From 6f0cbc16a8dba44fb7f579b7d05d6510e2ac6c98 Mon Sep 17 00:00:00 2001
From: markjaquith <markjaquith@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Sat, 13 Oct 2007 03:51:11 +0000
Subject: [PATCH] prepare(), insert(), update() for wp-includes/ taxonomy.php,
 rss.php, registration.php

git-svn-id: http://svn.automattic.com/wordpress/trunk@6241 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/registration.php | 19 +++-------
 wp-includes/rss.php          |  5 +--
 wp-includes/taxonomy.php     | 68 +++++++++++++++++++-----------------
 3 files changed, 44 insertions(+), 48 deletions(-)

diff --git a/wp-includes/registration.php b/wp-includes/registration.php
index c0d62aea33..f9cc27dc57 100644
--- a/wp-includes/registration.php
+++ b/wp-includes/registration.php
@@ -21,8 +21,7 @@ function username_exists( $username ) {
  */
 function email_exists( $email ) {
 	global $wpdb;
-	$email = $wpdb->escape( $email );
-	return $wpdb->get_var( "SELECT ID FROM $wpdb->users WHERE user_email = '$email'" );
+	return $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->users WHERE user_email = %s", $email) );
 }
 
 /**
@@ -98,18 +97,13 @@ function wp_insert_user($userdata) {
 	if ( empty($user_registered) )
 		$user_registered = gmdate('Y-m-d H:i:s');
 
+	$data = compact( 'user_pass', 'user_email', 'user_url', 'user_nicename', 'display_name' );
+
 	if ( $update ) {
-		$query = "UPDATE $wpdb->users SET user_pass='$user_pass', user_email='$user_email', user_url='$user_url', user_nicename = '$user_nicename', display_name = '$display_name' WHERE ID = '$ID'";
-		$query = apply_filters('update_user_query', $query);
-		$wpdb->query( $query );
+		$wpdb->update( $wpdb->users, $data, compact( 'ID' ) );
 		$user_id = (int) $ID;
 	} else {
-		$query = "INSERT INTO $wpdb->users
-		(user_login, user_pass, user_email, user_url, user_registered, user_nicename, display_name)
-	VALUES
-		('$user_login', '$user_pass', '$user_email', '$user_url', '$user_registered', '$user_nicename', '$display_name')";
-		$query = apply_filters('create_user_query', $query);
-		$wpdb->query( $query );
+		$wpdb->insert( $wpdb->users, $data + compact( 'user_login' ) );
 		$user_id = (int) $wpdb->insert_id;
 	}
 
@@ -145,13 +139,10 @@ function wp_insert_user($userdata) {
 
 /**
  * Update an user in the database.
- * @global object $wpdb WordPress database layer.
  * @param array $userdata An array of user data.
  * @return int The updated user's ID.
  */
 function wp_update_user($userdata) {
-	global $wpdb;
-
 	$ID = (int) $userdata['ID'];
 
 	// First, get all of the original fields
diff --git a/wp-includes/rss.php b/wp-includes/rss.php
index 76841bf97b..52cb88ef22 100644
--- a/wp-includes/rss.php
+++ b/wp-includes/rss.php
@@ -667,9 +667,10 @@ class RSSCache {
 		$cache_option = 'rss_' . $this->file_name( $url );
 		$cache_timestamp = 'rss_' . $this->file_name( $url ) . '_ts';
 
-		if ( !$wpdb->get_var("SELECT option_name FROM $wpdb->options WHERE option_name = '$cache_option'") )
+		// shouldn't these be using get_option() ?
+		if ( !$wpdb->get_var( $wpdb->prepare( "SELECT option_name FROM $wpdb->options WHERE option_name = %s", $cache_option ) ) )
 			add_option($cache_option, '', '', 'no');
-		if ( !$wpdb->get_var("SELECT option_name FROM $wpdb->options WHERE option_name = '$cache_timestamp'") )
+		if ( !$wpdb->get_var( $wpdb->prepare( "SELECT option_name FROM $wpdb->options WHERE option_name = %s", $cache_timestamp ) ) )
 			add_option($cache_timestamp, '', '', 'no');
 
 		update_option($cache_option, $rss);
diff --git a/wp-includes/taxonomy.php b/wp-includes/taxonomy.php
index a99c506d5b..37851f2136 100644
--- a/wp-includes/taxonomy.php
+++ b/wp-includes/taxonomy.php
@@ -195,6 +195,8 @@ function get_objects_in_term( $terms, $taxonomies, $args = array() ) {
 	$args = wp_parse_args( $args, $defaults );
 	extract($args, EXTR_SKIP);
 
+	$order = ( 'desc' == strtolower($order) ) ? 'DESC' : 'ASC';
+
 	$terms = array_map('intval', $terms);
 
 	$taxonomies = "'" . implode("', '", $taxonomies) . "'";
@@ -240,7 +242,7 @@ function &get_term($term, $taxonomy, $output = OBJECT, $filter = 'raw') {
 	} else {
 		$term = (int) $term;
 		if ( ! $_term = wp_cache_get($term, $taxonomy) ) {
-			$_term = $wpdb->get_row("SELECT t.*, tt.* FROM $wpdb->terms AS t INNER JOIN $wpdb->term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy = '$taxonomy' AND t.term_id = '$term' LIMIT 1");
+			$_term = $wpdb->get_row( $wpdb->prepare( "SELECT t.*, tt.* FROM $wpdb->terms AS t INNER JOIN $wpdb->term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy = %s AND t.term_id = %s LIMIT 1", $taxonomy, $term) );
 			wp_cache_add($term, $_term, $taxonomy);
 		}
 	}
@@ -314,7 +316,7 @@ function get_term_by($field, $value, $taxonomy, $output = OBJECT, $filter = 'raw
 		$value = (int) $value;
 	}
 
-	$term = $wpdb->get_row("SELECT t.*, tt.* FROM $wpdb->terms AS t INNER JOIN $wpdb->term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy = '$taxonomy' AND $field = '$value' LIMIT 1");
+	$term = $wpdb->get_row( $wpdb->prepare( "SELECT t.*, tt.* FROM $wpdb->terms AS t INNER JOIN $wpdb->term_taxonomy AS tt ON t.term_id = tt.term_id WHERE tt.taxonomy = %s AND $field = %s LIMIT 1", $taxonomy, $value) );
 	if ( !$term )
 		return false;
 
@@ -466,7 +468,7 @@ function &get_terms($taxonomies, $args = '') {
 		'hierarchical' => true, 'child_of' => 0, 'get' => '', 'name__like' => '',
 		'pad_counts' => false);
 	$args = wp_parse_args( $args, $defaults );
-	$args['number'] = (int) $args['number'];
+	$args['number'] = absint( $args['number'] );
 	if ( !$single_taxonomy || !is_taxonomy_hierarchical($taxonomies[0]) ||
 		'' != $args['parent'] ) {
 		$args['child_of'] = 0;
@@ -633,11 +635,11 @@ function is_term($term, $taxonomy = '') {
 	if ( is_int($term) ) {
 		if ( 0 == $term )
 			return 0;
-		$where = "t.term_id = '$term'";
+		$where = $wpdb->prepare( "t.term_id = %d", $term );
 	} else {
 		if ( ! $term = sanitize_title($term) )
 			return 0;
-		$where = "t.slug = '$term'";
+		$where = $wpdb->prepare( "t.slug = %s", $term );
 	}
 
 	$term_id = $wpdb->get_var("SELECT term_id FROM $wpdb->terms as t WHERE $where");
@@ -645,6 +647,7 @@ function is_term($term, $taxonomy = '') {
 	if ( empty($taxonomy) || empty($term_id) )
 		return $term_id;
 
+	$taxonomy = $wpdb->escape( $taxonomy );
 	return $wpdb->get_row("SELECT tt.term_id, tt.term_taxonomy_id FROM $wpdb->terms AS t INNER JOIN $wpdb->term_taxonomy as tt ON tt.term_id = t.term_id WHERE $where AND tt.taxonomy = '$taxonomy'", ARRAY_A);
 }
 
@@ -751,6 +754,7 @@ function wp_count_terms( $taxonomy, $args = array() ) {
 	if ( $ignore_empty )
 		$where = 'AND count > 0';
 
+	$taxonomy = $wpdb->escape( $taxonomy );
 	return $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->term_taxonomy WHERE taxonomy = '$taxonomy' $where");
 }
 
@@ -808,10 +812,10 @@ function wp_delete_term( $term, $taxonomy, $args = array() ) {
 			return $term_obj;
 		$parent = $term_obj->parent;
 
-		$wpdb->query("UPDATE $wpdb->term_taxonomy SET parent = '$parent' WHERE parent = '$term_obj->term_id' AND taxonomy = '$taxonomy'");
+		$wpdb->update( $wpdb->term_taxonomy, compact( $parent ), array( 'parent' => $term_obj->term_id) + compact( $taxonomy ) );
 	}
 
-	$objects = $wpdb->get_col("SELECT object_id FROM $wpdb->term_relationships WHERE term_taxonomy_id = '$tt_id'");
+	$objects = $wpdb->get_col( $wpdb->prepare( "SELECT object_id FROM $wpdb->term_relationships WHERE term_taxonomy_id = %d", $tt_id ) );
 
 	foreach ( (array) $objects as $object ) {
 		$terms = wp_get_object_terms($object, $taxonomy, 'fields=ids');
@@ -823,11 +827,11 @@ function wp_delete_term( $term, $taxonomy, $args = array() ) {
 		wp_set_object_terms($object, $terms, $taxonomy);
 	}
 
-	$wpdb->query("DELETE FROM $wpdb->term_taxonomy WHERE term_taxonomy_id = '$tt_id'");
+	$wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->term_taxonomy WHERE term_taxonomy_id = %d", $tt_id ) );
 
 	// Delete the term if no taxonomies use it.
-	if ( !$wpdb->get_var("SELECT COUNT(*) FROM $wpdb->term_taxonomy WHERE term_id = '$term'") )
-		$wpdb->query("DELETE FROM $wpdb->terms WHERE term_id = '$term'");
+	if ( !$wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM $wpdb->term_taxonomy WHERE term_id = %d", $term) ) )
+		$wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->terms WHERE term_id = %d", $term) );
 
 	clean_term_cache($term, $taxonomy);
 
@@ -927,39 +931,39 @@ function wp_insert_term( $term, $taxonomy, $args = array() ) {
 
 	$term_group = 0;
 	if ( $alias_of ) {
-		$alias = $wpdb->fetch_row("SELECT term_id, term_group FROM $wpdb->terms WHERE slug = '$alias_of'");
+		$alias = $wpdb->fetch_row( $wpdb->prepare( "SELECT term_id, term_group FROM $wpdb->terms WHERE slug = %s", $alias_of) );
 		if ( $alias->term_group ) {
 			// The alias we want is already in a group, so let's use that one.
 			$term_group = $alias->term_group;
 		} else {
 			// The alias isn't in a group, so let's create a new one and firstly add the alias term to it.
 			$term_group = $wpdb->get_var("SELECT MAX(term_group) FROM $wpdb->terms GROUP BY term_group") + 1;
-			$wpdb->query("UPDATE $wpdb->terms SET term_group = $term_group WHERE term_id = $alias->term_id");
+			$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->terms SET term_group = %d WHERE term_id = %d", $term_group, $alias->term_id ) );
 		}
 	}
 
 	if ( ! $term_id = is_term($slug) ) {
-		$wpdb->query("INSERT INTO $wpdb->terms (name, slug, term_group) VALUES ('$name', '$slug', '$term_group')");
+		$wpdb->insert( $wpdb->terms, compact( 'name', 'slug', 'term_group' ) );
 		$term_id = (int) $wpdb->insert_id;
 	} else if ( is_taxonomy_hierarchical($taxonomy) && !empty($parent) ) {
 		// If the taxonomy supports hierarchy and the term has a parent, make the slug unique
 		// by incorporating parent slugs.
 		$slug = wp_unique_term_slug($slug, (object) $args);
-		$wpdb->query("INSERT INTO $wpdb->terms (name, slug, term_group) VALUES ('$name', '$slug', '$term_group')");
+		$wpdb->insert( $wpdb->terms, compact( 'name', 'slug', 'term_group' ) );
 		$term_id = (int) $wpdb->insert_id;
 	}
 
 	if ( empty($slug) ) {
 		$slug = sanitize_title($slug, $term_id);
-		$wpdb->query("UPDATE $wpdb->terms SET slug = '$slug' WHERE term_id = '$term_id'");
+		$wpdb->update( $wpdb->terms, compact( 'slug' ), compact( 'term_id' ) );
 	}
 
-	$tt_id = $wpdb->get_var("SELECT tt.term_taxonomy_id FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = '$taxonomy' AND t.term_id = $term_id");
+	$tt_id = $wpdb->get_var( $wpdb->prepare( "SELECT tt.term_taxonomy_id FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = %s AND t.term_id = %d", $taxonomy, $term_id ) );
 
 	if ( !empty($tt_id) )
 		return array('term_id' => $term_id, 'term_taxonomy_id' => $tt_id);
 
-	$wpdb->query("INSERT INTO $wpdb->term_taxonomy (term_id, taxonomy, description, parent, count) VALUES ('$term_id', '$taxonomy', '$description', '$parent', '0')");
+	$wpdb->insert( $wpdb->term_taxonomy, compact( 'term_id', 'taxonomy', 'description', 'parent') + array( 'count' => 0 ) );
 	$tt_id = (int) $wpdb->insert_id;
 
 	do_action("create_term", $term_id, $tt_id);
@@ -1011,9 +1015,9 @@ function wp_set_object_terms($object_id, $terms, $taxonomy, $append = false) {
 		$id = $id['term_taxonomy_id'];
 		$tt_ids[] = $id;
 
-		if ( $wpdb->get_var("SELECT term_taxonomy_id FROM $wpdb->term_relationships WHERE object_id = '$object_id' AND term_taxonomy_id = '$id'") )
+		if ( $wpdb->get_var( $wpdb->prepare( "SELECT term_taxonomy_id FROM $wpdb->term_relationships WHERE object_id = %d AND term_taxonomy_id = %d", $object_id, $id ) ) )
 			continue;
-		$wpdb->query("INSERT INTO $wpdb->term_relationships (object_id, term_taxonomy_id) VALUES ('$object_id', '$id')");
+		$wpdb->insert( $wpdb->term_relationships, array( 'object_id' => $object_id, 'term_taxonomy_id' => $id ) );
 	}
 
 	wp_update_term_count($tt_ids, $taxonomy);
@@ -1049,12 +1053,12 @@ function wp_unique_term_slug($slug, $term) {
 	}
 
 	// If we didn't get a unique slug, try appending a number to make it unique.
-	if ( $wpdb->get_var("SELECT slug FROM $wpdb->terms WHERE slug = '$slug'") ) {
+	if ( $wpdb->get_var( $wpdb->prepare( "SELECT slug FROM $wpdb->terms WHERE slug = %s", $slug ) ) ) {
 		$num = 2;
 		do {
 			$alt_slug = $slug . "-$num";
 			$num++;
-			$slug_check = $wpdb->get_var("SELECT slug FROM $wpdb->terms WHERE slug = '$alt_slug'");
+			$slug_check = $wpdb->get_var( $wpdb->prepare( "SELECT slug FROM $wpdb->terms WHERE slug = %s", $alt_slug ) );
 		} while ( $slug_check );
 		$slug = $alt_slug;
 	}
@@ -1091,19 +1095,19 @@ function wp_update_term( $term, $taxonomy, $args = array() ) {
 	}
 
 	if ( $alias_of ) {
-		$alias = $wpdb->fetch_row("SELECT term_id, term_group FROM $wpdb->terms WHERE slug = '$alias_of'");
+		$alias = $wpdb->fetch_row( $wpdb->prepare( "SELECT term_id, term_group FROM $wpdb->terms WHERE slug = %s", $alias_of) );
 		if ( $alias->term_group ) {
 			// The alias we want is already in a group, so let's use that one.
 			$term_group = $alias->term_group;
 		} else {
 			// The alias isn't in a group, so let's create a new one and firstly add the alias term to it.
 			$term_group = $wpdb->get_var("SELECT MAX(term_group) FROM $wpdb->terms GROUP BY term_group") + 1;
-			$wpdb->query("UPDATE $wpdb->terms SET term_group = $term_group WHERE term_id = $alias->term_id");
+			$wpdb->update( $wpdb->terms, compact('term_group'), array( 'term_id' => $alias->term_id ) );
 		}
 	}
 
 	// Check for duplicate slug
-	$id = $wpdb->get_var("SELECT term_id FROM $wpdb->terms WHERE slug = '$slug'");
+	$id = $wpdb->get_var( $wpdb->prepare( "SELECT term_id FROM $wpdb->terms WHERE slug = %s", $slug ) );
 	if ( $id && ($id != $term_id) ) {
 		// If an empty slug was passed, reset the slug to something unique.
 		// Otherwise, bail.
@@ -1113,16 +1117,16 @@ function wp_update_term( $term, $taxonomy, $args = array() ) {
 			return new WP_Error('duplicate_term_slug', sprintf(__('The slug "%s" is already in use by another term'), $slug));
 	}
 
-	$wpdb->query("UPDATE $wpdb->terms SET name = '$name', slug = '$slug', term_group = '$term_group' WHERE term_id = '$term_id'");
+	$wpdb->update($wpdb->terms, compact( 'name', 'slug', 'term_group' ), compact( 'term_id' ) );
 
 	if ( empty($slug) ) {
 		$slug = sanitize_title($name, $term_id);
-		$wpdb->query("UPDATE $wpdb->terms SET slug = '$slug' WHERE term_id = '$term_id'");
+		$wpdb->update( $wpdb->terms, compact( 'slug' ), compact( 'term_id' ) );
 	}
 
-	$tt_id = $wpdb->get_var("SELECT tt.term_taxonomy_id FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = '$taxonomy' AND t.term_id = $term_id");
+	$tt_id = $wpdb->get_var( $wpdb->prepare( "SELECT tt.term_taxonomy_id FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = %s AND t.term_id = %d", $taxonomy, $term_id) );
 
-	$wpdb->query("UPDATE $wpdb->term_taxonomy SET term_id = '$term_id', taxonomy = '$taxonomy', description = '$description', parent = '$parent' WHERE term_taxonomy_id = '$tt_id'");
+	$wpdb->update( $wpdb->term_taxonomy, compact( 'term_id', 'taxonomy', 'description', 'parent' ), array( 'term_taxnonoy_id' => $tt_id ) );
 
 	do_action("edit_term", $term_id, $tt_id);
 	do_action("edit_$taxonomy", $term_id, $tt_id);
@@ -1154,8 +1158,8 @@ function wp_update_term_count( $terms, $taxonomy ) {
 	} else {
 		// Default count updater
 		foreach ($terms as $term) {
-			$count = $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->term_relationships WHERE term_taxonomy_id = '$term'");
-			$wpdb->query("UPDATE $wpdb->term_taxonomy SET count = '$count' WHERE term_taxonomy_id = '$term'");
+			$count = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM $wpdb->term_relationships WHERE term_taxonomy_id = %d", $term) );
+			$wpdb->update( $wpdb->term_taxonomy, compact( 'count' ), array( 'term_taxnomy_id' => $term ) );
 		}
 
 	}
@@ -1388,8 +1392,8 @@ function _update_post_term_count( $terms ) {
 	global $wpdb;
 
 	foreach ( $terms as $term ) {
-		$count = $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->term_relationships, $wpdb->posts WHERE $wpdb->posts.ID = $wpdb->term_relationships.object_id AND post_status = 'publish' AND post_type = 'post' AND term_taxonomy_id = '$term'");
-		$wpdb->query("UPDATE $wpdb->term_taxonomy SET count = '$count' WHERE term_taxonomy_id = '$term'");
+		$count = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM $wpdb->term_relationships, $wpdb->posts WHERE $wpdb->posts.ID = $wpdb->term_relationships.object_id AND post_status = 'publish' AND post_type = 'post' AND term_taxonomy_id = %d", $term ) );
+		$wpdb->update( $wpdb->term_taxnomoy, compact( 'count' ), array( 'term_taxnomy_id' => $term ) );
 	}
 }