Use wpdb->escape instead of addslashes to prepare DB bound data.

git-svn-id: http://svn.automattic.com/wordpress/trunk@2699 1a063a9b-81f0-0310-95a4-ce76da25c4cd
commit 91efba11adb82de4e22dbed3da8b89936c4e4a73 1 parent a79476f
ryan authored
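--- a/wp-admin/admin-functions.php
+++ b/wp-admin/admin-functions.php
@@ -448,7 +448,7 @@ function cat_rows($parent = 0, $level = 0, $categories = 0) {
 $count = $wpdb->get_var("SELECT COUNT(post_id) FROM $wpdb->post2cat WHERE category_id = $category->cat_ID");
 $pad = str_repeat('— ', $level);
 if ( $user_level > 3 )
- $edit = "<a href='categories.php?action=edit&amp;cat_ID=$category->cat_ID' class='edit'>" . __('Edit') . "</a></td><td><a href='categories.php?action=delete&amp;cat_ID=$category->cat_ID' onclick=\"return confirm('". sprintf(__("You are about to delete the category \'%s\'. All of its posts will go to the default category.\\n \'OK\' to delete, \'Cancel\' to stop."), addslashes($category->cat_name)) . "')\" class='delete'>" . __('Delete') . "</a>";
+ $edit = "<a href='categories.php?action=edit&amp;cat_ID=$category->cat_ID' class='edit'>" . __('Edit') . "</a></td><td><a href='categories.php?action=delete&amp;cat_ID=$category->cat_ID' onclick=\"return confirm('". sprintf(__("You are about to delete the category \'%s\'. All of its posts will go to the default category.\\n \'OK\' to delete, \'Cancel\' to stop."), $wpdb->escape($category->cat_name)) . "')\" class='delete'>" . __('Delete') . "</a>";
 else
 $edit = '';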
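Review bot: `$wpdb->escape($category->cat_name)` on the new `$edit` line is a SQL escaper applied to a value that lands in a JavaScript string literal inside an `onclick` attribute, not in a query, so the commit's "DB bound data" description does not fit this site. The backslash keeps a `'` from ending the JS string, but neither `addslashes` nor `$wpdb->escape` entity-encodes `"`, `<` or `&`, so a category name holding a `"` closes the attribute and the rest of the name is parsed as markup, unless `cat_name` is already entity-encoded when stored, which is not visible here. Escape for the real context instead, e.g. `wp_specialchars(addslashes($category->cat_name))` (JS-escape, then attribute-escape), assuming `wp_specialchars`, used in xmlrpc.php in this same commit, encodes double quotes. `cat_rows()` continues outside the hunk.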
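--- a/wp-admin/edit-page-form.php
+++ b/wp-admin/edit-page-form.php
@@ -132,7 +132,7 @@ function focusit() {
 <tr>
 <th scope="row"><?php _e('Delete'); ?>:</th>
 <td><?php if ('edit' == $action) : ?>
- <input name="deletepost" class="delete" type="submit" id="deletepost" tabindex="10" value="<?php _e('Delete this page') ?>" <?php echo "onclick=\"return confirm('" . sprintf(__("You are about to delete this page \'%s\'\\n \'Cancel\' to stop, \'OK\' to delete."), addslashes($post->post_title) ) . "')\""; ?> />
+ <input name="deletepost" class="delete" type="submit" id="deletepost" tabindex="10" value="<?php _e('Delete this page') ?>" <?php echo "onclick=\"return confirm('" . sprintf(__("You are about to delete this page \'%s\'\\n \'Cancel\' to stop, \'OK\' to delete."), $wpdb->escape($post->post_title) ) . "')\""; ?> />
 <?php endif; ?></td>
 </tr>
 </table>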
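Review bot: Same context mismatch as the category list: `$wpdb->escape($post->post_title)` feeds a JS string inside an `onclick` attribute, not a query. A `"` in the title ends the attribute because neither `addslashes` nor `$wpdb->escape` entity-encodes it, and `<`/`&` pass straight through; apply an HTML-attribute escape after the backslash escaping, e.g. `wp_specialchars(addslashes($post->post_title))`, assuming `wp_specialchars` encodes `"`. Whether `post_title` can hold a raw `"` depends on how it was saved, which this hunk does not show.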
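--- a/wp-admin/import-blogger.php
+++ b/wp-admin/import-blogger.php
@@ -62,16 +62,16 @@
 //$post_number = $postinfo[3];
 $post_title = $postinfo[4];
- $post_author = trim(addslashes($postinfo[1]));
+ $post_author = trim($wpdb->escape($postinfo[1]));
 // we'll check the author is registered already
 $user = $wpdb->get_row("SELECT * FROM $wpdb->users WHERE user_login = '$post_author'");
 if (!$user) { // seems s/he's not, so let's register
 $user_joindate = '1979-06-06 00:41:00'; // that's my birthdate (gmt+1) - I could choose any other date. You could change the date too. Just remember the year must be >=1970 or the world would just randomly fall on your head (everything might look fine, and then blam! major headache!)
- $user_login = addslashes($post_author);
- $pass1 = addslashes('password');
- $user_email = addslashes('user@wordpress.org');
- $user_url = addslashes('');
- $user_joindate = addslashes($user_joindate);
+ $user_login = $wpdb->escape($post_author);
+ $pass1 = $wpdb->escape('password');
+ $user_email = $wpdb->escape('user@wordpress.org');
+ $user_url = $wpdb->escape('');
+ $user_joindate = $wpdb->escape($user_joindate);
 $result = $wpdb->query("
 INSERT INTO $wpdb->users (
 user_login,
@@ -111,10 +111,10 @@
 $post_date = "$postyear-$postmonth-$postday $posthour:$postminute:$postsecond";
- $post_content = addslashes($post_content);
+ $post_content = $wpdb->escape($post_content);
 $post_content = str_replace('<br>', '<br />', $post_content); // the XHTML touch... ;)
- $post_title = addslashes($post_title);
+ $post_title = $wpdb->escape($post_title);
 // Quick-n-dirty check for dups:
 $dupcheck = $wpdb->get_results("SELECT ID,post_date,post_title FROM $wpdb->posts WHERE post_date='$post_date' AND post_title='$post_title' LIMIT 1",ARRAY_A);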
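Review bot: `$post_author` is already escaped by `trim($wpdb->escape($postinfo[1]))` and is escaped a second time on `$user_login = $wpdb->escape($post_author);` before the INSERT, so an author name containing a quote or backslash is stored with doubled backslashes and the `user_login = '$post_author'` lookup will not find it on the next run, creating a duplicate user. Escape once, at the point of use: `$user_login = $post_author;`. Separately, every auto-registered author gets the fixed password `'password'`; a per-user random value would be safer, assuming the INSERT that continues outside the hunk hashes `$pass1` before storing it.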
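--- a/wp-admin/import-greymatter.php
+++ b/wp-admin/import-greymatter.php
@@ -90,12 +90,12 @@ function gm2autobr($string) { // transforms GM's |*| into wp's <br />\n
 $s=$userdata[4];
 $user_joindate=substr($s,6,4)."-".substr($s,0,2)."-".substr($s,3,2)." 00:00:00";
- $user_login=addslashes($userdata[0]);
- $pass1=addslashes($userdata[1]);
- $user_nickname=addslashes($userdata[0]);
- $user_email=addslashes($userdata[2]);
- $user_url=addslashes($userdata[3]);
- $user_joindate=addslashes($user_joindate);
+ $user_login=$wpdb->escape($userdata[0]);
+ $pass1=$wpdb->escape($userdata[1]);
+ $user_nickname=$wpdb->escape($userdata[0]);
+ $user_email=$wpdb->escape($userdata[2]);
+ $user_url=$wpdb->escape($userdata[3]);
+ $user_joindate=$wpdb->escape($user_joindate);
 $loginthere = $wpdb->get_var("SELECT user_login FROM $wpdb->users WHERE user_login = '$user_login'");
 if ($loginthere) {
@@ -147,18 +147,18 @@ function gm2autobr($string) { // transforms GM's |*| into wp's <br />\n
 $postmaincontent=gm2autobr($entry[2]);
 $postmorecontent=gm2autobr($entry[3]);
- $post_author=trim(addslashes($postinfo[1]));
+ $post_author=trim($wpdb->escape($postinfo[1]));
 // we'll check the author is registered, or if it's a deleted author
 $sql = "SELECT * FROM $wpdb->users WHERE user_login = '$post_author'";
 $result = $wpdb->query($sql);
 if (! $result) { // if deleted from GM, we register the author as a level 0 user in wp
 $user_joindate="1979-06-06 00:41:00";
- $user_login=addslashes($post_author);
- $pass1=addslashes("password");
- $user_nickname=addslashes($post_author);
- $user_email=addslashes("user@deleted.com");
- $user_url=addslashes("");
- $user_joindate=addslashes($user_joindate);
+ $user_login=$wpdb->escape($post_author);
+ $pass1=$wpdb->escape("password");
+ $user_nickname=$wpdb->escape($post_author);
+ $user_email=$wpdb->escape("user@deleted.com");
+ $user_url=$wpdb->escape("");
+ $user_joindate=$wpdb->escape($user_joindate);
 $query = "INSERT INTO $wpdb->users (user_login,user_pass,user_email,user_url,user_registered,user_level) VALUES ('$user_login','$pass1','$user_email','$user_url','$user_joindate','0')";
 $result = $wpdb->query($query);
 if ($result==false) {
@@ -171,7 +171,7 @@ function gm2autobr($string) { // transforms GM's |*| into wp's <br />\n
 $post_author_ID = $wpdb->get_var($sql);
 $post_title=gm2autobr($postinfo[2]);
- $post_title=addslashes($post_title);
+ $post_title=$wpdb->escape($post_title);
 $postyear=$postinfo[6];
 $postmonth=zeroise($postinfo[4],2);
@@ -188,7 +188,7 @@ function gm2autobr($string) { // transforms GM's |*| into wp's <br />\n
 $post_content=$postmaincontent;
 if (strlen($postmorecontent)>3)
 $post_content .= "<!--more--><br /><br />".$postmorecontent;
- $post_content=addslashes($post_content);
+ $post_content=$wpdb->escape($post_content);
 $post_karma=$postinfo[12];
@@ -222,10 +222,10 @@ function gm2autobr($string) { // transforms GM's |*| into wp's <br />\n
 $entry[$j]=gm2autobr($entry[$j]);
 $commentinfo=explode("|",$entry[$j]);
 $comment_post_ID=$post_ID;
- $comment_author=addslashes($commentinfo[0]);
- $comment_author_email=addslashes($commentinfo[2]);
- $comment_author_url=addslashes($commentinfo[3]);
- $comment_author_IP=addslashes($commentinfo[1]);
+ $comment_author=$wpdb->escape($commentinfo[0]);
+ $comment_author_email=$wpdb->escape($commentinfo[2]);
+ $comment_author_url=$wpdb->escape($commentinfo[3]);
+ $comment_author_IP=$wpdb->escape($commentinfo[1]);
 $commentyear=$commentinfo[7];
 $commentmonth=zeroise($commentinfo[5],2);
@@ -237,7 +237,7 @@ function gm2autobr($string) { // transforms GM's |*| into wp's <br />\n
 $commenthour=$commenthour+12;
 $comment_date="$commentyear-$commentmonth-$commentday $commenthour:$commentminute:$commentsecond";
- $comment_content=addslashes($commentinfo[12]);
+ $comment_content=$wpdb->escape($commentinfo[12]);
 $sql3 = "INSERT INTO $wpdb->comments (comment_post_ID,comment_author,comment_author_email,comment_author_url,comment_author_IP,comment_date,comment_content) VALUES ('$comment_post_ID','$comment_author','$comment_author_email','$comment_author_url','$comment_author_IP','$comment_date','$comment_content')";
 $result3 = $wpdb->query($sql3);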
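Review bot: In the `@@ -147,18` hunk `$post_author` is escaped by `trim($wpdb->escape($postinfo[1]))` and then escaped again for `$user_login` and `$user_nickname` via `$wpdb->escape($post_author)`, so a name with a quote or backslash is inserted double-escaped and the `user_login = '$post_author'` lookup will not match it on a re-import. Drop the second escape: `$user_login=$post_author;` and `$user_nickname=$post_author;`. The INSERT on the following line also stores `$pass1`, the literal `"password"`, directly in `user_pass` with no hashing, so every deleted-author placeholder account ends up with the same known credential; a random value would be the safer default. The import loop starts and ends outside these hunks.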
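--- a/wp-admin/import-livejournal.php
+++ b/wp-admin/import-livejournal.php
@@ -82,7 +82,7 @@
 echo "<li>Importing post... ";
 preg_match('|<subject>(.*?)</subject>|is', $post, $title);
-$title = addslashes( trim($title[1]) );
+$title = $wpdb->escape( trim($title[1]) );
 $post_name = sanitize_title($title);
 preg_match('|<eventtime>(.*?)</eventtime>|is', $post, $date);
@@ -92,7 +92,7 @@
 preg_match('|<event>(.*?)</event>|is', $post, $content);
-$content = str_replace( array('<![CDATA[', ']]>'), '', addslashes( trim($content[1]) ) );
+$content = str_replace( array('<![CDATA[', ']]>'), '', $wpdb->escape( trim($content[1]) ) );
 // Now lets put it in the DB
 if ($wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$title' AND post_date = '$post_date'")) :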
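Review bot: `$post_name = sanitize_title($title);` on the line after `$title = $wpdb->escape( trim($title[1]) );` derives the slug from the SQL-escaped string, so the backslashes the escaper inserts become input to the slug; escape as the last step before the query instead: `$title = trim($title[1]); $post_name = sanitize_title($title); $title = $wpdb->escape($title);`. Whether the slug actually changes depends on how `sanitize_title` treats a backslash, which is not visible here. `$title[1]` is also read without checking that `preg_match` found a `<subject>`, so an entry without one produces an undefined-index notice and an empty title. The per-post loop continues outside the hunks.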
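--- a/wp-admin/import-mt.php
+++ b/wp-admin/import-mt.php
@@ -206,7 +206,7 @@ function checkauthor($author) {
 // We want the excerpt
 preg_match("|-----\nEXCERPT:(.*)|s", $post, $excerpt);
- $excerpt = addslashes(trim($excerpt[1]));
+ $excerpt = $wpdb->escape(trim($excerpt[1]));
 $post = preg_replace("|(-----\nEXCERPT:.*)|s", '', $post);
 // We're going to put extended body into main body with a more tag
@@ -218,7 +218,7 @@ function checkauthor($author) {
 // Now for the main body
 preg_match("|-----\nBODY:(.*)|s", $post, $body);
 $body = trim($body[1]);
- $post_content = addslashes($body . $extended);
+ $post_content = $wpdb->escape($body . $extended);
 $post = preg_replace("|(-----\nBODY:.*)|s", '', $post);
 // Grab the metadata from what's left
@@ -235,7 +235,7 @@ function checkauthor($author) {
 $post_author = $value;
 break;
 case 'TITLE':
- $post_title = addslashes($value);
+ $post_title = $wpdb->escape($value);
 echo '<i>'.stripslashes($post_title).'</i>... ';
 $post_name = sanitize_title($post_title);
 break;
@@ -264,10 +264,10 @@ function checkauthor($author) {
 }
 break;
 case 'PRIMARY CATEGORY':
- $post_categories[] = addslashes($value);
+ $post_categories[] = $wpdb->escape($value);
 break;
 case 'CATEGORY':
- $post_categories[] = addslashes($value);
+ $post_categories[] = $wpdb->escape($value);
 break;
 case 'DATE':
 $post_date = strtotime($value);
@@ -323,11 +323,11 @@ function checkauthor($author) {
 if ('' != trim($comment)) {
 // Author
 preg_match("|AUTHOR:(.*)|", $comment, $comment_author);
- $comment_author = addslashes(trim($comment_author[1]));
+ $comment_author = $wpdb->escape(trim($comment_author[1]));
 $comment = preg_replace('|(\n?AUTHOR:.*)|', '', $comment);
 preg_match("|EMAIL:(.*)|", $comment, $comment_email);
- $comment_email = addslashes(trim($comment_email[1]));
+ $comment_email = $wpdb->escape(trim($comment_email[1]));
 $comment = preg_replace('|(\n?EMAIL:.*)|', '', $comment);
 preg_match("|IP:(.*)|", $comment, $comment_ip);
@@ -335,7 +335,7 @@ function checkauthor($author) {
 $comment = preg_replace('|(\n?IP:.*)|', '', $comment);
 preg_match("|URL:(.*)|", $comment, $comment_url);
- $comment_url = addslashes(trim($comment_url[1]));
+ $comment_url = $wpdb->escape(trim($comment_url[1]));
 $comment = preg_replace('|(\n?URL:.*)|', '', $comment);
 preg_match("|DATE:(.*)|", $comment, $comment_date);
@@ -343,7 +343,7 @@ function checkauthor($author) {
 $comment_date = date('Y-m-d H:i:s', strtotime($comment_date));
 $comment = preg_replace('|(\n?DATE:.*)|', '', $comment);
- $comment_content = addslashes(trim($comment));
+ $comment_content = $wpdb->escape(trim($comment));
 $comment_content = str_replace('-----', '', $comment_content);
 // Check if it's already there
@@ -364,7 +364,7 @@ function checkauthor($author) {
 if ('' != trim($ping)) {
 // 'Author'
 preg_match("|BLOG NAME:(.*)|", $ping, $comment_author);
- $comment_author = addslashes(trim($comment_author[1]));
+ $comment_author = $wpdb->escape(trim($comment_author[1]));
 $ping = preg_replace('|(\n?BLOG NAME:.*)|', '', $ping);
 $comment_email = '';
@@ -374,7 +374,7 @@ function checkauthor($author) {
 $ping = preg_replace('|(\n?IP:.*)|', '', $ping);
 preg_match("|URL:(.*)|", $ping, $comment_url);
- $comment_url = addslashes(trim($comment_url[1]));
+ $comment_url = $wpdb->escape(trim($comment_url[1]));
 $ping = preg_replace('|(\n?URL:.*)|', '', $ping);
 preg_match("|DATE:(.*)|", $ping, $comment_date);
@@ -383,10 +383,10 @@ function checkauthor($author) {
 $ping = preg_replace('|(\n?DATE:.*)|', '', $ping);
 preg_match("|TITLE:(.*)|", $ping, $ping_title);
- $ping_title = addslashes(trim($ping_title[1]));
+ $ping_title = $wpdb->escape(trim($ping_title[1]));
 $ping = preg_replace('|(\n?TITLE:.*)|', '', $ping);
- $comment_content = addslashes(trim($ping));
+ $comment_content = $wpdb->escape(trim($ping));
 $comment_content = str_replace('-----', '', $comment_content);
 $comment_content = "<strong>$ping_title</strong>\n\n$comment_content";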
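Review bot: In the `case 'TITLE':` hunk, `echo '<i>'.stripslashes($post_title).'</i>... ';` writes the imported title into the admin page with only the SQL escaping removed, so a title carrying `<script>` in the MT export is rendered as markup for whoever runs the import; escape for HTML at the output site, e.g. `echo '<i>'.wp_specialchars($value).'</i>... ';`. The next line, `$post_name = sanitize_title($post_title);`, then builds the slug from the escaped string, which carries the escaper's backslashes; compute it from `$value` before escaping. The parse loop these hunks sit in starts and ends outside the diff.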
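--- a/wp-admin/import-rss.php
+++ b/wp-admin/import-rss.php
@@ -87,7 +87,7 @@ function unhtmlentities($string) { // From php.net for < 4.3 compat
 echo "<li>Importing post... ";
 preg_match('|<title>(.*?)</title>|is', $post, $title);
-$title = addslashes( trim($title[1]) );
+$title = $wpdb->escape( trim($title[1]) );
 $post_name = sanitize_title($title);
 preg_match('|<pubdate>(.*?)</pubdate>|is', $post, $date);
@@ -112,11 +112,11 @@ function unhtmlentities($string) { // From php.net for < 4.3 compat
 endif;
 preg_match('|<guid.+?>(.*?)</guid>|is', $post, $guid);
-if ($guid) $guid = addslashes( trim($guid[1]) );
+if ($guid) $guid = $wpdb->escape( trim($guid[1]) );
 else $guid = '';
 preg_match('|<content:encoded>(.*?)</content:encoded>|is', $post, $content);
-$content = str_replace( array('<![CDATA[', ']]>'), '', addslashes( trim($content[1]) ) );
+$content = str_replace( array('<![CDATA[', ']]>'), '', $wpdb->escape( trim($content[1]) ) );
 if (!$content) : // This is for feeds that put content in description
 preg_match('|<description>(.*?)</description>|is', $post, $content);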
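Review bot: As in the LiveJournal importer, `$post_name = sanitize_title($title);` runs on the already SQL-escaped `$title`, so any backslash inserted by `$wpdb->escape` is part of the slug input; trim, derive the slug, then escape: `$title = trim($title[1]); $post_name = sanitize_title($title); $title = $wpdb->escape($title);`. `$title[1]` and `$content[1]` are read without checking the `preg_match` result, so an item with no `<title>` or `<content:encoded>` produces notices rather than a clean skip. The per-item loop continues outside the hunks.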
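--- a/wp-admin/import-textpattern.php
+++ b/wp-admin/import-textpattern.php
@@ -98,8 +98,8 @@
 $timestamp = mktime($hour, $minute, $second, $month, $day, $year);
 $posted = date('Y-m-d H:i:s', $timestamp);
- $content = addslashes($post['Body_html']);
- $title = addslashes($post['Title']);
+ $content = $wpdb->escape($post['Body_html']);
+ $title = $wpdb->escape($post['Title']);
 $post_name = sanitize_title($title);
 $wpdb->query("INSERT INTO $wpdb->posts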
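Review bot: `$post_name = sanitize_title($title);` takes the escaped `$title`, so the slug is computed from a string that may already carry SQL backslashes; derive it from the raw value and escape afterwards: `$post_name = sanitize_title($post['Title']); $title = $wpdb->escape($post['Title']);`. The INSERT that consumes `$title`, `$content` and `$post_name` continues outside the hunk, so whether `$post_name` is escaped there is not visible.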
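--- a/wp-admin/install.php
+++ b/wp-admin/install.php
@@ -143,7 +143,7 @@
 $wpdb->query("UPDATE $wpdb->options SET option_value = '$admin_email' WHERE option_name = 'admin_email'");
 // Now drop in some default links
-$wpdb->query("INSERT INTO $wpdb->linkcategories (cat_id, cat_name) VALUES (1, '".addslashes(__('Blogroll'))."')");
+$wpdb->query("INSERT INTO $wpdb->linkcategories (cat_id, cat_name) VALUES (1, '".$wpdb->escape(__('Blogroll'))."')");
 $wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_category, link_rss) VALUES ('http://blog.carthik.net/index.php', 'Carthik', 1, 'http://blog.carthik.net/feed/');");
 $wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_category, link_rss) VALUES ('http://blogs.linux.ie/xeer/', 'Donncha', 1, 'http://blogs.linux.ie/xeer/feed/');");
 $wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_category, link_rss) VALUES ('http://zengun.org/weblog/', 'Michel', 1, 'http://zengun.org/weblog/feed/');");
@@ -154,21 +154,21 @@
 $wpdb->query("INSERT INTO $wpdb->links (link_url, link_name, link_category, link_rss) VALUES ('http://dougal.gunters.org/', 'Dougal', 1, 'http://dougal.gunters.org/feed/');");
 // Default category
-$wpdb->query("INSERT INTO $wpdb->categories (cat_ID, cat_name, category_nicename) VALUES ('0', '".addslashes(__('Uncategorized'))."', '".sanitize_title(__('Uncategorized'))."')");
+$wpdb->query("INSERT INTO $wpdb->categories (cat_ID, cat_name, category_nicename) VALUES ('0', '".$wpdb->escape(__('Uncategorized'))."', '".sanitize_title(__('Uncategorized'))."')");
 // First post
 $now = date('Y-m-d H:i:s');
 $now_gmt = gmdate('Y-m-d H:i:s');
-$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt) VALUES ('1', '$now', '$now_gmt', '".addslashes(__('Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!'))."', '".addslashes(__('Hello world!'))."', '0', '".addslashes(__('hello-world'))."', '$now', '$now_gmt')");
+$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt) VALUES ('1', '$now', '$now_gmt', '".$wpdb->escape(__('Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!'))."', '".$wpdb->escape(__('Hello world!'))."', '0', '".$wpdb->escape(__('hello-world'))."', '$now', '$now_gmt')");
 $wpdb->query( "INSERT INTO $wpdb->post2cat (`rel_id`, `post_id`, `category_id`) VALUES (1, 1, 1)" );
 // Default comment
-$wpdb->query("INSERT INTO $wpdb->comments (comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_date, comment_date_gmt, comment_content) VALUES ('1', '".addslashes(__('Mr WordPress'))."', '', 'http://wordpress.org', '$now', '$now_gmt', '".addslashes(__('Hi, this is a comment.<br />To delete a comment, just log in, and view the posts\' comments, there you will have the option to edit or delete them.'))."')");
+$wpdb->query("INSERT INTO $wpdb->comments (comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_date, comment_date_gmt, comment_content) VALUES ('1', '".$wpdb->escape(__('Mr WordPress'))."', '', 'http://wordpress.org', '$now', '$now_gmt', '".$wpdb->escape(__('Hi, this is a comment.<br />To delete a comment, just log in, and view the posts\' comments, there you will have the option to edit or delete them.'))."')");
 // First Page
-$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt, post_status) VALUES ('1', '$now', '$now_gmt', '".addslashes(__('This is an example of a WordPress page, you could edit this to put information about yourself or your site so readers know where you are coming from. You can create as many pages like this one or sub-pages as you like and manage all of your content inside of WordPress.'))."', '".addslashes(__('About'))."', '0', '".addslashes(__('about'))."', '$now', '$now_gmt', 'static')");
+$wpdb->query("INSERT INTO $wpdb->posts (post_author, post_date, post_date_gmt, post_content, post_title, post_category, post_name, post_modified, post_modified_gmt, post_status) VALUES ('1', '$now', '$now_gmt', '".$wpdb->escape(__('This is an example of a WordPress page, you could edit this to put information about yourself or your site so readers know where you are coming from. You can create as many pages like this one or sub-pages as you like and manage all of your content inside of WordPress.'))."', '".$wpdb->escape(__('About'))."', '0', '".$wpdb->escape(__('about'))."', '$now', '$now_gmt', 'static')");
 // Set up admin user
 $random_password = substr(md5(uniqid(microtime())), 0, 6);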
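Review bot: The `$random_password = substr(md5(uniqid(microtime())), 0, 6);` context line closing this hunk gives the first admin account six hex characters (24 bits) derived only from the install time, which someone who knows roughly when the site was set up can enumerate. Use a longer value mixed with additional entropy, e.g. `substr(md5(uniqid(mt_rand(), true)), 0, 12)`, or an OS-backed random source if the PHP versions this release targets provide one. The escaped values above it are translated constants, so the `$wpdb->escape` substitutions themselves are fine. The install script continues outside the hunk.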
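--- a/wp-admin/link-categories.php
+++ b/wp-admin/link-categories.php
@@ -60,9 +60,9 @@
 if ($sort_desc != 'Y') {
 $sort_desc = 'N';
 }
- $text_before_link = addslashes($_POST['text_before_link']);
- $text_after_link = addslashes($_POST['text_after_link']);
- $text_after_all = addslashes($_POST['text_after_all']);
+ $text_before_link = $_POST['text_before_link'];
+ $text_after_link = $_POST['text_after_link'];
+ $text_after_all = $_POST['text_after_all'];
 $list_limit = $_POST['list_limit'];
 if ($list_limit == '')
@@ -238,9 +238,9 @@
 if ($sort_desc != 'Y') {
 $sort_desc = 'N';
 }
- $text_before_link = addslashes($_POST["text_before_link"]);
- $text_after_link = addslashes($_POST["text_after_link"]);
- $text_after_all = addslashes($_POST["text_after_all"]);
+ $text_before_link = $_POST["text_before_link"];
+ $text_after_link = $_POST["text_after_link"];
+ $text_after_all = $_POST["text_after_all"];
 $list_limit = $_POST["list_limit"];
 if ($list_limit == '')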
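Review bot: Dropping `addslashes()` around the `$_POST` reads is only correct because wp-settings.php in this same commit now escapes `$_POST` globally, and nothing at this site records that, so the next reader sees raw request data heading for a query. A comment such as `// $_POST is already escaped for SQL in wp-settings.php; do not escape again` above each block would keep a double-escape from creeping back in. `$list_limit = $_POST['list_limit'];` is numeric and, if it is interpolated unquoted further down (outside the hunk), string escaping does not protect it; casting with `$list_limit = (int) $list_limit;` after the empty-string default would.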
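--- a/wp-admin/link-import.php
+++ b/wp-admin/link-import.php
@@ -107,7 +107,7 @@
 if ('http' == substr($titles[$i], 0, 4))
 $titles[$i] = '';
 $query = "INSERT INTO $wpdb->links (link_url, link_name, link_target, link_category, link_description, link_owner, link_rss)
- VALUES('{$urls[$i]}', '".addslashes($names[$i])."', '', $cat_id, '".addslashes($descriptions[$i])."', $user_ID, '{$feeds[$i]}')\n";
+ VALUES('{$urls[$i]}', '".$wpdb->escape($names[$i])."', '', $cat_id, '".$wpdb->escape($descriptions[$i])."', $user_ID, '{$feeds[$i]}')\n";
 $result = $wpdb->query($query);
 echo sprintf(__("<p>Inserted <strong>%s</strong></p>"), $names[$i]);
 }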
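Review bot: In the same INSERT, `'{$urls[$i]}'` and `'{$feeds[$i]}'` are interpolated without `$wpdb->escape` while `$names[$i]` and `$descriptions[$i]` now get it; all four presumably come from the same uploaded link file, so a URL containing a quote breaks or alters the statement unless `$urls`/`$feeds` were escaped before this hunk. Give them the same treatment: `VALUES('".$wpdb->escape($urls[$i])."', '".$wpdb->escape($names[$i])."', '', $cat_id, '".$wpdb->escape($descriptions[$i])."', $user_ID, '".$wpdb->escape($feeds[$i])."')`. The `echo sprintf(...)` on the next line also prints `$names[$i]` into HTML unescaped. The enclosing loop starts outside the hunk.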
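--- a/wp-admin/update-links.php
+++ b/wp-admin/update-links.php
@@ -36,8 +36,8 @@
 $returns = explode("\n", $body);
 foreach ($returns as $return) :
- $time = addslashes( substr($return, 0, 19) );
- $uri = addslashes( preg_replace('/(.*?) | (.*?)/', '$2', $return) );
+ $time = $wpdb->escape( substr($return, 0, 19) );
+ $uri = $wpdb->escape( preg_replace('/(.*?) | (.*?)/', '$2', $return) );
 $wpdb->query("UPDATE $wpdb->links SET link_updated = '$time' WHERE link_url = '$uri'");
 endforeach;
 }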
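Review bot: `preg_replace('/(.*?) | (.*?)/', '$2', $return)` reads as if `$2` captures the URI, but the trailing lazy `(.*?)` always matches the empty string, so `$2` is empty and the line only works because everything after the first ` | ` is left untouched by the replacement. A clearer equivalent for well-formed `time | url` lines is `$uri = $wpdb->escape( substr($return, strpos($return, ' | ') + 3) );`, or `list(, $uri) = explode(' | ', $return, 2);` followed by the escape. A line without ` | ` behaves differently under each form (the current code keeps the whole line), so add a guard if that case occurs in the response body, whose format is not visible here. The enclosing function starts outside the hunk.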
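--- a/wp-admin/upgrade-functions.php
+++ b/wp-admin/upgrade-functions.php
@@ -221,23 +221,23 @@ function upgrade_160() {
 $users = $wpdb->get_results("SELECT * FROM $wpdb->users");
 foreach ( $users as $user ) :
 if ( !empty( $user->user_firstname ) )
- update_usermeta( $user->ID, 'first_name', addslashes($user->user_firstname) );
+ update_usermeta( $user->ID, 'first_name', $wpdb->escape($user->user_firstname) );
 if ( !empty( $user->user_lastname ) )
- update_usermeta( $user->ID, 'last_name', addslashes($user->user_lastname) );
+ update_usermeta( $user->ID, 'last_name', $wpdb->escape($user->user_lastname) );
 if ( !empty( $user->user_nickname ) )
- update_usermeta( $user->ID, 'nickname', addslashes($user->user_nickname) );
+ update_usermeta( $user->ID, 'nickname', $wpdb->escape($user->user_nickname) );
 if ( !empty( $user->user_level ) )
 update_usermeta( $user->ID, $table_prefix . 'user_level', $user->user_level );
 if ( !empty( $user->user_icq ) )
- update_usermeta( $user->ID, 'icq', addslashes($user->user_icq) );
+ update_usermeta( $user->ID, 'icq', $wpdb->escape($user->user_icq) );
 if ( !empty( $user->user_aim ) )
- update_usermeta( $user->ID, 'aim', addslashes($user->user_aim) );
+ update_usermeta( $user->ID, 'aim', $wpdb->escape($user->user_aim) );
 if ( !empty( $user->user_msn ) )
- update_usermeta( $user->ID, 'msn', addslashes($user->user_msn) );
+ update_usermeta( $user->ID, 'msn', $wpdb->escape($user->user_msn) );
 if ( !empty( $user->user_yim ) )
- update_usermeta( $user->ID, 'yim', addslashes($user->user_icq) );
+ update_usermeta( $user->ID, 'yim', $wpdb->escape($user->user_icq) );
 if ( !empty( $user->user_description ) )
- update_usermeta( $user->ID, 'description', addslashes($user->user_description) );
+ update_usermeta( $user->ID, 'description', $wpdb->escape($user->user_description) );
 if ( !isset( $user->user_idmode ) ):
 $idmode = $user->user_idmode;
@@ -248,7 +248,7 @@ function upgrade_160() {
 if ($idmode == 'namefl') $id = $user->user_firstname.' '.$user->user_lastname;
 if ($idmode == 'namelf') $id = $user->user_lastname.' '.$user->user_firstname;
 if (!$idmode) $id = $user->user_nickname;
- $id = addslashes( $id );
+ $id = $wpdb->escape( $id );
 $wpdb->query("UPDATE $wpdb->users SET display_name = '$id' WHERE ID = '$user->ID'");
 endif;
 endforeach;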
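Review bot: `update_usermeta( $user->ID, 'yim', $wpdb->escape($user->user_icq) );` stores the ICQ value under the `yim` key while the guard on the line above tests `$user->user_yim`, so every user's YIM handle is dropped during the upgrade and replaced by their ICQ number. The intended line is `update_usermeta( $user->ID, 'yim', $wpdb->escape($user->user_yim) );`; the bug predates this commit, but the line is being touched now. The `if ( !isset( $user->user_idmode ) ):` context line a few lines down also looks inverted, since the branch reads `$user->user_idmode` only when it is unset; confirm against the rest of `upgrade_160()`, which continues outside the hunks.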
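--- a/wp-comments-post.php
+++ b/wp-comments-post.php
@@ -24,9 +24,9 @@
 // If the user is logged in
 get_currentuserinfo();
 if ( $user_ID ) :
- $comment_author = addslashes($user_identity);
- $comment_author_email = addslashes($user_email);
- $comment_author_url = addslashes($user_url);
+ $comment_author = $wpdb->escape($user_identity);
+ $comment_author_email = $wpdb->escape($user_email);
+ $comment_author_url = $wpdb->escape($user_url);
 else :
 if ( get_option('comment_registration') )
 die( __('Sorry, you must be logged in to post a comment.') );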
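--- a/wp-includes/comment-functions.php
+++ b/wp-includes/comment-functions.php
@@ -13,8 +13,8 @@ function comments_template( $file = '/comments.php' ) {
 if ( empty($comment_author) ) {
 $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND comment_approved = '1' ORDER BY comment_date");
 } else {
- $author_db = addslashes($comment_author);
- $email_db = addslashes($comment_author_email);
+ $author_db = $wpdb->escape($comment_author);
+ $email_db = $wpdb->escape($comment_author_email);
 $comments = $wpdb->get_results("SELECT * FROM $wpdb->comments WHERE comment_post_ID = '$post->ID' AND ( comment_approved = '1' OR ( comment_author = '$author_db' AND comment_author_email = '$email_db' AND comment_approved = '0' ) ) ORDER BY comment_date");
 }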
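Review bot: `$author_db = $wpdb->escape($comment_author);` double-escapes if `$comment_author` and `$comment_author_email` are populated straight from `$_COOKIE`, which wp-settings.php in this same commit now escapes before any script runs; a commenter whose name contains an apostrophe would then never see their own pending comments. Where the two variables are set is outside the hunk, so confirm their source; if they come unmodified from the cookie, drop the escape here or escape a copy of the raw value. A one-line comment at this site stating where `$comment_author` originates and whether it is already escaped would settle the question for the next reader. `comments_template()` continues outside the hunk.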
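--- a/wp-includes/functions-formatting.php
+++ b/wp-includes/functions-formatting.php
@@ -523,10 +523,13 @@ function trailingslashit($string) {
 }
 function addslashes_gpc($gpc) {
- if (!get_magic_quotes_gpc()) {
- $gpc = addslashes($gpc);
+ global $wpdb;
+
+ if (get_magic_quotes_gpc()) {
+ $gpc = stripslashes($gpc);
 }
- return $gpc;
+
+ return $wpdb->escape($gpc);
 }
 function antispambot($emailaddy, $mailto=0) {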
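Review bot: `addslashes_gpc()` now strips magic-quote slashes and then applies `$wpdb->escape()`, so its name and the absence of any doc comment are misleading: it is a SQL escape for a single request value, not an `addslashes` wrapper, and calling it on a value that wp-settings.php has already escaped will double-escape. Add a header comment along the lines of `// SQL-escape one GPC value. Strips magic_quotes_gpc slashes first so the value is escaped exactly once; do not call on data already escaped by wp-settings.php.` The new `global $wpdb` also means the function can no longer be used before the database object exists, which is worth a word in the same comment.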
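--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -843,7 +843,7 @@ function do_enclose( $content, $post_ID ) {
 if ( $url != '' && !$wpdb->get_var("SELECT post_id FROM $wpdb->postmeta WHERE post_id = '$post_ID' AND meta_key = 'enclosure' AND meta_value LIKE ('$url%')") ) {
 if ( $headers = wp_get_http_headers( $url) ) {
 $len = (int) $headers['content-length'];
- $type = addslashes( $headers['content-type'] );
+ $type = $wpdb->escape( $headers['content-type'] );
 $allowed_types = array( 'video', 'audio' );
 if( in_array( substr( $type, 0, strpos( $type, "/" ) ), $allowed_types ) ) {
 $meta_value = "$url\n$len\n$type\n";
@@ -1882,11 +1882,13 @@ function load_template($file) {
 }
 function add_magic_quotes($array) {
+ global $wpdb;
+
 foreach ($array as $k => $v) {
 if (is_array($v)) {
 $array[$k] = add_magic_quotes($v);
 } else {
- $array[$k] = $wpdb->escape($v);
+ $array[$k] = $wpdb->escape($v);
 }
 }
 return $array;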
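Review bot: In the `do_enclose()` hunk, `$url` goes into `meta_value LIKE ('$url%')` and into `$meta_value` with no `$wpdb->escape`, while only `$headers['content-type']` gets one; the enclosure URL is extracted from post content, so unless it is escaped before this hunk a quote in it changes the query, and `%`/`_` act as wildcards regardless. Escape it once before use, e.g. `$url_db = $wpdb->escape($url);` and put `$url_db` in the LIKE. `strpos( $type, "/" )` also returns `false` for a Content-Type without a slash, which makes `substr()` yield `''` and silently fail the `in_array` check; acceptable, but a comment should say so. `do_enclose()` starts and ends outside the hunk.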
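--- a/wp-settings.php
+++ b/wp-settings.php
@@ -136,13 +136,20 @@ function timer_start() {
 // Pull in locale data after loading text domain.
 require_once(ABSPATH . WPINC . '/locale.php');
-if ( !get_magic_quotes_gpc() ) {
- $_GET = add_magic_quotes($_GET );
- $_POST = add_magic_quotes($_POST );
- $_COOKIE = add_magic_quotes($_COOKIE);
- $_SERVER = add_magic_quotes($_SERVER);
+// If already slashed, strip.
+if ( get_magic_quotes_gpc() ) {
+ $_GET = stripslashes($_GET );
+ $_POST = stripslashes($_POST );
+ $_COOKIE = stripslashes($_COOKIE);
+ $_SERVER = stripslashes($_SERVER);
 }
+// Escape with wpdb.
+$_GET = add_magic_quotes($_GET );
+$_POST = add_magic_quotes($_POST );
+$_COOKIE = add_magic_quotes($_COOKIE);
+$_SERVER = add_magic_quotes($_SERVER);
+
 function shutdown_action_hook() {
 do_action('shutdown');
 }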
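Review bot: `$_GET = stripslashes($_GET );` and the three lines after it hand whole arrays to `stripslashes()`, which takes a string; on a server with `magic_quotes_gpc` on, the arrays are not stripped element-wise and, depending on PHP version, the call either warns and returns `NULL` or coerces the array to the string `"Array"`, after which `add_magic_quotes()` has nothing to iterate and every request loses its GET, POST and cookie data. Strip recursively with a helper shaped like `add_magic_quotes()` in functions.php, and call it in place of the four bare `stripslashes()` calls. Note also that `$_SERVER` is now SQL-escaped for every request, so any code reading e.g. `REQUEST_URI` for non-query purposes will see added backslashes; that is pre-existing behaviour when magic quotes were off, but it is now unconditional.
```php
// Recursively strip magic-quote slashes; stripslashes() itself only accepts a string.
function stripslashes_gpc_deep($value) {
	if (is_array($value)) {
		foreach ($value as $k => $v)
			$value[$k] = stripslashes_gpc_deep($v);
		return $value;
	}
	return stripslashes($value);
}

// If already slashed, strip.
if ( get_magic_quotes_gpc() ) {
	$_GET = stripslashes_gpc_deep($_GET );
	$_POST = stripslashes_gpc_deep($_POST );
	$_COOKIE = stripslashes_gpc_deep($_COOKIE);
	$_SERVER = stripslashes_gpc_deep($_SERVER);
}
// … unchanged: add_magic_quotes() calls …
```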
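--- a/xmlrpc.php
+++ b/xmlrpc.php
@@ -1249,7 +1249,7 @@ function pingback_ping($args) {
 $context = '[...] ' . wp_specialchars( $excerpt ) . ' [...]';
 $original_pagelinkedfrom = $pagelinkedfrom;
- $pagelinkedfrom = addslashes( $pagelinkedfrom );
+ $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
 $original_title = $title;
 $comment_post_ID = $post_ID;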