Changeset 7645

Timestamp:

04/14/08 16:13:25 (7 months ago)

Author:

ryan

Message:

Prepare DB queries in more places. Props filosofo. see #6644

Files:

• trunk/wp-admin/admin-ajax.php (modified) (1 diff)
• trunk/wp-admin/edit-comments.php (modified) (1 diff)
• trunk/wp-admin/edit-pages.php (modified) (1 diff)
• trunk/wp-admin/edit.php (modified) (1 diff)
• trunk/wp-admin/import/blogger.php (modified) (2 diffs)
• trunk/wp-admin/import/dotclear.php (modified) (2 diffs)
• trunk/wp-admin/import/textpattern.php (modified) (2 diffs)
• trunk/wp-admin/import/wp-cat2tag.php (modified) (2 diffs)
• trunk/wp-admin/includes/bookmark.php (modified) (2 diffs)
• trunk/wp-admin/includes/comment.php (modified) (2 diffs)
• trunk/wp-admin/includes/export.php (modified) (3 diffs)
• trunk/wp-admin/includes/post.php (modified) (8 diffs)
• trunk/wp-admin/includes/template.php (modified) (1 diff)
• trunk/wp-admin/includes/upgrade.php (modified) (24 diffs)
• trunk/wp-admin/includes/user.php (modified) (10 diffs)
• trunk/wp-admin/update-links.php (modified) (1 diff)
• trunk/wp-admin/upload.php (modified) (1 diff)
• trunk/wp-comments-post.php (modified) (1 diff)
• trunk/wp-includes/comment.php (modified) (11 diffs)
• trunk/wp-includes/post.php (modified) (4 diffs)
• trunk/wp-includes/taxonomy.php (modified) (4 diffs)
• trunk/wp-includes/user.php (modified) (6 diffs)
• trunk/wp-trackback.php (modified) (1 diff)
• trunk/xmlrpc.php (modified) (5 diffs)

trunk/wp-admin/admin-ajax.php

@@ -16 +16 @@
-    if ( strstr( $s, ',' ) )
-        die; // it's a multiple tag insert, we won't find anything
-"SELECT name FROM $wpdb->terms WHERE name LIKE ('%$s%')"
+$wpdb->prepare("SELECT name FROM $wpdb->terms WHERE name LIKE (%s)", '%' . $s . '%')
-    echo join( $results, "\n" );
-    die;

trunk/wp-admin/edit-comments.php

@@ -13 +13 @@
-    foreach ($_REQUEST['delete_comments'] as $comment) : // Check the permissions on each
-        $comment = (int) $comment;
-
-
+
-        if ( !current_user_can('edit_post', $post_id) )
-            continue;

trunk/wp-admin/edit-pages.php

@@ -176 +176 @@
-if ( 1 == count($posts) && is_singular() ) :
-
-"SELECT * FROM $wpdb->comments WHERE comment_post_ID = $id AND comment_approved != 'spam' ORDER BY comment_date"
+ $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved != 'spam' ORDER BY comment_date", $id) 
-    if ( $comments ) :
-        // Make sure comments, post, and post_author are cached

trunk/wp-admin/edit.php

@@ -206 +206 @@
-if ( 1 == count($posts) && is_singular() ) :
-
-"SELECT * FROM $wpdb->comments WHERE comment_post_ID = $id AND comment_approved != 'spam' ORDER BY comment_date"
+ $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved != 'spam' ORDER BY comment_date", $id) 
-    if ( $comments ) :
-        // Make sure comments, post, and post_author are cached

trunk/wp-admin/import/blogger.php

@@ -642 +642 @@
-
-        // Get an array of posts => authors
-"SELECT post_id FROM $wpdb->postmeta WHERE meta_key = 'blogger_blog' AND meta_value = '$host'"
+ $wpdb->prepare("SELECT post_id FROM $wpdb->postmeta WHERE meta_key = 'blogger_blog' AND meta_value = %s", $host) 
-        $post_ids = join( ',', $post_ids );
-        $results = (array) $wpdb->get_results("SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = 'blogger_author' AND post_id IN ($post_ids)");
@@ -659 +659 @@
-            $post_ids = join( ',', $post_ids);
-
-"UPDATE $wpdb->posts SET post_author = $user_id WHERE id IN ($post_ids)"
+ $wpdb->prepare("UPDATE $wpdb->posts SET post_author = %d WHERE id IN ($post_ids)", $user_id) 
-            $this->blogs[$importing_blog]['authors'][$author][1] = $user_id;
-        }

trunk/wp-admin/import/dotclear.php

@@ -14 +14 @@
-    {
-        global $wpdb;
-'SELECT count(*) FROM '.$wpdb->comments.' WHERE comment_post_ID = '.$post_ID
+ $wpdb->prepare("SELECT count(*) FROM $wpdb->comments WHERE comment_post_ID = %d", $post_ID) 
-    }
-}
@@ -23 +23 @@
-    {
-        global $wpdb;
-'SELECT link_id FROM '.$wpdb->links.' WHERE link_name = "'.$linkname.'"'
+ $wpdb->prepare("SELECT link_id FROM $wpdb->links WHERE link_name = %s", $linkname) 
-    }
-}

trunk/wp-admin/import/textpattern.php

@@ -9 +9 @@
-    {
-        global $wpdb;
-'SELECT count(*) FROM '.$wpdb->comments.' WHERE comment_post_ID = '.$post_ID
+ $wpdb->prepare("SELECT count(*) FROM $wpdb->comments WHERE comment_post_ID = %d", $post_ID) 
-    }
-}
@@ -18 +18 @@
-    {
-        global $wpdb;
-'SELECT link_id FROM '.$wpdb->links.' WHERE link_name = "'.$wpdb->escape($linkname).'"'
+ $wpdb->prepare("SELECT link_id FROM $wpdb->links WHERE link_name = %s", $linkname) 
-    }
-}

trunk/wp-admin/import/wp-cat2tag.php

@@ -165 +165 @@
-                    $posts = get_objects_in_term($category->term_id, 'category');
-                    foreach ( $posts as $post ) {
-"SELECT object_id FROM $wpdb->term_relationships WHERE object_id = '$post' AND term_taxonomy_id = '$id'"
-"INSERT INTO $wpdb->term_relationships (object_id, term_taxonomy_id) VALUES ('$post', '$id')"
+ $wpdb->prepare("SELECT object_id FROM $wpdb->term_relationships WHERE object_id = %d AND term_taxonomy_id = %d", $post, $id) 
+ $wpdb->prepare("INSERT INTO $wpdb->term_relationships (object_id, term_taxonomy_id) VALUES (%d, %d)", $post, $id) 
-                        clean_post_cache($post);
-                    }
-                } else {
-"SELECT term_taxonomy_id FROM $wpdb->term_taxonomy WHERE term_id = '{$category->term_id}' AND taxonomy = 'category'"
+ $wpdb->prepare("SELECT term_taxonomy_id FROM $wpdb->term_taxonomy WHERE term_id = %d AND taxonomy = 'category'", $category->term_id) 
-                    if ( $tt_ids ) {
-                        $posts = $wpdb->get_col("SELECT object_id FROM $wpdb->term_relationships WHERE term_taxonomy_id IN (" . join(',', $tt_ids) . ") GROUP BY object_id");
@@ -178 +178 @@
-
-                    // Change the category to a tag.
-"UPDATE $wpdb->term_taxonomy SET taxonomy = 'post_tag' WHERE term_id = '{$category->term_id}' AND taxonomy = 'category'"
-
-"SELECT term_id FROM $wpdb->term_taxonomy WHERE parent = '{$category->term_id}' AND taxonomy = 'category'"
+ $wpdb->prepare("UPDATE $wpdb->term_taxonomy SET taxonomy = 'post_tag' WHERE term_id = %d AND taxonomy = 'category'", $category->term_id) 
+
+ $wpdb->prepare("SELECT term_id FROM $wpdb->term_taxonomy WHERE parent = %d AND taxonomy = 'category'", $category->term_id) 
-                    foreach ( (array) $terms as $term )
-                        clean_category_cache($term);
-
-                    // Set all parents to 0 (root-level) if their parent was the converted tag
-"UPDATE $wpdb->term_taxonomy SET parent = 0 WHERE parent = '{$category->term_id}' AND taxonomy = 'category'"
+ $wpdb->prepare("UPDATE $wpdb->term_taxonomy SET parent = 0 WHERE parent = %d AND taxonomy = 'category'", $category->term_id) 
-                }
-                // Clean the cache

trunk/wp-admin/includes/bookmark.php

@@ -48 +48 @@
-    wp_delete_object_term_relationships($link_id, 'link_category');
-
-"DELETE FROM $wpdb->links WHERE link_id = '$link_id'"
+ $wpdb->prepare("DELETE FROM $wpdb->links WHERE link_id = %d", $link_id) 
-
-    do_action('deleted_link', $link_id);
@@ -120 +120 @@
-
-    if ( $update ) {
-
-
-
-
-
-
-
+
+
+
+
+
-    } else {
-
+
+
-        $link_id = (int) $wpdb->insert_id;
-    }

trunk/wp-admin/includes/comment.php

@@ -4 +4 @@
-    global $wpdb;
-
-
-'$comment_author' AND comment_date = '$comment_date'"
+ $wpdb->prepare(
+%s AND comment_date = %s", $comment_author, $comment_date) 
-}
-
@@ -68 +68 @@
-    global $wpdb;
-    $post_id = (int) $post_id;
-"SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = $post_id AND comment_approved = '0'"
+$wpdb->prepare("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '0'", $post_id)
-    return $pending;
-}

trunk/wp-admin/includes/export.php

@@ -18 +18 @@
-if ( $author and $author != 'all' ) {
-    $author_id = (int) $author;
-" WHERE post_author = '$author_id' "
+$wpdb->prepare(" WHERE post_author = %d ", $author_id)
-}
-
@@ -218 +218 @@
-<?php } ?>
-<?php
-"SELECT * FROM $wpdb->postmeta WHERE post_id = $post->ID"
+ $wpdb->prepare("SELECT * FROM $wpdb->postmeta WHERE post_id = %d", $post->ID) 
-if ( $postmeta ) {
-?>
@@ -229 +229 @@
-<?php } ?>
-<?php
-"SELECT * FROM $wpdb->comments WHERE comment_post_ID = $post->ID"
+ $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d", $post->ID) 
-if ( $comments ) { foreach ( $comments as $c ) { ?>
-<wp:comment>

trunk/wp-admin/includes/post.php

@@ -195 +195 @@
-
-    if (!empty ($post_date))
-"AND post_date = '$post_date'"
+$wpdb->prepare("AND post_date = %s", $post_date)
-
-    if (!empty ($title))
-"SELECT ID FROM $wpdb->posts WHERE post_title = '$title' $post_date"
+ $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title = %s $post_date", $title) 
-    else
-        if (!empty ($content))
-"SELECT ID FROM $wpdb->posts WHERE post_content = '$content' $post_date"
+ $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_content = %s $post_date", $content) 
-
-    return 0;
@@ -381 +381 @@
-        wp_cache_delete($post_ID, 'post_meta');
-
-
-
-
-
-
+
+
+
-        return $wpdb->insert_id;
-    }
@@ -395 +393 @@
-    $mid = (int) $mid;
-
-"SELECT post_id FROM $wpdb->postmeta WHERE meta_id = '$mid'"
+ $wpdb->prepare("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = %d", $mid) 
-    wp_cache_delete($post_id, 'post_meta');
-
-"DELETE FROM $wpdb->postmeta WHERE meta_id = '$mid'"
+$wpdb->prepare("DELETE FROM $wpdb->postmeta WHERE meta_id = %d", $mid)
-}
-
@@ -418 +416 @@
-    $mid = (int) $mid;
-
-"SELECT * FROM $wpdb->postmeta WHERE meta_id = '$mid'"
+$wpdb->prepare("SELECT * FROM $wpdb->postmeta WHERE meta_id = %d", $mid)
-    if ( is_serialized_string( $meta->meta_value ) )
-        $meta->meta_value = maybe_unserialize( $meta->meta_value );
@@ -428 +426 @@
-    global $wpdb;
-
-
-
-
-
-
+
+
+
-
-}
@@ -444 +440 @@
-        return false;
-
-"SELECT post_id FROM $wpdb->postmeta WHERE meta_id = '$mid'"
+ $wpdb->prepare("SELECT post_id FROM $wpdb->postmeta WHERE meta_id = %d", $mid) 
-    wp_cache_delete($post_id, 'post_meta');
-
@@ -450 +446 @@
-    $mvalue = $wpdb->escape( $mvalue );
-    $mid = (int) $mid;
-"UPDATE $wpdb->postmeta SET meta_key = '$mkey', meta_value = '$mvalue' WHERE meta_id = '$mid'"
+$wpdb->prepare("UPDATE $wpdb->postmeta SET meta_key = %s, meta_value = %s WHERE meta_id = %d", $mkey, $mvalue, $mid)
-}
-
@@ -503 +499 @@
-    $old_ID = (int) $old_ID;
-    $new_ID = (int) $new_ID;
-"UPDATE $wpdb->posts SET post_parent = $new_ID WHERE post_parent = $old_ID"
+$wpdb->prepare("UPDATE $wpdb->posts SET post_parent = %d WHERE post_parent = %d", $new_ID, $old_ID)
-}
-

trunk/wp-admin/includes/template.php

@@ -893 +893 @@
-function parent_dropdown( $default = 0, $parent = 0, $level = 0 ) {
-    global $wpdb, $post_ID;
-"SELECT ID, post_parent, post_title FROM $wpdb->posts WHERE post_parent = $parent AND post_type = 'page' ORDER BY menu_order"
+$wpdb->prepare("SELECT ID, post_parent, post_title FROM $wpdb->posts WHERE post_parent = %d AND post_type = 'page' ORDER BY menu_order", $parent)
-
-    if ( $items ) {

trunk/wp-admin/includes/upgrade.php

@@ -219 +219 @@
-            if ('' == $post->post_name) {
-                $newtitle = sanitize_title($post->post_title);
-"UPDATE $wpdb->posts SET post_name = '$newtitle' WHERE ID = '$post->ID'"
+ $wpdb->prepare("UPDATE $wpdb->posts SET post_name = %s WHERE ID = %d", $newtitle, $post->ID) 
-            }
-        }
@@ -228 +228 @@
-        if ('' == $category->category_nicename) {
-            $newtitle = sanitize_title($category->cat_name);
-"UPDATE $wpdb->categories SET category_nicename = '$newtitle' WHERE cat_ID = '$category->cat_ID'"
+ $wpdb->prepare("UPDATE $wpdb->categories SET category_nicename = %s WHERE cat_ID = %d", $newtitle, $category->cat_ID) 
-        }
-    }
@@ -251 +251 @@
-        foreach ($allposts as $post) {
-            // Check to see if it's already been imported
-"SELECT * FROM $wpdb->post2cat WHERE post_id = $post->ID AND category_id = $post->post_category"
+ $wpdb->("SELECT * FROM $wpdb->post2cat WHERE post_id = %d AND category_id = %d", $post->ID, $post->post_category) 
-            if (!$cat && 0 != $post->post_category) { // If there's no result
-
-
+
-                    (post_id, category_id)
-
-
-
+
+
-            }
-        }
@@ -286 +284 @@
-        if ('' == $user->user_nicename) {
-            $newname = sanitize_title($user->user_nickname);
-"UPDATE $wpdb->users SET user_nicename = '$newname' WHERE ID = '$user->ID'"
+ $wpdb->prepare("UPDATE $wpdb->users SET user_nicename = %s WHERE ID = %d", $newname, $user->ID) 
-        }
-    }
@@ -402 +400 @@
-        if ( 1 != $option->dupes ) { // Could this be done in the query?
-            $limit = $option->dupes - 1;
-"SELECT option_id FROM $wpdb->options WHERE option_name = '$option->option_name' LIMIT $limit"
+ $wpdb->prepare("SELECT option_id FROM $wpdb->options WHERE option_name = %s LIMIT %d", $option->option_name, $limit) 
-            $dupe_ids = join($dupe_ids, ',');
-            $wpdb->query("DELETE FROM $wpdb->options WHERE option_id IN ($dupe_ids)");
@@ -446 +444 @@
-            if ($idmode == 'namelf') $id = $user->user_lastname.' '.$user->user_firstname;
-            if (!$idmode) $id = $user->user_nickname;
-
-
+
-        endif;
-
@@ -469 +466 @@
-    if( is_array( $comments ) ) {
-        foreach ($comments as $comment) {
-"UPDATE $wpdb->posts SET comment_count = $comment->c WHERE ID = '$comment->comment_post_ID'"
+$wpdb->prepare("UPDATE $wpdb->posts SET comment_count = %d WHERE ID = %d", $comment->c, $comment->comment_post_ID)
-        }
-    }
@@ -478 +475 @@
-        $objects = $wpdb->get_results("SELECT ID, post_type FROM $wpdb->posts WHERE post_status = 'object'");
-        foreach ($objects as $object) {
-
-'$object->post_type'
+ $wpdb->prepare(
+%s
-            post_type = ''
-$object->ID"
+%d", $object->post_type, $object->ID) 
-
-            $meta = get_post_meta($object->ID, 'imagedata', true);
@@ -509 +506 @@
-            }
-
-"UPDATE $wpdb->posts SET post_status = '$status', post_type = '$type' WHERE ID = '$post->ID'"
+ $wpdb->prepare("UPDATE $wpdb->posts SET post_status = %s, post_type = %s WHERE ID = %d", $status, $type, $post->ID) 
-        }
-    }
@@ -542 +539 @@
-    foreach ($categories as $category) {
-        $term_id = (int) $category->cat_ID;
-        $name = $wpdb->escape($category->cat_name);
-        $description = $wpdb->escape($category->category_description);
-        $slug = $wpdb->escape($category->category_nicename);
-        $parent = $wpdb->escape($category->category_parent);
-        $term_group = 0;
-
-        // Associate terms with the same slug in a term group and make slugs unique.
-"SELECT term_id, term_group FROM $wpdb->terms WHERE slug = '$slug'"
+ $wpdb->prepare("SELECT term_id, term_group FROM $wpdb->terms WHERE slug = %s", $slug) 
-            $term_group = $exists[0]->term_group;
-            $id = $exists[0]->term_id;
@@ -556 +549 @@
-                $alt_slug = $slug . "-$num";
-                $num++;
-"SELECT slug FROM $wpdb->terms WHERE slug = '$alt_slug'"
+ $wpdb->prepare("SELECT slug FROM $wpdb->terms WHERE slug = %s", $alt_slug) 
-            } while ( $slug_check );
-
@@ -563 +556 @@
-            if ( empty( $term_group ) ) {
-                $term_group = $wpdb->get_var("SELECT MAX(term_group) FROM $wpdb->terms GROUP BY term_group") + 1;
-"UPDATE $wpdb->terms SET term_group = '$term_group' WHERE term_id = '$id'"
+ $wpdb->prepare("UPDATE $wpdb->terms SET term_group = %d WHERE term_id = %d", $term_group, $id) 
-            }
-        }
-
-
+
+
-
-        $count = 0;
@@ -573 +567 @@
-            $count = (int) $category->category_count;
-            $taxonomy = 'category';
-"INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ('$term_id', '$taxonomy', '$description', '$parent', '$count')"
+ $wpdb->prepare("INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ( %d, %s, %s, %d, %d)", $term_id, $taxonomy, $description, $parent, $count) 
-            $tt_ids[$term_id][$taxonomy] = (int) $wpdb->insert_id;
-        }
@@ -580 +574 @@
-            $count = (int) $category->link_count;
-            $taxonomy = 'link_category';
-"INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ('$term_id', '$taxonomy', '$description', '$parent', '$count')"
+ $wpdb->prepare("INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ( %d, %s, %s, %d, %d)", $term_id, $taxonomy, $description, $parent, $count) 
-            $tt_ids[$term_id][$taxonomy] = (int) $wpdb->insert_id;
-        }
@@ -588 +582 @@
-            $count = (int) $category->tag_count;
-            $taxonomy = 'post_tag';
-"INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ('$term_id', '$taxonomy', '$description', '$parent', '$count')"
+ $wpdb->prepare("INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ( %d, %s, %s, %d, %d)", $term_id, $taxonomy, $description, $parent, $count) 
-            $tt_ids[$term_id][$taxonomy] = (int) $wpdb->insert_id;
-        }
@@ -595 +589 @@
-            $count = 0;
-            $taxonomy = 'category';
-"INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ('$term_id', '$taxonomy', '$description', '$parent', '$count')"
+ $wpdb->prepare("INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ( %d, %s, %s, %d, %d)", $term_id, $taxonomy, $description, $parent, $count) 
-            $tt_ids[$term_id][$taxonomy] = (int) $wpdb->insert_id;
-        }
@@ -615 +609 @@
-            continue;
-
-"INSERT INTO $wpdb->term_relationships (object_id, term_taxonomy_id) VALUES ('$post_id', '$tt_id')"
+ $wpdb->prepare("INSERT INTO $wpdb->term_relationships (object_id, term_taxonomy_id) VALUES ( %d, %d)", $post_id, $tt_id) 
-    }
-
@@ -634 +628 @@
-
-            // Associate terms with the same slug in a term group and make slugs unique.
-"SELECT term_id, term_group FROM $wpdb->terms WHERE slug = '$slug'"
+ $wpdb->prepare("SELECT term_id, term_group FROM $wpdb->terms WHERE slug = %s", $slug) 
-                $term_group = $exists[0]->term_group;
-                $term_id = $exists[0]->term_id;
@@ -640 +634 @@
-
-            if ( empty($term_id) ) {
-"INSERT INTO $wpdb->terms (name, slug, term_group) VALUES ('$name', '$slug', '$term_group')"
+ $wpdb->prepare("INSERT INTO $wpdb->terms (name, slug, term_group) VALUES (%s, %s, %d)", $name, $slug, $term_group) 
-                $term_id = (int) $wpdb->insert_id;
-            }
@@ -647 +641 @@
-            $default_link_cat = $term_id;
-
-"INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ('$term_id', 'link_category', '', '0', '0')"
+ $wpdb->prepare("INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES (%d, 'link_category', '', '0', '0')", $term_id) 
-            $tt_ids[$term_id] = (int) $wpdb->insert_id;
-        }
@@ -663 +657 @@
-                continue;
-
-"INSERT INTO $wpdb->term_relationships (object_id, term_taxonomy_id) VALUES ('$link->link_id', '$tt_id')"
+ $wpdb->prepare("INSERT INTO $wpdb->term_relationships (object_id, term_taxonomy_id) VALUES ( %d, %d)", $link->link_id, $tt_id) 
-        }
-
@@ -678 +672 @@
-                continue;
-
-'$link_id', '$tt_id')"
+ %d, %d)", $link_id, $tt_id) 
-        }
-    }
@@ -691 +685 @@
-    foreach ( (array) $terms as $term ) {
-        if ( ('post_tag' == $term->taxonomy) || ('category' == $term->taxonomy) )
-"SELECT COUNT(*) FROM $wpdb->term_relationships, $wpdb->posts WHERE $wpdb->posts.ID = $wpdb->term_relationships.object_id AND post_status = 'publish' AND post_type = 'post' AND term_taxonomy_id = '$term->term_taxonomy_id'"
+ $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->term_relationships, $wpdb->posts WHERE $wpdb->posts.ID = $wpdb->term_relationships.object_id AND post_status = 'publish' AND post_type = 'post' AND term_taxonomy_id = %d", $term->term_taxonomy_id) 
-        else
-"SELECT COUNT(*) FROM $wpdb->term_relationships WHERE term_taxonomy_id = '$term->term_taxonomy_id'"
-"UPDATE $wpdb->term_taxonomy SET count = '$count' WHERE term_taxonomy_id = '$term->term_taxonomy_id'"
+ $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->term_relationships WHERE term_taxonomy_id = %d", $term->term_taxonomy_id) 
+ $wpdb->prepare("UPDATE $wpdb->term_taxonomy SET count = %d WHERE term_taxonomy_id = %d", $count, $term->term_taxonomy_id) 
-    }
-}
@@ -824 +818 @@
-    }
-
-"SELECT option_value FROM $wpdb->options WHERE option_name = '$setting'"
+ $wpdb->prepare("SELECT option_value FROM $wpdb->options WHERE option_name = %s", $setting) 
-
-    if ( 'home' == $setting && '' == $option )

trunk/wp-admin/includes/user.php

@@ -142 +142 @@
-    global $wpdb;
-    $level_key = $wpdb->prefix . 'user_level';
-
-
-
-
+
-}
-
@@ -177 +174 @@
-    $level_key = $wpdb->prefix . 'user_level';
-
-"SELECT user_id FROM $wpdb->usermeta WHERE meta_key = '$level_key'"
+$wpdb->prepare("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = %s", $level_key)
-    if ( $exclude_zeros )
-        $query .= " AND meta_value != '0'";
@@ -188 +185 @@
-    $level_key = $wpdb->prefix . 'user_level';
-
-
-
-
+
-}
-
@@ -209 +204 @@
-    } else {
-        $editable = join(',', $editable);
-"SELECT ID, post_title, post_author FROM $wpdb->posts WHERE post_type = 'post' AND $type_sql AND post_author IN ($editable) AND post_author != '$user_id' ORDER BY post_modified $dir"
+ $wpdb->prepare("SELECT ID, post_title, post_author FROM $wpdb->posts WHERE post_type = 'post' AND $type_sql AND post_author IN ($editable) AND post_author != %d ORDER BY post_modified $dir", $user_id) 
-    }
-
@@ -242 +237 @@
-function get_users_drafts( $user_id ) {
-    global $wpdb;
-
-
+
-    $query = apply_filters('get_users_drafts', $query);
-    return $wpdb->get_results( $query );
@@ -254 +248 @@
-
-    if ($reassign == 'novalue') {
-"SELECT ID FROM $wpdb->posts WHERE post_author = $id"
+ $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_author = %d", $id) 
-
-        if ($post_ids) {
@@ -262 +256 @@
-
-        // Clean links
-"DELETE FROM $wpdb->links WHERE link_owner = $id"
+ $wpdb->prepare("DELETE FROM $wpdb->links WHERE link_owner = %d", $id) 
-    } else {
-        $reassign = (int) $reassign;
-"UPDATE $wpdb->posts SET post_author = {$reassign} WHERE post_author = {$id}"
-"UPDATE $wpdb->links SET link_owner = {$reassign} WHERE link_owner = {$id}"
+ $wpdb->prepare("UPDATE $wpdb->posts SET post_author = %d WHERE post_author = %d", $reassign, $id) 
+ $wpdb->prepare("UPDATE $wpdb->links SET link_owner = %d WHERE link_owner = %d}", $reassign, $id) 
-    }
-
@@ -272 +266 @@
-    do_action('delete_user', $id);
-
-"DELETE FROM $wpdb->users WHERE ID = $id"
-"DELETE FROM $wpdb->usermeta WHERE user_id = '$id'"
+ $wpdb->prepare("DELETE FROM $wpdb->users WHERE ID = %d", $id) 
+ $wpdb->prepare("DELETE FROM $wpdb->usermeta WHERE user_id = %d", $id) 
-
-    wp_cache_delete($id, 'users');
@@ -324 +318 @@
-        global $wpdb;
-        $this->first_user = ($this->page - 1) * $this->users_per_page;
-' LIMIT ' . $this->first_user . ',' . $this->users_per_page
+$wpdb->prepare(" LIMIT %d, %d", $this->first_user, $this->users_per_page)
-        $this->query_sort = ' ORDER BY user_login';
-        $search_sql = '';
@@ -338 +332 @@
-        $this->query_from_where = "FROM $wpdb->users";
-        if ( $this->role )
-" INNER JOIN $wpdb->usermeta ON $wpdb->users.ID = $wpdb->usermeta.user_id WHERE $wpdb->usermeta.meta_key = '{$wpdb->prefix}capabilities' AND $wpdb->usermeta.meta_value LIKE '%$this->role%'"
+$wpdb->prepare(" INNER JOIN $wpdb->usermeta ON $wpdb->users.ID = $wpdb->usermeta.user_id WHERE $wpdb->usermeta.meta_key = '{$wpdb->prefix}capabilities' AND $wpdb->usermeta.meta_value LIKE %s", '%' . $this->role . '%')
-        else
-            $this->query_from_where .= " WHERE 1=1";

trunk/wp-admin/update-links.php

@@ -37 +37 @@
-
-    foreach ($returns as $return) :
-$wpdb->escape( substr($return, 0, 19) 
-$wpdb->escape( preg_replace('/(.*?) | (.*?)/', '$2', $return) 
-"UPDATE $wpdb->links SET link_updated = '$time' WHERE link_url = '$uri'"
+substr($return, 0, 19
+preg_replace('/(.*?) | (.*?)/', '$2', $return
+ $wpdb->prepare("UPDATE $wpdb->links SET link_updated = %s WHERE link_url = %s", $time, $uri) 
-    endforeach;
-}

trunk/wp-admin/upload.php

@@ -212 +212 @@
-if ( 1 == count($posts) && is_singular() ) :
-    
-"SELECT * FROM $wpdb->comments WHERE comment_post_ID = $id AND comment_approved != 'spam' ORDER BY comment_date"
+ $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved != 'spam' ORDER BY comment_date", $id) 
-    if ( $comments ) :
-        // Make sure comments, post, and post_author are cached

trunk/wp-comments-post.php

@@ -12 +12 @@
-$comment_post_ID = (int) $_POST['comment_post_ID'];
-
-"SELECT post_status, comment_status FROM $wpdb->posts WHERE ID = '$comment_post_ID'"
+ $wpdb->prepare("SELECT post_status, comment_status FROM $wpdb->posts WHERE ID = %d", $comment_post_ID) 
-
-if ( empty($status->comment_status) ) {

trunk/wp-includes/comment.php

@@ -242 +242 @@
-    $where = '';
-    if ( $post_id > 0 ) {
-"WHERE comment_post_ID = {$post_id}"
+$wpdb->prepare("WHERE comment_post_ID = %d", $post_id)
-    }
-
@@ -380 +380 @@
-    if ( current_user_can( 'manage_options' ) )
-        return; // don't throttle admins
-"SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_author_IP = '$ip' OR comment_author_email = '$email' ORDER BY comment_date DESC LIMIT 1"
+ $wpdb->prepare("SELECT comment_date_gmt FROM $wpdb->comments WHERE comment_author_IP = %s OR comment_author_email = %s ORDER BY comment_date DESC LIMIT 1", $ip, $email) 
-        $time_lastcomment = mysql2date('U', $lasttime);
-        $time_newcomment  = mysql2date('U', $date);
@@ -488 +488 @@
-    $comment = get_comment($comment_id);
-
-"DELETE FROM $wpdb->comments WHERE comment_ID='$comment_id' LIMIT 1"
+ $wpdb->prepare("DELETE FROM $wpdb->comments WHERE comment_ID = %d LIMIT 1", $comment_id) 
-        return false;
-
@@ -586 +586 @@
-        $user_id = 0;
-
-
+ $wpdb->prepare(
-    (comment_post_ID, comment_author, comment_author_email, comment_author_url, comment_author_IP, comment_date, comment_date_gmt, comment_content, comment_approved, comment_agent, comment_type, comment_parent, user_id)
-
-
-
+
+
-
-    $id = (int) $wpdb->insert_id;
@@ -715 +714 @@
-    switch ( $comment_status ) {
-        case 'hold':
-"UPDATE $wpdb->comments SET comment_approved='0' WHERE comment_ID='$comment_id' LIMIT 1"
+$wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='0' WHERE comment_ID = %d LIMIT 1", $comment_id)
-            break;
-        case 'approve':
-"UPDATE $wpdb->comments SET comment_approved='1' WHERE comment_ID='$comment_id' LIMIT 1"
+$wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='1' WHERE comment_ID = %d LIMIT 1", $comment_id)
-            break;
-        case 'spam':
-"UPDATE $wpdb->comments SET comment_approved='spam' WHERE comment_ID='$comment_id' LIMIT 1"
+$wpdb->prepare("UPDATE $wpdb->comments SET comment_approved='spam' WHERE comment_ID = %d LIMIT 1", $comment_id)
-            break;
-        case 'delete':
@@ -775 +774 @@
-    $comment_date_gmt = get_gmt_from_date($comment_date);
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-    $rval = $wpdb->rows_affected;
@@ -880 +886 @@
-
-    $old = (int) $post->comment_count;
-"SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = '$post_id' AND comment_approved = '1'"
-"UPDATE $wpdb->posts SET comment_count = '$new' WHERE ID = '$post_id'"
+ $wpdb->prepare("SELECT COUNT(*) FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_approved = '1'", $post_id) 
+ $wpdb->prepare("UPDATE $wpdb->posts SET comment_count = %d WHERE ID = %d", $new, $post_id) 
-
-    if ( 'page' == $post->post_type )
@@ -1009 +1015 @@
-    // Do Enclosures
-    while ($enclosure = $wpdb->get_row("SELECT * FROM {$wpdb->posts}, {$wpdb->postmeta} WHERE {$wpdb->posts}.ID = {$wpdb->postmeta}.post_id AND {$wpdb->postmeta}.meta_key = '_encloseme' LIMIT 1")) {
-"DELETE FROM {$wpdb->postmeta} WHERE post_id = {$enclosure->ID} AND meta_key = '_encloseme';"
+ $wpdb->prepare("DELETE FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = '_encloseme';", $enclosure->ID) 
-        do_enclose($enclosure->post_content, $enclosure->ID);
-    }
@@ -1036 +1042 @@
-    global $wpdb;
-
-"SELECT * FROM $wpdb->posts WHERE ID = $post_id"
+ $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) 
-    $to_ping = get_to_ping($post_id);
-    $pinged  = get_pung($post_id);
-    if ( empty($to_ping) ) {
-