From 4fd4d4452fdaf23be341e624d3a90d5ad5597918 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Tue, 16 Jul 2013 14:21:05 +0000
Subject: [PATCH] Use sanitize_key() instead of esc_sql() when 'escaping' variable DB field names. see #21767.
git-svn-id: http://core.svn.wordpress.org/trunk@24714 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/meta.php | 14 +++++++-------
 wp-includes/taxonomy.php | 2 +-
 wp-includes/user.php | 2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/wp-includes/meta.php b/wp-includes/meta.php
index 49fd8c7b73..22b03157ae 100644
--- a/wp-includes/meta.php
+++ b/wp-includes/meta.php
@@ -40,7 +40,7 @@ function add_metadata($meta_type, $object_id, $meta_key, $meta_value, $unique =
 global $wpdb;
- $column = esc_sql($meta_type . '_id');
+ $column = sanitize_key($meta_type . '_id');
 // expected_slashed ($meta_key)
 $meta_key = wp_unslash($meta_key);
@@ -110,7 +110,7 @@ function update_metadata($meta_type, $object_id, $meta_key, $meta_value, $prev_v
 global $wpdb;
- $column = esc_sql($meta_type . '_id');
+ $column = sanitize_key($meta_type . '_id');
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 // expected_slashed ($meta_key)
@@ -193,7 +193,7 @@ function delete_metadata($meta_type, $object_id, $meta_key, $meta_value = '', $d
 global $wpdb;
- $type_column = esc_sql($meta_type . '_id');
+ $type_column = sanitize_key($meta_type . '_id');
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 // expected_slashed ($meta_key)
 $meta_key = wp_unslash($meta_key);
@@ -397,7 +397,7 @@ function update_metadata_by_mid( $meta_type, $meta_id, $meta_value, $meta_key =
 if ( ! $table = _get_meta_table( $meta_type ) ) return false;
- $column = esc_sql($meta_type . '_id');
+ $column = sanitize_key($meta_type . '_id');
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 // Fetch the meta and go on if it's found.
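Review bot: The new `sanitize_key()` call on the `$column` line changes the protection model without saying so, and a one-line comment would stop the next reader from "fixing" it back: `esc_sql()` escapes quotes for a value placed inside a string literal, which does nothing for a bare identifier, whereas `sanitize_key()` lowercases and strips everything outside `[a-z0-9_-]`. I would add `// Column name is an unquoted identifier: restrict its character set rather than quote-escape it.` above the assignment; the same applies to the hunks at @@ -110, @@ -193, @@ -397, @@ -478, @@ -528 and @@ -706 in this file and to the taxonomy.php hunk. Two caveats worth noting in that comment: `sanitize_key()` passes its result through the `sanitize_key` filter, so the character-set guarantee holds only as long as no plugin loosens it, and in this hunk the `_get_meta_table()` gate that bounds `$meta_type` (visible in the later hunks) sits before the hunk, as does the rest of add_metadata's body.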
@@ -478,7 +478,7 @@ function delete_metadata_by_mid( $meta_type, $meta_id ) {
 return false;
 // object and id columns
- $column = esc_sql($meta_type . '_id');
+ $column = sanitize_key($meta_type . '_id');
 $id_column = 'user' == $meta_type ? 'umeta_id' : 'meta_id';
 // Fetch the meta and go on if it's found.
@@ -528,7 +528,7 @@ function update_meta_cache($meta_type, $object_ids) {
 if ( ! $table = _get_meta_table($meta_type) ) return false;
- $column = esc_sql($meta_type . '_id');
+ $column = sanitize_key($meta_type . '_id');
 global $wpdb;
@@ -706,7 +706,7 @@ class WP_Meta_Query {
 if ( ! $meta_table = _get_meta_table( $type ) ) return false;
- $meta_id_column = esc_sql( $type . '_id' );
+ $meta_id_column = sanitize_key( $type . '_id' );
 $join = array();
 $where = array();
diff --git a/wp-includes/taxonomy.php b/wp-includes/taxonomy.php
index 64a38ea3e2..ecca35fc05 100644
--- a/wp-includes/taxonomy.php
+++ b/wp-includes/taxonomy.php
@@ -791,7 +791,7 @@ class WP_Tax_Query {
 if ( $query['field'] == $resulting_field ) return;
- $resulting_field = esc_sql( $resulting_field );
+ $resulting_field = sanitize_key( $resulting_field );
 switch ( $query['field'] ) {
 case 'slug':
diff --git a/wp-includes/user.php b/wp-includes/user.php
index f22b046753..9d307d3d01 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -393,7 +393,7 @@ class WP_User_Query {
 $this->query_fields = array();
 foreach ( $qv['fields'] as $field )
- $this->query_fields[] = $wpdb->users . '.' . esc_sql( $field );
+ $this->query_fields[] = $wpdb->users . '.' . sanitize_key( $field );
 $this->query_fields = implode( ',', $this->query_fields );
 } elseif ( 'all' == $qv['fields'] ) {
 $this->query_fields = "$wpdb->users.*";
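Review bot: In the user.php hunk, `sanitize_key( $field )` on the `$this->query_fields[]` line is a character filter, not a column allow-list: a caller-supplied field name that is not a column of `$wpdb->users` still reaches the SELECT and only fails at query time, and because hyphens survive the filter a value such as `user-login` (constructed example) is emitted as `$wpdb->users . '.user-login'`, which MySQL would read as a subtraction of two identifiers rather than reject. The lowercasing is also new behaviour in this loop, so `ID` becomes `id`; MySQL's case-insensitive column names tolerate that, but the emitted SQL changes. A tighter check would validate each `$field` against the known users-table column names before appending it, leaving `sanitize_key()` as the fallback; the enclosing method starts and ends outside the hunk.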