", $q['post_parent']); $post__in = implode(',', array_map( 'absint', $q['post__in'] ));
elseif ( $q['post__in'] ) { $where .= " AND {$wpdb->posts}.ID IN ($post__in)";
$post__in = "'" . implode("', '", $q['post__in']) . "'";
$where = " AND {$wpdb->posts}.ID IN ($post__in)";
} elseif ( $q['post__not_in'] ) { } elseif ( $q['post__not_in'] ) {
$post__not_in = "'" . implode("', '", $q['post__not_in']) . "'"; $post__not_in = implode(',', array_map( 'absint', $q['post__not_in'] ));
$where = " AND {$wpdb->posts}.ID NOT IN ($post__not_in)"; $where .= " AND {$wpdb->posts}.ID NOT IN ($post__not_in)";
} }
if ( $q['post_parent'] )
$where .= $wpdb->prepare( " AND $wpdb->posts.post_parent = %d ", $q['post_parent'] );
if ( $q['page_id'] ) { if ( $q['page_id'] ) {
if ( ('page' != get_option('show_on_front') ) || ( $q['page_id'] != get_option('page_for_posts') ) ) { if ( ('page' != get_option('show_on_front') ) || ( $q['page_id'] != get_option('page_for_posts') ) ) {
$q['p'] = $q['page_id']; $q['p'] = $q['page_id'];
@ -1207,15 +1207,15 @@ class WP_Query {
$eq = '!='; $eq = '!=';
$andor = 'AND'; $andor = 'AND';
$q['author'] = explode('-', $q['author']); $q['author'] = explode('-', $q['author']);
$q['author'] = ''.intval($q['author'][1]); $q['author'] = '' . absint($q['author'][1]);
} else { } else {
$eq = '='; $eq = '=';
$andor = 'OR'; $andor = 'OR';
} }
$author_array = preg_split('/[,\s]+/', $q['author']); $author_array = preg_split('/[,\s]+/', $q['author']);
$whichauthor .= " AND ($wpdb->posts.post_author ".$eq.' '.intval($author_array[0]); $whichauthor .= " AND ($wpdb->posts.post_author ".$eq.' '.absint($author_array[0]);
for ($i = 1; $i < (count($author_array)); $i = $i + 1) { for ($i = 1; $i < (count($author_array)); $i = $i + 1) {
$whichauthor .= ' '.$andor." $wpdb->posts.post_author ".$eq.' '.intval($author_array[$i]); $whichauthor .= ' '.$andor." $wpdb->posts.post_author ".$eq.' '.absint($author_array[$i]);
} }
$whichauthor .= ')'; $whichauthor .= ')';
} }
@ -1233,7 +1233,7 @@ class WP_Query {
} }
$q['author_name'] = sanitize_title($q['author_name']); $q['author_name'] = sanitize_title($q['author_name']);
$q['author'] = $wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_nicename='".$q['author_name']."'"); $q['author'] = $wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_nicename='".$q['author_name']."'");
$whichauthor .= " AND ($wpdb->posts.post_author = ".intval($q['author']).')'; $whichauthor .= " AND ($wpdb->posts.post_author = ".absint($q['author']).')';
} }
// MIME-Type stuff for attachment browsing // MIME-Type stuff for attachment browsing
@ -1373,7 +1373,7 @@ class WP_Query {
if ( empty($q['offset']) ) { if ( empty($q['offset']) ) {
$pgstrt = ''; $pgstrt = '';
$pgstrt = (intval($page) -1) * $q['posts_per_page'] . ', '; $pgstrt = ($page - 1) * $q['posts_per_page'] . ', ';
$limits = 'LIMIT '.$pgstrt.$q['posts_per_page']; $limits = 'LIMIT '.$pgstrt.$q['posts_per_page'];
} else { // we're ignoring $page and using 'offset' } else { // we're ignoring $page and using 'offset'
$q['offset'] = absint($q['offset']); $q['offset'] = absint($q['offset']);
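Review bot: The new post__in / post__not_in branches (`} elseif ( $q['post__in'] ) {` and `} elseif ( $q['post__not_in'] ) {`) still gate only on truthiness, so a scalar such as a string arriving from the query string passes the check, `array_map('absint', ...)` on a non-array yields a warning and null (a TypeError on PHP 8), and the resulting `IN ()` clause is a SQL syntax error rather than a filtered query. The category__in and tag__in handling earlier in this commit guards with `is_array()`; the same guard belongs here: `} elseif ( is_array($q['post__in']) && ! empty($q['post__in']) ) {` and `} elseif ( is_array($q['post__not_in']) && ! empty($q['post__not_in']) ) {`. The enclosing method starts and ends outside this hunk, so whether post__in is normalized to an array before this point cannot be confirmed from here. Separately, the rewritten LIMIT line `$pgstrt = ($page - 1) * $q['posts_per_page'] . ', ';` drops the intval() on $page; the arithmetic makes that term numeric regardless, but $q['posts_per_page'] is concatenated into the LIMIT unsanitized and is assigned outside the hunk — confirm it is cast to an integer there.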