Replace esc_html() with esc_sql(); See: wpsharks/comment-mail#268
kristineds committed Apr 22, 2016
1 parent 7bf6c7c commit 5180df3
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions src/includes/classes/UtilsDb.php
Expand Up @@ -268,7 +268,7 @@ public function totalUsers(array $args = [])
if (!is_null($total = &$this->cacheKey(__FUNCTION__, $cache_keys)) && !$no_cache) {
return $total; // Already cached this.
}
$sql = 'SELECT SQL_CALC_FOUND_ROWS `ID` FROM `'.esc_html($this->wp->users).'`'.
$sql = 'SELECT SQL_CALC_FOUND_ROWS `ID` FROM `'.esc_sql($this->wp->users).'`'.

' LIMIT 1'; // One to check.

Expand Down Expand Up @@ -313,7 +313,7 @@ public function allUsers(array $args = [])
return $users = []; // Fail when there are too many.
}
$sql = 'SELECT *'.// Everything please.
' FROM `'.esc_html($this->wp->users).'`'.
' FROM `'.esc_sql($this->wp->users).'`'.

($max !== PHP_INT_MAX ? ' LIMIT '.esc_sql($max) : '');

Expand Down Expand Up @@ -367,7 +367,7 @@ public function totalPosts(array $args = [])
$post_types = $include_post_types ? $include_post_types : get_post_types(['exclude_from_search' => false]);
$post_statuses = get_post_stati(['exclude_from_search' => false]);

$sql = 'SELECT SQL_CALC_FOUND_ROWS `ID` FROM `'.esc_html($this->wp->posts).'`'.
$sql = 'SELECT SQL_CALC_FOUND_ROWS `ID` FROM `'.esc_sql($this->wp->posts).'`'.

" WHERE `post_type` IN('".implode("','", array_map('esc_sql', $post_types))."')".
($exclude_post_types ? " AND `post_type` NOT IN('".implode("','", array_map('esc_sql', $exclude_post_types))."')" : '').
Expand Down Expand Up @@ -438,7 +438,7 @@ public function allPosts(array $args = [])
$post_statuses = get_post_stati(['exclude_from_search' => false]);

$sql = 'SELECT *'.// Everything please.
' FROM `'.esc_html($this->wp->posts).'`'.
' FROM `'.esc_sql($this->wp->posts).'`'.

" WHERE `post_type` IN('".implode("','", array_map('esc_sql', $post_types))."')".
($exclude_post_types ? " AND `post_type` NOT IN('".implode("','", array_map('esc_sql', $exclude_post_types))."')" : '').
Expand Down Expand Up @@ -541,7 +541,7 @@ public function totalComments($post_id, array $args = [])
if ($exclude_password_protected && $post->post_password) { // Has password?
return $total = 0; // Passwords excluded; automatic zero.
}
$sql = 'SELECT SQL_CALC_FOUND_ROWS `comment_ID` FROM `'.esc_html($this->wp->comments).'`'.
$sql = 'SELECT SQL_CALC_FOUND_ROWS `comment_ID` FROM `'.esc_sql($this->wp->comments).'`'.

" WHERE `comment_post_ID` = '".esc_sql($post_id)."'".
" AND (`comment_type` = '' OR `comment_type` = 'comment')".
Expand Down Expand Up @@ -621,7 +621,7 @@ public function allComments($post_id, array $args = [])
return $comments = []; // Fail when there are too many.
}
$sql = 'SELECT *'.// Everything please.
' FROM `'.esc_html($this->wp->comments).'`'.
' FROM `'.esc_sql($this->wp->comments).'`'.

" WHERE `comment_post_ID` = '".esc_sql($post_id)."'".
" AND (`comment_type` = '' OR `comment_type` = 'comment')".
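Review bot: The new `esc_sql()` calls in every hunk wrap a value that sits inside backticks, and esc_sql() only escapes quotes and backslashes for use in a quoted string literal — it does not neutralize a backtick, so it is not identifier escaping and does not make the `FROM` clause safe against a hostile table name. Since `$this->wp->users`, `->posts` and `->comments` appear to be the `$wpdb` table names (trusted, derived from the configured prefix), that is not exploitable here, but the call suggests a protection it does not provide; I would add a comment such as `// Table names come from $wpdb (trusted); esc_sql() does not escape identifiers.` The same reasoning applies to the unchanged `' LIMIT '.esc_sql($max)` context line in allUsers(): an unquoted numeric is not protected by string escaping, and `' LIMIT '.(int) $max` is the correct form. Each changed statement continues past its hunk, and the enclosing methods start and end outside the lines shown.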