Ticket #6644: prepared_queries6.diff

File prepared_queries6.diff, 3.1 kB (added by filosofo, 5 months ago)
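--- a/wp-admin/update-links.php
+++ b/wp-admin/update-links.php
@@ -36,9 +36,9 @@
         $returns = explode("\n", $body);
 
         foreach ($returns as $return) :
-                $time = $wpdb->escape( substr($return, 0, 19) );
-                $uri = $wpdb->escape( preg_replace('/(.*?) | (.*?)/', '$2', $return) );
-                $wpdb->query("UPDATE $wpdb->links SET link_updated = '$time' WHERE link_url = '$uri'");
+                $time = substr($return, 0, 19);
+                $uri = preg_replace('/(.*?) | (.*?)/', '$2', $return);
+                $wpdb->query( $wpdb->prepare("UPDATE $wpdb->links SET link_updated = %s WHERE link_url = %s", $time, $uri) );
         endforeach;
 }
 ?>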
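Review bot: The `%s` placeholders close the quoting problem, but `$time` on the new line 39 is still whatever the first 19 characters of each response line happen to be, and it is written to `link_updated` without any check that it is a datetime; a malformed line would presumably end up as a zero or rejected date depending on the server's sql_mode rather than being skipped. A cheap guard before the query is `if ( ! preg_match( '/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/', $time ) ) continue;`. Where `$body` is fetched from, and the start of the enclosing function, are outside the hunk, so whether the response is validated upstream cannot be seen here.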
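--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -12,8 +12,7 @@
         $comments_deleted = $comments_approved = $comments_unapproved = $comments_spammed = 0;
         foreach ($_REQUEST['delete_comments'] as $comment) : // Check the permissions on each
                 $comment = (int) $comment;
-                $post_id = (int) $wpdb->get_var("SELECT comment_post_ID FROM $wpdb->comments WHERE comment_ID = $comment");
-                // $authordata = get_userdata( $wpdb->get_var("SELECT post_author FROM $wpdb->posts WHERE ID = $post_id") );
+                $post_id = (int) $wpdb->get_var( $wpdb->prepare( "SELECT comment_post_ID FROM $wpdb->comments WHERE comment_ID = %d", $comment) );
                 if ( !current_user_can('edit_post', $post_id) )
                         continue;
                 if ( !empty( $_REQUEST['spamit'] ) ) {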
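Review bot: When `comment_ID` matches no row, `get_var` returns null and the `(int)` cast on the new line 15 turns that into a `$post_id` of 0, so the capability check on the next line is evaluated against post 0 instead of the unknown id simply being skipped. Adding `if ( ! $post_id ) continue;` directly after the assignment keeps ids that no longer exist out of the branches that follow. As a point of style, this hunk writes `$wpdb->prepare( "SELECT` with a space inside the paren while the other files in the patch use `prepare("SELECT`; one form throughout would be easier to grep for. The loop body and the function around it continue outside the hunk.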
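--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -15,7 +15,7 @@
 
         if ( strstr( $s, ',' ) )
                 die; // it's a multiple tag insert, we won't find anything
-        $results = $wpdb->get_col( "SELECT name FROM $wpdb->terms WHERE name LIKE ('%$s%')" );
+        $results = $wpdb->get_col( $wpdb->prepare("SELECT name FROM $wpdb->terms WHERE name LIKE (%s)", '%' . $s . '%') );
         echo join( $results, "\n" );
         die;
 }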
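Review bot: `%s` takes care of quoting, but on the new line 18 `$s` is concatenated between the two wildcards without escaping the LIKE metacharacters, so a `%` or `_` typed by the user is still interpreted as a wildcard and widens the match (a lone `%` returns every term). Escape them before building the pattern: `$wpdb->prepare("SELECT name FROM $wpdb->terms WHERE name LIKE (%s)", '%' . addcslashes( $s, '_%\\' ) . '%')`. The query also has no LIMIT, so the list echoed back is bounded only by the size of the terms table; where `$s` is read from the request is outside the hunk.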
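--- a/wp-admin/includes/comment.php
+++ b/wp-admin/includes/comment.php
@@ -3,8 +3,8 @@
 function comment_exists($comment_author, $comment_date) {
         global $wpdb;
 
-        return $wpdb->get_var("SELECT comment_post_ID FROM $wpdb->comments
-                        WHERE comment_author = '$comment_author' AND comment_date = '$comment_date'");
+        return $wpdb->get_var( $wpdb->prepare("SELECT comment_post_ID FROM $wpdb->comments
+                        WHERE comment_author = %s AND comment_date = %s", $comment_author, $comment_date) );
 }
 
 function edit_comment() {
@@ -67,7 +67,7 @@
 function get_pending_comments_num( $post_id ) {
         global $wpdb;
         $post_id = (int) $post_id;
-        $pending = $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = $post_id AND comment_approved = '0'" );
+        $pending = $wpdb->get_var( $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '0'", $post_id) );
         return $pending;
 }
 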
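Review bot: `comment_exists` has no docblock, and its name reads as a boolean while the new line 6 returns the raw `comment_post_ID` from `get_var` (null when nothing matches), which invites callers to test the result with a loose comparison. Suggest adding above the function `/** Returns the comment_post_ID of the first comment with this author and date, or null if none exists. */`. Since `comment_date` is compared as an exact string via `%s`, the docblock should also say the date must be passed in the stored datetime format. The second hunk is fine as is; `edit_comment` appears only by its signature, its body lies outside the hunk.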