<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[28712] trunk/src: Replace all uses of `like_escape()` with `$wpdb->esc_like()`.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://core.trac.wordpress.org/changeset/28712">28712</a></dd>
<dt>Author</dt> <dd>wonderboymusic</dd>
<dt>Date</dt> <dd>2014-06-10 00:43:32 +0000 (Tue, 10 Jun 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Replace all uses of `like_escape()` with `$wpdb->esc_like()`.
Props miqrogroove.
See <a href="http://core.trac.wordpress.org/ticket/10041">#10041</a>.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunksrcwpadminincludesclasswpmssiteslisttablephp">trunk/src/wp-admin/includes/class-wp-ms-sites-list-table.php</a></li>
<li><a href="#trunksrcwpadminincludesschemaphp">trunk/src/wp-admin/includes/schema.php</a></li>
<li><a href="#trunksrcwpadminincludestemplatephp">trunk/src/wp-admin/includes/template.php</a></li>
<li><a href="#trunksrcwpadminincludesupgradephp">trunk/src/wp-admin/includes/upgrade.php</a></li>
<li><a href="#trunksrcwpadmininstallphp">trunk/src/wp-admin/install.php</a></li>
<li><a href="#trunksrcwpadminmaintrepairphp">trunk/src/wp-admin/maint/repair.php</a></li>
<li><a href="#trunksrcwpadminnetworksitesettingsphp">trunk/src/wp-admin/network/site-settings.php</a></li>
<li><a href="#trunksrcwpadminnetworkphp">trunk/src/wp-admin/network.php</a></li>
<li><a href="#trunksrcwpincludesbookmarkphp">trunk/src/wp-includes/bookmark.php</a></li>
<li><a href="#trunksrcwpincludescanonicalphp">trunk/src/wp-includes/canonical.php</a></li>
<li><a href="#trunksrcwpincludesclasswpxmlrpcserverphp">trunk/src/wp-includes/class-wp-xmlrpc-server.php</a></li>
<li><a href="#trunksrcwpincludescommentphp">trunk/src/wp-includes/comment.php</a></li>
<li><a href="#trunksrcwpincludesfunctionsphp">trunk/src/wp-includes/functions.php</a></li>
<li><a href="#trunksrcwpincludesmetaphp">trunk/src/wp-includes/meta.php</a></li>
<li><a href="#trunksrcwpincludesmsloadphp">trunk/src/wp-includes/ms-load.php</a></li>
<li><a href="#trunksrcwpincludespostphp">trunk/src/wp-includes/post.php</a></li>
<li><a href="#trunksrcwpincludesqueryphp">trunk/src/wp-includes/query.php</a></li>
<li><a href="#trunksrcwpincludestaxonomyphp">trunk/src/wp-includes/taxonomy.php</a></li>
<li><a href="#trunksrcwpincludesuserphp">trunk/src/wp-includes/user.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunksrcwpadminincludesclasswpmssiteslisttablephp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-admin/includes/class-wp-ms-sites-list-table.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-admin/includes/class-wp-ms-sites-list-table.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-admin/includes/class-wp-ms-sites-list-table.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -38,8 +38,6 @@
</span><span class="cx"> $s = trim($s, '*');
</span><span class="cx"> }
</span><span class="cx">
</span><del>- $like_s = esc_sql( like_escape( $s ) );
-
</del><span class="cx"> // If the network is large and a search is not being performed, show only the latest blogs with no paging in order
</span><span class="cx"> // to avoid expensive count queries.
</span><span class="cx"> if ( !$s && wp_is_large_network() ) {
</span><span class="lines">@@ -58,7 +56,8 @@
</span><span class="cx"> preg_match( '/^[0-9]{1,3}\.[0-9]{1,3}\.?$/', $s ) ||
</span><span class="cx"> preg_match( '/^[0-9]{1,3}\.$/', $s ) ) {
</span><span class="cx"> // IPv4 address
</span><del>- $reg_blog_ids = $wpdb->get_col( "SELECT blog_id FROM {$wpdb->registration_log} WHERE {$wpdb->registration_log}.IP LIKE ( '{$like_s}$wild' )" );
</del><ins>+ $sql = $wpdb->prepare( "SELECT blog_id FROM {$wpdb->registration_log} WHERE {$wpdb->registration_log}.IP LIKE %s", $wpdb->esc_like( $s ) . $wild );
+ $reg_blog_ids = $wpdb->get_col( $sql );
</ins><span class="cx">
</span><span class="cx"> if ( !$reg_blog_ids )
</span><span class="cx"> $reg_blog_ids = array( 0 );
</span><span class="lines">@@ -69,17 +68,18 @@
</span><span class="cx"> AND {$wpdb->blogs}.blog_id IN (" . implode( ', ', $reg_blog_ids ) . ")";
</span><span class="cx"> } else {
</span><span class="cx"> if ( is_numeric($s) && empty( $wild ) ) {
</span><del>- $query .= " AND ( {$wpdb->blogs}.blog_id = '{$like_s}' )";
</del><ins>+ $query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.blog_id = %s )", $s );
</ins><span class="cx"> } elseif ( is_subdomain_install() ) {
</span><del>- $blog_s = str_replace( '.' . $current_site->domain, '', $like_s );
- $blog_s .= $wild . '.' . $current_site->domain;
- $query .= " AND ( {$wpdb->blogs}.domain LIKE '$blog_s' ) ";
</del><ins>+ $blog_s = str_replace( '.' . $current_site->domain, '', $s );
+ $blog_s = $wpdb->esc_like( $blog_s ) . $wild . $wpdb->esc_like( '.' . $current_site->domain );
+ $query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.domain LIKE %s ) ", $blog_s );
</ins><span class="cx"> } else {
</span><del>- if ( $like_s != trim('/', $current_site->path) )
- $blog_s = $current_site->path . $like_s . $wild . '/';
- else
- $blog_s = $like_s;
- $query .= " AND ( {$wpdb->blogs}.path LIKE '$blog_s' )";
</del><ins>+ if ( $s != trim('/', $current_site->path) ) {
+ $blog_s = $wpdb->esc_like( $current_site->path . $s ) . $wild . $wpdb->esc_like( '/' );
+ } else {
+ $blog_s = $wpdb->esc_like( $s );
+ }
+ $query .= $wpdb->prepare( " AND ( {$wpdb->blogs}.path LIKE %s )", $blog_s );
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunksrcwpadminincludesschemaphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-admin/includes/schema.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-admin/includes/schema.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-admin/includes/schema.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -553,19 +553,21 @@
</span><span class="cx"> // The multi-table delete syntax is used to delete the transient record from table a,
</span><span class="cx"> // and the corresponding transient_timeout record from table b.
</span><span class="cx"> $time = time();
</span><del>- $wpdb->query("DELETE a, b FROM $wpdb->options a, $wpdb->options b WHERE
- a.option_name LIKE '\_transient\_%' AND
- a.option_name NOT LIKE '\_transient\_timeout\_%' AND
- b.option_name = CONCAT( '_transient_timeout_', SUBSTRING( a.option_name, 12 ) )
- AND b.option_value < $time");
</del><ins>+ $sql = "DELETE a, b FROM $wpdb->options a, $wpdb->options b
+ WHERE a.option_name LIKE %s
+ AND a.option_name NOT LIKE %s
+ AND b.option_name = CONCAT( '_transient_timeout_', SUBSTRING( a.option_name, 12 ) )
+ AND b.option_value < %d";
+ $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_transient_' ) . '%', $wpdb->esc_like( '_transient_timeout_' ) . '%', $time ) );
</ins><span class="cx">
</span><span class="cx"> if ( is_main_site() && is_main_network() ) {
</span><del>- $wpdb->query("DELETE a, b FROM $wpdb->options a, $wpdb->options b WHERE
- a.option_name LIKE '\_site\_transient\_%' AND
- a.option_name NOT LIKE '\_site\_transient\_timeout\_%' AND
- b.option_name = CONCAT( '_site_transient_timeout_', SUBSTRING( a.option_name, 17 ) )
- AND b.option_value < $time");
- }
</del><ins>+ $sql = "DELETE a, b FROM $wpdb->options a, $wpdb->options b
+ WHERE a.option_name LIKE %s
+ AND a.option_name NOT LIKE %s
+ AND b.option_name = CONCAT( '_site_transient_timeout_', SUBSTRING( a.option_name, 17 ) )
+ AND b.option_value < %d";
+ $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_site_transient_' ) . '%', $wpdb->esc_like( '_site_transient_timeout_' ) . '%', $time ) );
+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> /**
</span></span></pre></div>
<a id="trunksrcwpadminincludestemplatephp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-admin/includes/template.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-admin/includes/template.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-admin/includes/template.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -632,14 +632,14 @@
</span><span class="cx"> *
</span><span class="cx"> * @param int $limit Number of custom fields to retrieve. Default 30.
</span><span class="cx"> */
</span><del>- $limit = (int) apply_filters( 'postmeta_form_limit', 30 );
- $keys = $wpdb->get_col( "
- SELECT meta_key
</del><ins>+ $limit = apply_filters( 'postmeta_form_limit', 30 );
+ $sql = "SELECT meta_key
</ins><span class="cx"> FROM $wpdb->postmeta
</span><span class="cx"> GROUP BY meta_key
</span><del>- HAVING meta_key NOT LIKE '\_%'
</del><ins>+ HAVING meta_key NOT LIKE %s
</ins><span class="cx"> ORDER BY meta_key
</span><del>- LIMIT $limit" );
</del><ins>+ LIMIT %d";
+ $keys = $wpdb->get_col( $wpdb->prepare( $sql, $wpdb->esc_like( '_' ) . '%', $limit ) );
</ins><span class="cx"> if ( $keys ) {
</span><span class="cx"> natcasesort( $keys );
</span><span class="cx"> $meta_key_input_id = 'metakeyselect';
</span></span></pre></div>
<a id="trunksrcwpadminincludesupgradephp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-admin/includes/upgrade.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-admin/includes/upgrade.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-admin/includes/upgrade.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -465,9 +465,11 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>- $wpdb->query("UPDATE $wpdb->options SET option_value = REPLACE(option_value, 'wp-links/links-images/', 'wp-images/links/')
- WHERE option_name LIKE 'links_rating_image%'
- AND option_value LIKE 'wp-links/links-images/%'");
</del><ins>+ $sql = "UPDATE $wpdb->options
+ SET option_value = REPLACE(option_value, 'wp-links/links-images/', 'wp-images/links/')
+ WHERE option_name LIKE %s
+ AND option_value LIKE %s";
+ $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( 'links_rating_image' ) . '%', $wpdb->esc_like( 'wp-links/links-images/' ) . '%' ) );
</ins><span class="cx">
</span><span class="cx"> $done_ids = $wpdb->get_results("SELECT DISTINCT post_id FROM $wpdb->post2cat");
</span><span class="cx"> if ($done_ids) :
</span><span class="lines">@@ -1100,9 +1102,28 @@
</span><span class="cx">
</span><span class="cx"> // 3.0 screen options key name changes.
</span><span class="cx"> if ( is_main_site() && !defined('DO_NOT_UPGRADE_GLOBAL_TABLES') ) {
</span><del>- $prefix = like_escape($wpdb->base_prefix);
- $wpdb->query( "DELETE FROM $wpdb->usermeta WHERE meta_key LIKE '{$prefix}%meta-box-hidden%' OR meta_key LIKE '{$prefix}%closedpostboxes%' OR meta_key LIKE '{$prefix}%manage-%-columns-hidden%' OR meta_key LIKE '{$prefix}%meta-box-order%' OR meta_key LIKE '{$prefix}%metaboxorder%' OR meta_key LIKE '{$prefix}%screen_layout%'
- OR meta_key = 'manageedittagscolumnshidden' OR meta_key='managecategoriescolumnshidden' OR meta_key = 'manageedit-tagscolumnshidden' OR meta_key = 'manageeditcolumnshidden' OR meta_key = 'categories_per_page' OR meta_key = 'edit_tags_per_page'" );
</del><ins>+ $sql = "DELETE FROM $wpdb->usermeta
+ WHERE meta_key LIKE %s
+ OR meta_key LIKE %s
+ OR meta_key LIKE %s
+ OR meta_key LIKE %s
+ OR meta_key LIKE %s
+ OR meta_key LIKE %s
+ OR meta_key = 'manageedittagscolumnshidden'
+ OR meta_key = 'managecategoriescolumnshidden'
+ OR meta_key = 'manageedit-tagscolumnshidden'
+ OR meta_key = 'manageeditcolumnshidden'
+ OR meta_key = 'categories_per_page'
+ OR meta_key = 'edit_tags_per_page'";
+ $prefix = $wpdb->esc_like( $wpdb->base_prefix );
+ $wpdb->query( $wpdb->prepare( $sql,
+ $prefix . '%' . $wpdb->esc_like( 'meta-box-hidden' ) . '%',
+ $prefix . '%' . $wpdb->esc_like( 'closedpostboxes' ) . '%',
+ $prefix . '%' . $wpdb->esc_like( 'manage-' ) . '%' . $wpdb->esc_like( '-columns-hidden' ) . '%',
+ $prefix . '%' . $wpdb->esc_like( 'meta-box-order' ) . '%',
+ $prefix . '%' . $wpdb->esc_like( 'metaboxorder' ) . '%',
+ $prefix . '%' . $wpdb->esc_like( 'screen_layout' ) . '%'
+ ) );
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span><span class="lines">@@ -1284,11 +1305,12 @@
</span><span class="cx"> // The multi-table delete syntax is used to delete the transient record from table a,
</span><span class="cx"> // and the corresponding transient_timeout record from table b.
</span><span class="cx"> $time = time();
</span><del>- $wpdb->query("DELETE a, b FROM $wpdb->sitemeta a, $wpdb->sitemeta b WHERE
- a.meta_key LIKE '\_site\_transient\_%' AND
- a.meta_key NOT LIKE '\_site\_transient\_timeout\_%' AND
- b.meta_key = CONCAT( '_site_transient_timeout_', SUBSTRING( a.meta_key, 17 ) )
- AND b.meta_value < $time");
</del><ins>+ $sql = "DELETE a, b FROM $wpdb->sitemeta a, $wpdb->sitemeta b
+ WHERE a.meta_key LIKE %s
+ AND a.meta_key NOT LIKE %s
+ AND b.meta_key = CONCAT( '_site_transient_timeout_', SUBSTRING( a.meta_key, 17 ) )
+ AND b.meta_value < %d";
+ $wpdb->query( $wpdb->prepare( $sql, $wpdb->esc_like( '_site_transient_' ) . '%', $wpdb->esc_like ( '_site_transient_timeout_' ) . '%', $time ) );
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // 2.8
</span><span class="lines">@@ -1382,13 +1404,18 @@
</span><span class="cx"> */
</span><span class="cx"> function maybe_create_table($table_name, $create_ddl) {
</span><span class="cx"> global $wpdb;
</span><del>- if ( $wpdb->get_var("SHOW TABLES LIKE '$table_name'") == $table_name )
</del><ins>+
+ $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $table_name ) );
+
+ if ( $wpdb->get_var( $query ) == $table_name ) {
</ins><span class="cx"> return true;
</span><ins>+ }
</ins><span class="cx"> //didn't find it try to create it.
</span><span class="cx"> $wpdb->query($create_ddl);
</span><span class="cx"> // we cannot directly tell that whether this succeeded!
</span><del>- if ( $wpdb->get_var("SHOW TABLES LIKE '$table_name'") == $table_name )
</del><ins>+ if ( $wpdb->get_var( $query ) == $table_name ) {
</ins><span class="cx"> return true;
</span><ins>+ }
</ins><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunksrcwpadmininstallphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-admin/install.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-admin/install.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-admin/install.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -74,8 +74,10 @@
</span><span class="cx"> */
</span><span class="cx"> function display_setup_form( $error = null ) {
</span><span class="cx"> global $wpdb;
</span><del>- $user_table = ( $wpdb->get_var("SHOW TABLES LIKE '$wpdb->users'") != null );
</del><span class="cx">
</span><ins>+ $sql = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->users ) );
+ $user_table = ( $wpdb->get_var( $sql ) != null );
+
</ins><span class="cx"> // Ensure that Blogs appear in search engines by default
</span><span class="cx"> $blog_public = 1;
</span><span class="cx"> if ( ! empty( $_POST ) )
</span></span></pre></div>
<a id="trunksrcwpadminmaintrepairphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-admin/maint/repair.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-admin/maint/repair.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-admin/maint/repair.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -36,8 +36,10 @@
</span><span class="cx"> $tables = $wpdb->tables();
</span><span class="cx">
</span><span class="cx"> // Sitecategories may not exist if global terms are disabled.
</span><del>- if ( is_multisite() && ! $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->sitecategories'" ) )
</del><ins>+ $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->sitecategories ) );
+ if ( is_multisite() && ! $wpdb->get_var( $query ) ) {
</ins><span class="cx"> unset( $tables['sitecategories'] );
</span><ins>+ }
</ins><span class="cx">
</span><span class="cx"> /**
</span><span class="cx"> * Filter additional database tables to repair.
</span></span></pre></div>
<a id="trunksrcwpadminnetworksitesettingsphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-admin/network/site-settings.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-admin/network/site-settings.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-admin/network/site-settings.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -113,7 +113,14 @@
</span><span class="cx"> <table class="form-table">
</span><span class="cx"> <?php
</span><span class="cx"> $blog_prefix = $wpdb->get_blog_prefix( $id );
</span><del>- $options = $wpdb->get_results( "SELECT * FROM {$blog_prefix}options WHERE option_name NOT LIKE '\_%' AND option_name NOT LIKE '%user_roles'" );
</del><ins>+ $sql = "SELECT * FROM {$blog_prefix}options
+ WHERE option_name NOT LIKE %s
+ AND option_name NOT LIKE %s";
+ $query = $wpdb->prepare( $sql,
+ $wpdb->esc_like( '_' ) . '%',
+ '%' . $wpdb->esc_like( 'user_roles' )
+ );
+ $options = $wpdb->get_results( $query );
</ins><span class="cx"> foreach ( $options as $option ) {
</span><span class="cx"> if ( $option->option_name == 'default_role' )
</span><span class="cx"> $editblog_default_role = $option->option_value;
</span></span></pre></div>
<a id="trunksrcwpadminnetworkphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-admin/network.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-admin/network.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-admin/network.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -39,8 +39,11 @@
</span><span class="cx"> */
</span><span class="cx"> function network_domain_check() {
</span><span class="cx"> global $wpdb;
</span><del>- if ( $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->site'" ) )
</del><ins>+
+ $sql = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->site ) );
+ if ( $wpdb->get_var( $sql ) ) {
</ins><span class="cx"> return $wpdb->get_var( "SELECT domain FROM $wpdb->site ORDER BY id ASC LIMIT 1" );
</span><ins>+ }
</ins><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunksrcwpincludesbookmarkphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/bookmark.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/bookmark.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/bookmark.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -208,8 +208,8 @@
</span><span class="cx">
</span><span class="cx"> $search = '';
</span><span class="cx"> if ( ! empty( $r['search'] ) ) {
</span><del>- $search = esc_sql( like_escape( $r['search'] ) );
- $search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) ";
</del><ins>+ $like = '%' . $wpdb->esc_like( $r['search'] ) . '%';
+ $search = $wpdb->prepare(" AND ( (link_url LIKE %s) OR (link_name LIKE %s) OR (link_description LIKE %s) ) ", $like, $like, $like );
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> $category_query = '';
</span></span></pre></div>
<a id="trunksrcwpincludescanonicalphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/canonical.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/canonical.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/canonical.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -504,7 +504,7 @@
</span><span class="cx"> global $wpdb, $wp_rewrite;
</span><span class="cx">
</span><span class="cx"> if ( get_query_var('name') ) {
</span><del>- $where = $wpdb->prepare("post_name LIKE %s", like_escape( get_query_var('name') ) . '%');
</del><ins>+ $where = $wpdb->prepare("post_name LIKE %s", $wpdb->esc_like( get_query_var('name') ) . '%');
</ins><span class="cx">
</span><span class="cx"> // if any of post_type, year, monthnum, or day are set, use them to refine the query
</span><span class="cx"> if ( get_query_var('post_type') )
</span></span></pre></div>
<a id="trunksrcwpincludesclasswpxmlrpcserverphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/class-wp-xmlrpc-server.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/class-wp-xmlrpc-server.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/class-wp-xmlrpc-server.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -5764,7 +5764,7 @@
</span><span class="cx"> } elseif ( is_string($urltest['fragment']) ) {
</span><span class="cx"> // ...or a string #title, a little more complicated
</span><span class="cx"> $title = preg_replace('/[^a-z0-9]/i', '.', $urltest['fragment']);
</span><del>- $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", like_escape( $title ) );
</del><ins>+ $sql = $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title RLIKE %s", $title );
</ins><span class="cx"> if (! ($post_ID = $wpdb->get_var($sql)) ) {
</span><span class="cx"> // returning unknown error '0' is better than die()ing
</span><span class="cx"> return $this->pingback_error( 0, '' );
</span></span></pre></div>
<a id="trunksrcwpincludescommentphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/comment.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/comment.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/comment.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -481,11 +481,11 @@
</span><span class="cx"> * @return string
</span><span class="cx"> */
</span><span class="cx"> protected function get_search_sql( $string, $cols ) {
</span><del>- $string = esc_sql( like_escape( $string ) );
</del><ins>+ global $wpdb;
</ins><span class="cx">
</span><span class="cx"> $searches = array();
</span><span class="cx"> foreach ( $cols as $col )
</span><del>- $searches[] = "$col LIKE '%$string%'";
</del><ins>+ $searches[] = $wpdb->prepare( "$col LIKE %s", $wpdb->esc_like( $string ) );
</ins><span class="cx">
</span><span class="cx"> return ' AND (' . implode(' OR ', $searches) . ')';
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunksrcwpincludesfunctionsphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/functions.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/functions.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/functions.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -479,7 +479,7 @@
</span><span class="cx">
</span><span class="cx"> foreach ( $pung as $link_test ) {
</span><span class="cx"> if ( ! in_array( $link_test, $post_links_temp ) ) { // link no longer in post
</span><del>- $mids = $wpdb->get_col( $wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, like_escape( $link_test ) . '%') );
</del><ins>+ $mids = $wpdb->get_col( $wpdb->prepare("SELECT meta_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE %s", $post_ID, $wpdb->esc_like( $link_test ) . '%') );
</ins><span class="cx"> foreach ( $mids as $mid )
</span><span class="cx"> delete_metadata_by_mid( 'post', $mid );
</span><span class="cx"> }
</span><span class="lines">@@ -498,7 +498,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> foreach ( (array) $post_links as $url ) {
</span><del>- if ( $url != '' && !$wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE (%s)", $post_ID, like_escape( $url ) . '%' ) ) ) {
</del><ins>+ if ( $url != '' && !$wpdb->get_var( $wpdb->prepare( "SELECT post_id FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = 'enclosure' AND meta_value LIKE %s", $post_ID, $wpdb->esc_like( $url ) . '%' ) ) ) {
</ins><span class="cx">
</span><span class="cx"> if ( $headers = wp_get_http_headers( $url) ) {
</span><span class="cx"> $len = isset( $headers['content-length'] ) ? (int) $headers['content-length'] : 0;
</span></span></pre></div>
<a id="trunksrcwpincludesmetaphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/meta.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/meta.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/meta.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -1047,8 +1047,8 @@
</span><span class="cx"> } elseif ( 'BETWEEN' == substr( $meta_compare, -7) ) {
</span><span class="cx"> $meta_value = array_slice( $meta_value, 0, 2 );
</span><span class="cx"> $meta_compare_string = '%s AND %s';
</span><del>- } elseif ( 'LIKE' == substr( $meta_compare, -4 ) ) {
- $meta_value = '%' . like_escape( $meta_value ) . '%';
</del><ins>+ } elseif ( 'LIKE' == $meta_compare || 'NOT LIKE' == $meta_compare ) {
+ $meta_value = '%' . $wpdb->esc_like( $meta_value ) . '%';
</ins><span class="cx"> $meta_compare_string = '%s';
</span><span class="cx"> } else {
</span><span class="cx"> $meta_compare_string = '%s';
</span></span></pre></div>
<a id="trunksrcwpincludesmsloadphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/ms-load.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/ms-load.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/ms-load.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -397,14 +397,17 @@
</span><span class="cx">
</span><span class="cx"> $title = __( 'Error establishing a database connection' );
</span><span class="cx"> $msg = '<h1>' . $title . '</h1>';
</span><del>- if ( ! is_admin() )
</del><ins>+ if ( ! is_admin() ) {
</ins><span class="cx"> die( $msg );
</span><ins>+ }
</ins><span class="cx"> $msg .= '<p>' . __( 'If your site does not display, please contact the owner of this network.' ) . '';
</span><span class="cx"> $msg .= ' ' . __( 'If you are the owner of this network please check that MySQL is running properly and all tables are error free.' ) . '</p>';
</span><del>- if ( ! $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->site'" ) )
</del><ins>+ $query = $wpdb->prepare( "SHOW TABLES LIKE %s", $wpdb->esc_like( $wpdb->site ) );
+ if ( ! $wpdb->get_var( $query ) ) {
</ins><span class="cx"> $msg .= '<p>' . sprintf( __( '<strong>Database tables are missing.</strong> This means that MySQL is not running, WordPress was not installed properly, or someone deleted <code>%s</code>. You really should look at your database now.' ), $wpdb->site ) . '</p>';
</span><del>- else
</del><ins>+ } else {
</ins><span class="cx"> $msg .= '<p>' . sprintf( __( '<strong>Could not find site <code>%1$s</code>.</strong> Searched for table <code>%2$s</code> in database <code>%3$s</code>. Is that right?' ), rtrim( $domain . $path, '/' ), $wpdb->blogs, DB_NAME ) . '</p>';
</span><ins>+ }
</ins><span class="cx"> $msg .= '<p><strong>' . __( 'What do I do now?' ) . '</strong> ';
</span><span class="cx"> $msg .= __( 'Read the <a target="_blank" href="http://codex.wordpress.org/Debugging_a_WordPress_Network">bug report</a> page. Some of the guidelines there may help you figure out what went wrong.' );
</span><span class="cx"> $msg .= ' ' . __( 'If you’re still stuck with this message, then check that your database contains the following tables:' ) . '</p><ul>';
</span></span></pre></div>
<a id="trunksrcwpincludespostphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/post.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/post.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/post.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -4796,7 +4796,7 @@
</span><span class="cx">
</span><span class="cx"> if ( ! empty($meta['thumb']) ) {
</span><span class="cx"> // Don't delete the thumb if another attachment uses it
</span><del>- if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $meta['thumb'] . '%', $post_id)) ) {
</del><ins>+ if (! $wpdb->get_row( $wpdb->prepare( "SELECT meta_id FROM $wpdb->postmeta WHERE meta_key = '_wp_attachment_metadata' AND meta_value LIKE %s AND post_id <> %d", '%' . $wpdb->esc_like( $meta['thumb'] ) . '%', $post_id)) ) {
</ins><span class="cx"> $thumbfile = str_replace(basename($file), $meta['thumb'], $file);
</span><span class="cx"> /** This filter is documented in wp-admin/custom-header.php */
</span><span class="cx"> $thumbfile = apply_filters( 'wp_delete_file', $thumbfile );
</span></span></pre></div>
<a id="trunksrcwpincludesqueryphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/query.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/query.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/query.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -1983,11 +1983,13 @@
</span><span class="cx"> $searchand = '';
</span><span class="cx"> $q['search_orderby_title'] = array();
</span><span class="cx"> foreach ( $q['search_terms'] as $term ) {
</span><del>- $term = like_escape( esc_sql( $term ) );
- if ( $n )
- $q['search_orderby_title'][] = "$wpdb->posts.post_title LIKE '%$term%'";
</del><ins>+ if ( $n ) {
+ $like = '%' . $wpdb->esc_like( $term ) . '%';
+ $q['search_orderby_title'][] = $wpdb->prepare( "$wpdb->posts.post_title LIKE %s", $like );
+ }
</ins><span class="cx">
</span><del>- $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
</del><ins>+ $like = $n . $wpdb->esc_like( $term ) . $n;
+ $search .= $wpdb->prepare( "{$searchand}(($wpdb->posts.post_title LIKE %s) OR ($wpdb->posts.post_content LIKE %s))", $like, $like );
</ins><span class="cx"> $searchand = ' AND ';
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -2086,11 +2088,11 @@
</span><span class="cx">
</span><span class="cx"> if ( $q['search_terms_count'] > 1 ) {
</span><span class="cx"> $num_terms = count( $q['search_orderby_title'] );
</span><del>- $search_orderby_s = like_escape( esc_sql( $q['s'] ) );
</del><ins>+ $like = '%' . $wpdb->esc_like( $q['s'] ) . '%';
</ins><span class="cx">
</span><span class="cx"> $search_orderby = '(CASE ';
</span><span class="cx"> // sentence match in 'post_title'
</span><del>- $search_orderby .= "WHEN $wpdb->posts.post_title LIKE '%{$search_orderby_s}%' THEN 1 ";
</del><ins>+ $search_orderby .= $wpdb->prepare( "WHEN $wpdb->posts.post_title LIKE %s THEN 1 ", $like );
</ins><span class="cx">
</span><span class="cx"> // sanity limit, sort as sentence when more than 6 terms
</span><span class="cx"> // (few searches are longer than 6 terms and most titles are not)
</span><span class="lines">@@ -2103,7 +2105,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // sentence match in 'post_content'
</span><del>- $search_orderby .= "WHEN $wpdb->posts.post_content LIKE '%{$search_orderby_s}%' THEN 4 ";
</del><ins>+ $search_orderby .= $wpdb->prepare( "WHEN $wpdb->posts.post_content LIKE %s THEN 4 ", $like );
</ins><span class="cx"> $search_orderby .= 'ELSE 5 END)';
</span><span class="cx"> } else {
</span><span class="cx"> // single word or sentence search
</span></span></pre></div>
<a id="trunksrcwpincludestaxonomyphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/taxonomy.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/taxonomy.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/taxonomy.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -1480,13 +1480,11 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if ( ! empty( $args['name__like'] ) ) {
</span><del>- $name__like = like_escape( $args['name__like'] );
- $where .= $wpdb->prepare( " AND t.name LIKE %s", '%' . $name__like . '%' );
</del><ins>+ $where .= $wpdb->prepare( " AND t.name LIKE %s", '%' . $wpdb->esc_like( $args['name__like'] ) . '%' );
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if ( ! empty( $args['description__like'] ) ) {
</span><del>- $description__like = like_escape( $args['description__like'] );
- $where .= $wpdb->prepare( " AND tt.description LIKE %s", '%' . $description__like . '%' );
</del><ins>+ $where .= $wpdb->prepare( " AND tt.description LIKE %s", '%' . $wpdb->esc_like( $args['description__like'] ) . '%' );
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if ( '' !== $parent ) {
</span><span class="lines">@@ -1517,8 +1515,8 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if ( ! empty( $args['search'] ) ) {
</span><del>- $search = like_escape( $args['search'] );
- $where .= $wpdb->prepare( ' AND ((t.name LIKE %s) OR (t.slug LIKE %s))', '%' . $search . '%', '%' . $search . '%' );
</del><ins>+ $like = '%' . $wpdb->esc_like( $args['search'] ) . '%';
+ $where .= $wpdb->prepare( ' AND ((t.name LIKE %s) OR (t.slug LIKE %s))', $like, $like );
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> $selects = array();
</span></span></pre></div>
<a id="trunksrcwpincludesuserphp"></a>
<div class="modfile"><h4>Modified: trunk/src/wp-includes/user.php (28711 => 28712)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/src/wp-includes/user.php 2014-06-10 00:29:35 UTC (rev 28711)
+++ trunk/src/wp-includes/user.php 2014-06-10 00:43:32 UTC (rev 28712)
</span><span class="lines">@@ -797,16 +797,16 @@
</span><span class="cx"> * @return string
</span><span class="cx"> */
</span><span class="cx"> protected function get_search_sql( $string, $cols, $wild = false ) {
</span><del>- $string = esc_sql( $string );
</del><ins>+ global $wpdb;
</ins><span class="cx">
</span><span class="cx"> $searches = array();
</span><span class="cx"> $leading_wild = ( 'leading' == $wild || 'both' == $wild ) ? '%' : '';
</span><span class="cx"> $trailing_wild = ( 'trailing' == $wild || 'both' == $wild ) ? '%' : '';
</span><span class="cx"> foreach ( $cols as $col ) {
</span><span class="cx"> if ( 'ID' == $col )
</span><del>- $searches[] = "$col = '$string'";
</del><ins>+ $searches[] = $wpdb->prepare( "$col = %s", $string );
</ins><span class="cx"> else
</span><del>- $searches[] = "$col LIKE '$leading_wild" . like_escape($string) . "$trailing_wild'";
</del><ins>+ $searches[] = $wpdb->prepare( "$col LIKE %s", $leading_wild . $wpdb->esc_like( $string ) . $trailing_wild );
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> return ' AND (' . implode(' OR ', $searches) . ')';
</span><span class="lines">@@ -1149,7 +1149,7 @@
</span><span class="cx"> // Build a CPU-intensive query that will return concise information.
</span><span class="cx"> $select_count = array();
</span><span class="cx"> foreach ( $avail_roles as $this_role => $name ) {
</span><del>- $select_count[] = "COUNT(NULLIF(`meta_value` LIKE '%\"" . like_escape( $this_role ) . "\"%', false))";
</del><ins>+ $select_count[] = $wpdb->prepare( "COUNT(NULLIF(`meta_value` LIKE %s, false))", '%' . $wpdb->esc_like( '"' . $this_role . '"' ) . '%');
</ins><span class="cx"> }
</span><span class="cx"> $select_count = implode(', ', $select_count);
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>