
WP 3.6 compatibility fixes with slashing, fixes #1584 and #1585

Fixes LIKE escaping to use pods_sanitize_like, fixes calls to
addslashes/stripslashes to use pods_slash/pods_unslash, and changes
pods_sanitize to use wp_slash for WP 3.6 compatibility until Pods core
is properly updated to support the 3.6 change to esc_sql, which now
uses a real escape rather than a weak one.
sc0ttkclark committed Aug 3, 2013
1 parent 34a6c52 commit 49683db31247bec8eef84388b1577da9cf872849
@@ -612,7 +612,7 @@ public function rename_wp_object_type ( $object_type, $old_name, $new_name ) {
) );
}
elseif ( 'settings' == $object_type ) {
- pods_query( "UPDATE `{$wpdb->options}` SET `option_name` = REPLACE( `option_name`, %s, %s ) WHERE `option_name` LIKE '" . like_escape( $old_name ) . "_%'", array(
+ pods_query( "UPDATE `{$wpdb->options}` SET `option_name` = REPLACE( `option_name`, %s, %s ) WHERE `option_name` LIKE '" . pods_sanitize_like( $old_name ) . "_%'", array(
$new_name . '_',
$old_name . '_'
) );
@@ -1796,7 +1796,8 @@ public function save_pod ( $params, $sanitized = false, $db = true ) {
$field[ 'id_required' ] = true;
$field_data = $field;
- $field = $this->save_field( $field_data, $field_table_operation, $sanitized, $db );
+
+ $field = $this->save_field( $field_data, $field_table_operation, true, $db );
if ( true !== $db ) {
$pod[ 'fields' ][ $k ] = $field;
@@ -7287,7 +7288,7 @@ public function process_form ( $params, $obj = null, $fields = null, $thank_you
if ( 0 < $id && !empty( $thank_you ) ) {
$thank_you = str_replace( 'X_ID_X', $id, $thank_you );
- die( '<script type="text/javascript">document.location = \'' . addslashes( $thank_you ) . '\';</script>' );
+ die( '<script type="text/javascript">document.location = \'' . pods_sanitize( $thank_you ) . '\';</script>' );
}
return $id;
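Review bot: The redirect at L36 writes `$thank_you` into a JavaScript string literal, but pods_sanitize is a slash/SQL-style escaper, not a JavaScript one, so it is the wrong escaper for that context (a `</script>` sequence or a line terminator in the value is not neutralised by slashes, and per the commit message pods_sanitize now wp_slash()es, which is meant for WordPress data, not output). WordPress already ships a context-appropriate helper; the line should read `die( '<script type="text/javascript">document.location = \'' . esc_js( $thank_you ) . '\';</script>' );`. process_form's body starts and ends outside the hunk. In the save_pod hunk at L29 the `$sanitized` argument is replaced by a hard-coded `true`; a one-line comment explaining why field data is always treated as sanitised at this point would save the next reader from reverting it.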
@@ -2180,7 +2180,7 @@ public function admin_ajax () {
}
// Sanitize input
- $params = stripslashes_deep( (array) $_POST );
+ $params = pods_unslash( (array) $_POST );
foreach ( $params as $key => $value ) {
if ( 'action' == $key )
@@ -535,7 +535,7 @@ public function admin_ajax () {
}
// Sanitize input
- $params = stripslashes_deep( (array) $_POST );
+ $params = pods_unslash( (array) $_POST );
foreach ( $params as $key => $value ) {
if ( 'action' == $key )
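Review bot: The context comment `// Sanitize input` above the changed line (L43-L44) now describes a call that only removes WordPress-added slashes; pods_unslash does not validate or escape anything, so the label overstates what has happened to `$params` before the loop. Suggest `// Unslash the raw request; this is not a sanitization step` so nobody later treats `$params` as already safe for SQL or output. admin_ajax's body starts and ends outside the hunk. The same comment/call pair appears at L50-L51, L193-L194 and L254-L255.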
@@ -983,9 +983,9 @@ public function build ( $params ) {
$fieldfield = $attributes[ 'real_name' ];
if ( isset( $attributes[ 'group_related' ] ) && false !== $attributes[ 'group_related' ] )
- $having[] = "{$fieldfield} LIKE '%" . pods_sanitize( $params->search_query ) . "%'";
+ $having[] = "{$fieldfield} LIKE '%" . pods_sanitize_like( $params->search_query ) . "%'";
else
- $where[] = "{$fieldfield} LIKE '%" . pods_sanitize( $params->search_query ) . "%'";
+ $where[] = "{$fieldfield} LIKE '%" . pods_sanitize_like( $params->search_query ) . "%'";
}
}
elseif ( !empty( $params->index ) ) {
@@ -1006,9 +1006,9 @@ public function build ( $params ) {
$fieldfield = $attributes[ 'real_name' ];
if ( isset( $attributes[ 'group_related' ] ) && false !== $attributes[ 'group_related' ] )
- $having[] = "{$fieldfield} LIKE '%" . pods_sanitize( $params->search_query ) . "%'";
+ $having[] = "{$fieldfield} LIKE '%" . pods_sanitize_like( $params->search_query ) . "%'";
else
- $where[] = "{$fieldfield} LIKE '%" . pods_sanitize( $params->search_query ) . "%'";
+ $where[] = "{$fieldfield} LIKE '%" . pods_sanitize_like( $params->search_query ) . "%'";
}
if ( !empty( $where ) )
@@ -1059,7 +1059,7 @@ public function build ( $params ) {
$filterfield = $attributes[ 'real_name' ];
if ( 'pick' == $attributes[ 'type' ] ) {
- $filter_value = pods_var( 'filter_' . $field, 'get' );
+ $filter_value = pods_var_raw( 'filter_' . $field, 'get' );
if ( !is_array( $filter_value ) )
$filter_value = (array) $filter_value;
@@ -1070,12 +1070,12 @@ public function build ( $params ) {
continue;
if ( isset( $attributes[ 'group_related' ] ) && false !== $attributes[ 'group_related' ] ) {
- $having[] = "( {$filterfield} = '" . $filter_v . "'"
- . " OR {$filterfield} LIKE '%\"" . $filter_v . "\"%' )";
+ $having[] = "( {$filterfield} = '" . pods_sanitize( $filter_v ) . "'"
+ . " OR {$filterfield} LIKE '%\"" . pods_sanitize_like( $filter_v ) . "\"%' )";
}
else {
- $where[] = "( {$filterfield} = '" . $filter_v . "'"
- . " OR {$filterfield} LIKE '%\"" . $filter_v . "\"%' )";
+ $where[] = "( {$filterfield} = '" . pods_sanitize( $filter_v ) . "'"
+ . " OR {$filterfield} LIKE '%\"" . pods_sanitize_like( $filter_v ) . "\"%' )";
}
}
else {
@@ -1128,15 +1128,15 @@ public function build ( $params ) {
}
}
else {
- $filter_value = pods_var( 'filter_' . $field, 'get', '' );
+ $filter_value = pods_var_raw( 'filter_' . $field, 'get', '' );
if ( strlen( $filter_value ) < 1 )
continue;
if ( isset( $attributes[ 'group_related' ] ) && false !== $attributes[ 'group_related' ] )
- $having[] = "{$filterfield} LIKE '%" . $filter_value . "%'";
+ $having[] = "{$filterfield} LIKE '%" . pods_sanitize_like( $filter_value ) . "%'";
else
- $where[] = "{$filterfield} LIKE '%" . $filter_value . "%'";
+ $where[] = "{$filterfield} LIKE '%" . pods_sanitize_like( $filter_value ) . "%'";
}
if ( !empty( $where ) )
@@ -1847,7 +1847,7 @@ public function fetch ( $row = null, $explicit_set = true ) {
);
if ( 'slug' == $mode && !empty( $this->field_slug ) ) {
- $id = esc_sql( $id );
+ $id = pods_sanitize( $id );
$params[ 'where' ] = "`t`.`{$this->field_slug}` = '{$id}'";
}
@@ -2349,7 +2349,7 @@ public static function query_field ( $field, $q, $pod = null ) {
if ( in_array( $field_compare, array( '=', '!=', '>', '>=', '<', '<=' ) ) )
$field_query = $wpdb->prepare( $field . ' ' . $field_compare . ' ' . $field_string, $field_value );
elseif ( in_array( $field_compare, array( 'LIKE', 'NOT LIKE' ) ) )
- $field_query = $wpdb->prepare( $field . ' ' . $field_compare . ' ' . $field_string, $field_value );
+ $field_query = $field . ' ' . $field_compare . ' "%' . pods_sanitize_like( $field_value ) . '%"';
elseif ( in_array( $field_compare, array( 'IN', 'NOT IN' ) ) )
$field_query = $wpdb->prepare( $field . ' ' . $field_compare . ' ( ' . substr( str_repeat( ', ' . $field_string, count( $field_value ) ), 1 ) . ' )', $field_value );
elseif ( in_array( $field_compare, array( 'BETWEEN', 'NOT BETWEEN' ) ) )
@@ -2598,7 +2598,7 @@ function traverse_recurse ( $traverse_recurse ) {
$search = "`{$field_joined}`.`{$traverse[ 'name' ]}` = '{$val}'";
}
elseif ( 'text_like' == $this->search_mode ) {
- $val = pods_sanitize( like_escape( pods_var_raw( 'filter_' . $field_joined ) ) );
+ $val = pods_sanitize( pods_sanitize_like( pods_var_raw( 'filter_' . $field_joined ) ) );
$search = "`{$field_joined}`.`{$traverse[ 'name' ]}` LIKE '%{$val}%'";
}
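Review bot: The LIKE branch at L127 (inside query_field, whose body starts and ends outside the hunk) builds the string literal by hand with double quotes, `' "%' . pods_sanitize_like( $field_value ) . '%"'`, while every other LIKE in this file uses single-quoted literals (L58, L120, L137); on a MySQL session running with ANSI_QUOTES, double quotes denote identifiers and the query would fail. It also silently wraps the value in `%…%`, so a caller that supplied its own wildcards through the previous `$wpdb->prepare` path now gets them escaped and matched literally; if that change of meaning is intended it deserves a comment. Suggest `$field_query = $field . ' ' . $field_compare . " '%" . pods_sanitize_like( $field_value ) . "%'";`. Separately, L136 applies pods_sanitize on top of pods_sanitize_like; since this commit elsewhere replaces a bare pods_sanitize with pods_sanitize_like (L58-L62), pods_sanitize_like appears to already SQL-escape, which would make L136 escape twice and break searches containing quotes — worth confirming against the helper.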
@@ -936,7 +936,7 @@ public function save_post ( $post_id, $post, $update = null ) {
if ( !empty( $pod ) ) {
// Fix for Pods doing it's own sanitization
- $data = stripslashes_deep( $data );
+ $data = pods_unslash( (array) $data );
$pod->save( $data, null, null, array( 'is_new_item' => $is_new_item ) );
}
@@ -1069,7 +1069,7 @@ public function save_media ( $post, $attachment ) {
if ( !empty( $pod ) ) {
// Fix for Pods doing it's own sanitization
- $data = stripslashes_deep( $data );
+ $data = pods_unslash( (array) $data );
$pod->save( $data );
}
@@ -1235,7 +1235,7 @@ public function save_taxonomy ( $term_id, $term_taxonomy_id, $taxonomy ) {
if ( !empty( $pod ) ) {
// Fix for Pods doing it's own sanitization
- $data = stripslashes_deep( $data );
+ $data = pods_unslash( (array) $data );
$pod->save( $data );
}
@@ -1365,7 +1365,7 @@ public function save_user ( $user_id ) {
if ( !empty( $pod ) ) {
// Fix for Pods doing it's own sanitization
- $data = stripslashes_deep( $data );
+ $data = pods_unslash( (array) $data );
$pod->save( $data );
}
@@ -1695,7 +1695,7 @@ public function save_comment ( $comment_id ) {
if ( !empty( $pod ) ) {
// Fix for Pods doing it's own sanitization
- $data = stripslashes_deep( $data );
+ $data = pods_unslash( (array) $data );
$pod->save( $data );
}
@@ -255,7 +255,7 @@ public static function clear ( $key = true, $cache_mode = null, $group = '' ) {
if ( 'transient' == $cache_mode ) {
if ( true === $key ) {
- $group_key = like_escape( $group_key );
+ $group_key = pods_sanitize_like( $group_key );
$wpdb->query( "DELETE FROM `{$wpdb->options}` WHERE option_name LIKE '_transient_{$group_key}%'" );
@@ -267,7 +267,7 @@ public static function clear ( $key = true, $cache_mode = null, $group = '' ) {
}
elseif ( 'site-transient' == $cache_mode ) {
if ( true === $key ) {
- $group_key = like_escape( $group_key );
+ $group_key = pods_sanitize_like( $group_key );
$wpdb->query( "DELETE FROM `{$wpdb->options}` WHERE option_name LIKE '_site_transient_{$group_key}%'" );
@@ -521,7 +521,7 @@ public function admin_ajax_upload () {
}
// Sanitize input
- $params = stripslashes_deep( (array) $_POST );
+ $params = pods_unslash( (array) $_POST );
foreach ( $params as $key => $value ) {
if ( 'action' == $key )
@@ -1303,29 +1303,29 @@ private function get_object_data ( $object_params = null ) {
if ( 'admin_ajax_relationship' == $context ) {
$lookup_where = array(
- $search_data->field_index => "`t`.`{$search_data->field_index}` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'"
+ $search_data->field_index => "`t`.`{$search_data->field_index}` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'"
);
// @todo Hook into WPML for each table
if ( $wpdb->users == $search_data->table ) {
- $lookup_where[ 'display_name' ] = "`t`.`display_name` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
- $lookup_where[ 'user_login' ] = "`t`.`user_login` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
- $lookup_where[ 'user_email' ] = "`t`.`user_email` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'display_name' ] = "`t`.`display_name` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'user_login' ] = "`t`.`user_login` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'user_email' ] = "`t`.`user_email` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
}
elseif ( $wpdb->posts == $search_data->table ) {
- $lookup_where[ 'post_title' ] = "`t`.`post_title` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
- $lookup_where[ 'post_name' ] = "`t`.`post_name` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
- $lookup_where[ 'post_content' ] = "`t`.`post_content` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
- $lookup_where[ 'post_excerpt' ] = "`t`.`post_excerpt` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'post_title' ] = "`t`.`post_title` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'post_name' ] = "`t`.`post_name` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'post_content' ] = "`t`.`post_content` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'post_excerpt' ] = "`t`.`post_excerpt` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
}
elseif ( $wpdb->terms == $search_data->table ) {
- $lookup_where[ 'name' ] = "`t`.`name` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
- $lookup_where[ 'slug' ] = "`t`.`slug` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'name' ] = "`t`.`name` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'slug' ] = "`t`.`slug` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
}
elseif ( $wpdb->comments == $search_data->table ) {
- $lookup_where[ 'comment_content' ] = "`t`.`comment_content` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
- $lookup_where[ 'comment_author' ] = "`t`.`comment_author` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
- $lookup_where[ 'comment_author_email' ] = "`t`.`comment_author_email` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'comment_content' ] = "`t`.`comment_content` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'comment_author' ] = "`t`.`comment_author` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
+ $lookup_where[ 'comment_author_email' ] = "`t`.`comment_author_email` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%'";
}
$lookup_where = apply_filters( 'pods_form_ui_field_pick_autocomplete_lookup', $lookup_where, $data_params[ 'query' ], $name, $value, $options, $pod, $id, $object_params, $search_data );
@@ -1334,7 +1334,7 @@ private function get_object_data ( $object_params = null ) {
$params[ 'where' ][] = implode( ' OR ', $lookup_where );
$orderby = array();
- $orderby[] = "(`t`.`{$search_data->field_index}` LIKE '%" . like_escape( $data_params[ 'query' ] ) . "%' ) DESC";
+ $orderby[] = "(`t`.`{$search_data->field_index}` LIKE '%" . pods_sanitize_like( $data_params[ 'query' ] ) . "%' ) DESC";
$pick_orderby = pods_var_raw( 'pick_orderby', $options, null, null, true );
@@ -1369,7 +1369,7 @@ private function get_object_data ( $object_params = null ) {
if ( empty( $role ) || ( pods_clean_name( $role ) != $role && sanitize_title( $role ) != $role ) )
continue;
- $where[] = 'wp_' . ( ( is_multisite() && !is_main_site() ) ? get_current_blog_id() . '_' : '' ) . 'capabilities.meta_value LIKE "%\"' . $role . '\"%"';
+ $where[] = 'wp_' . ( ( is_multisite() && !is_main_site() ) ? get_current_blog_id() . '_' : '' ) . 'capabilities.meta_value LIKE "%\"' . pods_sanitize_like( $role ) . '\"%"';
}
if ( !empty( $where ) ) {
@@ -1569,7 +1569,7 @@ public function admin_ajax_relationship () {
}
// Sanitize input
- $params = stripslashes_deep( (array) $_POST );
+ $params = pods_unslash( (array) $_POST );
foreach ( $params as $key => $value ) {
if ( 'action' == $key )
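Review bot: `pods_sanitize_like( $data_params[ 'query' ] )` is evaluated on the same input ten times across L202-L235 and again at L242; computing it once ahead of the `$lookup_where` array, `$query_like = pods_sanitize_like( $data_params[ 'query' ] );`, and interpolating `{$query_like}` in each clause keeps the table branches readable and guarantees every clause escapes identically. get_object_data begins and ends outside the hunk. The role filter at L248 escapes a value that L245 already restricts to pods_clean_name/sanitize_title output, so the added escaping is defence in depth rather than a fix; a short comment such as `// $role is already restricted above; escaped again so the clause stays safe if that check moves` would stop a later reader from removing either check.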
@@ -324,7 +324,7 @@ public function save_meta ( $_null, $post_ID = null, $meta_key = null, $meta_val
if ( is_object( $post ) && $this->object_type == $post->post_type ) {
$postdata = array(
'ID' => $post_ID,
- 'post_content' => pods_sanitize( $meta_value )
+ 'post_content' => $meta_value
);
remove_filter( current_filter(), array( $this, __FUNCTION__ ), 10 );
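Review bot: Dropping pods_sanitize at L264 places `$meta_value` into `$postdata` unslashed; if `$postdata` is then handed to wp_update_post (the call is outside the hunk), that function expects slashed input, so backslashes in the content may be stripped on save. As far as I recall, WordPress's update_*_metadata filter, whose signature save_meta matches, delivers the value already unslashed, which is why the previous call mattered. If pods_sanitize was removed only because it now also SQL-escapes, the replacement is `'post_content' => wp_slash( $meta_value )` rather than the raw value — please confirm against the caller. The same change appears at L279 and L288.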
@@ -126,7 +126,7 @@ public static function import ( $data, $replace = false ) {
$json_data = @json_decode( $data, true );
if ( !is_array( $json_data ) )
- $json_data = @json_decode( stripslashes( $data ), true );
+ $json_data = @json_decode( pods_unslash( $data ), true );
$data = $json_data;
}
@@ -528,7 +528,7 @@ public function save_meta ( $_null, $post_ID = null, $meta_key = null, $meta_val
if ( is_object( $post ) && $this->object_type == $post->post_type ) {
$postdata = array(
'ID' => $post_ID,
- 'post_content' => pods_sanitize( $meta_value )
+ 'post_content' => $meta_value
);
remove_filter( current_filter(), array( $this, __FUNCTION__ ), 10 );
@@ -344,7 +344,7 @@ public function save_meta ( $_null, $post_ID = null, $meta_key = null, $meta_val
if ( is_object( $post ) && $this->object_type == $post->post_type ) {
$postdata = array(
'ID' => $post_ID,
- 'post_content' => pods_sanitize( $meta_value )
+ 'post_content' => $meta_value
);
remove_filter( current_filter(), array( $this, __FUNCTION__ ), 10 );
@@ -80,7 +80,7 @@
}
}
// Display the search box and submit button
-$search = empty($_GET[$this->search_var]) ? '' : stripslashes($_GET[$this->search_var]);
+$search = empty($_GET[$this->search_var]) ? '' : pods_unslash($_GET[$this->search_var]);
if (false !== $show_textbox) {
?>
<input type="text" class="pod_search" name="<?php echo esc_attr($this->search_var); ?>" value="<?php echo esc_attr($search); ?>" />
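Review bot: The changed line at L297 still gates on `empty()`, so a search for the literal string `0` is discarded before pods_unslash is ever called and the text box renders blank; the unslashing is right, the guard is not. Suggest `$search = isset($_GET[$this->search_var]) ? pods_unslash($_GET[$this->search_var]) : '';`. The template's surrounding control structure starts outside the hunk.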