mirror of
https://github.com/WordPress/WordPress.git
synced 2024-12-23 09:37:42 +01:00
Query cleanups. Use absint, concat where instead of overwrite, make post_parent independent, sanitize post__in and post__not_in. Props mdawaffe. see #6772
git-svn-id: http://svn.automattic.com/wordpress/trunk@7906 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
c25a6fe381
commit
7a0f94ffa3
@ -515,17 +515,17 @@ class WP_Query {
|
||||
if ( ! empty($qv['robots']) )
|
||||
$this->is_robots = true;
|
||||
|
||||
$qv['p'] = (int) $qv['p'];
|
||||
$qv['page_id'] = (int) $qv['page_id'];
|
||||
$qv['year'] = (int) $qv['year'];
|
||||
$qv['monthnum'] = (int) $qv['monthnum'];
|
||||
$qv['day'] = (int) $qv['day'];
|
||||
$qv['w'] = (int) $qv['w'];
|
||||
$qv['m'] = (int) $qv['m'];
|
||||
$qv['p'] = absint($qv['p']);
|
||||
$qv['page_id'] = absint($qv['page_id']);
|
||||
$qv['year'] = absint($qv['year']);
|
||||
$qv['monthnum'] = absint($qv['monthnum']);
|
||||
$qv['day'] = absint($qv['day']);
|
||||
$qv['w'] = absint($qv['w']);
|
||||
$qv['m'] = absint($qv['m']);
|
||||
$qv['cat'] = preg_replace( '|[^0-9,-]|', '', $qv['cat'] ); // comma separated list of positive or negative integers
|
||||
if ( '' !== $qv['hour'] ) $qv['hour'] = (int) $qv['hour'];
|
||||
if ( '' !== $qv['minute'] ) $qv['minute'] = (int) $qv['minute'];
|
||||
if ( '' !== $qv['second'] ) $qv['second'] = (int) $qv['second'];
|
||||
if ( '' !== $qv['hour'] ) $qv['hour'] = absint($qv['hour']);
|
||||
if ( '' !== $qv['minute'] ) $qv['minute'] = absint($qv['minute']);
|
||||
if ( '' !== $qv['second'] ) $qv['second'] = absint($qv['second']);
|
||||
|
||||
// Compat. Map subpost to attachment.
|
||||
if ( '' != $qv['subpost'] )
|
||||
@ -533,7 +533,7 @@ class WP_Query {
|
||||
if ( '' != $qv['subpost_id'] )
|
||||
$qv['attachment_id'] = $qv['subpost_id'];
|
||||
|
||||
$qv['attachment_id'] = (int) $qv['attachment_id'];
|
||||
$qv['attachment_id'] = absint($qv['attachment_id']);
|
||||
|
||||
if ( ('' != $qv['attachment']) || !empty($qv['attachment_id']) ) {
|
||||
$this->is_single = true;
|
||||
@ -624,47 +624,47 @@ class WP_Query {
|
||||
if ( !is_array($qv['category__in']) || empty($qv['category__in']) ) {
|
||||
$qv['category__in'] = array();
|
||||
} else {
|
||||
$qv['category__in'] = array_map('intval', $qv['category__in']);
|
||||
$qv['category__in'] = array_map('absint', $qv['category__in']);
|
||||
$this->is_category = true;
|
||||
}
|
||||
|
||||
if ( !is_array($qv['category__not_in']) || empty($qv['category__not_in']) ) {
|
||||
$qv['category__not_in'] = array();
|
||||
} else {
|
||||
$qv['category__not_in'] = array_map('intval', $qv['category__not_in']);
|
||||
$qv['category__not_in'] = array_map('absint', $qv['category__not_in']);
|
||||
}
|
||||
|
||||
if ( !is_array($qv['category__and']) || empty($qv['category__and']) ) {
|
||||
$qv['category__and'] = array();
|
||||
} else {
|
||||
$qv['category__and'] = array_map('intval', $qv['category__and']);
|
||||
$qv['category__and'] = array_map('absint', $qv['category__and']);
|
||||
$this->is_category = true;
|
||||
}
|
||||
|
||||
if ( '' != $qv['tag'] )
|
||||
$this->is_tag = true;
|
||||
|
||||
$qv['tag_id'] = (int) $qv['tag_id'];
|
||||
$qv['tag_id'] = absint($qv['tag_id']);
|
||||
if ( !empty($qv['tag_id']) )
|
||||
$this->is_tag = true;
|
||||
|
||||
if ( !is_array($qv['tag__in']) || empty($qv['tag__in']) ) {
|
||||
$qv['tag__in'] = array();
|
||||
} else {
|
||||
$qv['tag__in'] = array_map('intval', $qv['tag__in']);
|
||||
$qv['tag__in'] = array_map('absint', $qv['tag__in']);
|
||||
$this->is_tag = true;
|
||||
}
|
||||
|
||||
if ( !is_array($qv['tag__not_in']) || empty($qv['tag__not_in']) ) {
|
||||
$qv['tag__not_in'] = array();
|
||||
} else {
|
||||
$qv['tag__not_in'] = array_map('intval', $qv['tag__not_in']);
|
||||
$qv['tag__not_in'] = array_map('absint', $qv['tag__not_in']);
|
||||
}
|
||||
|
||||
if ( !is_array($qv['tag__and']) || empty($qv['tag__and']) ) {
|
||||
$qv['tag__and'] = array();
|
||||
} else {
|
||||
$qv['tag__and'] = array_map('intval', $qv['tag__and']);
|
||||
$qv['tag__and'] = array_map('absint', $qv['tag__and']);
|
||||
$this->is_category = true;
|
||||
}
|
||||
|
||||
@ -871,8 +871,7 @@ class WP_Query {
|
||||
|
||||
if (isset($q['page'])) {
|
||||
$q['page'] = trim($q['page'], '/');
|
||||
$q['page'] = (int) $q['page'];
|
||||
$q['page'] = abs($q['page']);
|
||||
$q['page'] = absint($q['page']);
|
||||
}
|
||||
|
||||
// If a month is specified in the querystring, load that month
|
||||
@ -949,25 +948,26 @@ class WP_Query {
|
||||
$where .= " AND WEEK($wpdb->posts.post_date, 1)='" . $q['w'] . "'";
|
||||
|
||||
if ( intval($q['comments_popup']) )
|
||||
$q['p'] = intval($q['comments_popup']);
|
||||
$q['p'] = absint($q['comments_popup']);
|
||||
|
||||
// If an attachment is requested by number, let it supercede any post number.
|
||||
if ( $q['attachment_id'] )
|
||||
$q['p'] = $q['attachment_id'];
|
||||
$q['p'] = absint($q['attachment_id']);
|
||||
|
||||
// If a post number is specified, load that post
|
||||
if ( $q['p'] )
|
||||
$where = " AND {$wpdb->posts}.ID = " . $q['p'];
|
||||
elseif ( $q['post_parent'] )
|
||||
$where = $wpdb->prepare("AND $wpdb->posts.post_parent = %d ", $q['post_parent']);
|
||||
elseif ( $q['post__in'] ) {
|
||||
$post__in = "'" . implode("', '", $q['post__in']) . "'";
|
||||
$where = " AND {$wpdb->posts}.ID IN ($post__in)";
|
||||
if ( $q['p'] ) {
|
||||
$where .= " AND {$wpdb->posts}.ID = " . $q['p'];
|
||||
} elseif ( $q['post__in'] ) {
|
||||
$post__in = implode(',', array_map( 'absint', $q['post__in'] ));
|
||||
$where .= " AND {$wpdb->posts}.ID IN ($post__in)";
|
||||
} elseif ( $q['post__not_in'] ) {
|
||||
$post__not_in = "'" . implode("', '", $q['post__not_in']) . "'";
|
||||
$where = " AND {$wpdb->posts}.ID NOT IN ($post__not_in)";
|
||||
$post__not_in = implode(',', array_map( 'absint', $q['post__not_in'] ));
|
||||
$where .= " AND {$wpdb->posts}.ID NOT IN ($post__not_in)";
|
||||
}
|
||||
|
||||
if ( $q['post_parent'] )
|
||||
$where .= $wpdb->prepare( " AND $wpdb->posts.post_parent = %d ", $q['post_parent'] );
|
||||
|
||||
if ( $q['page_id'] ) {
|
||||
if ( ('page' != get_option('show_on_front') ) || ( $q['page_id'] != get_option('page_for_posts') ) ) {
|
||||
$q['p'] = $q['page_id'];
|
||||
@ -1207,15 +1207,15 @@ class WP_Query {
|
||||
$eq = '!=';
|
||||
$andor = 'AND';
|
||||
$q['author'] = explode('-', $q['author']);
|
||||
$q['author'] = ''.intval($q['author'][1]);
|
||||
$q['author'] = '' . absint($q['author'][1]);
|
||||
} else {
|
||||
$eq = '=';
|
||||
$andor = 'OR';
|
||||
}
|
||||
$author_array = preg_split('/[,\s]+/', $q['author']);
|
||||
$whichauthor .= " AND ($wpdb->posts.post_author ".$eq.' '.intval($author_array[0]);
|
||||
$whichauthor .= " AND ($wpdb->posts.post_author ".$eq.' '.absint($author_array[0]);
|
||||
for ($i = 1; $i < (count($author_array)); $i = $i + 1) {
|
||||
$whichauthor .= ' '.$andor." $wpdb->posts.post_author ".$eq.' '.intval($author_array[$i]);
|
||||
$whichauthor .= ' '.$andor." $wpdb->posts.post_author ".$eq.' '.absint($author_array[$i]);
|
||||
}
|
||||
$whichauthor .= ')';
|
||||
}
|
||||
@ -1233,7 +1233,7 @@ class WP_Query {
|
||||
}
|
||||
$q['author_name'] = sanitize_title($q['author_name']);
|
||||
$q['author'] = $wpdb->get_var("SELECT ID FROM $wpdb->users WHERE user_nicename='".$q['author_name']."'");
|
||||
$whichauthor .= " AND ($wpdb->posts.post_author = ".intval($q['author']).')';
|
||||
$whichauthor .= " AND ($wpdb->posts.post_author = ".absint($q['author']).')';
|
||||
}
|
||||
|
||||
// MIME-Type stuff for attachment browsing
|
||||
@ -1373,7 +1373,7 @@ class WP_Query {
|
||||
|
||||
if ( empty($q['offset']) ) {
|
||||
$pgstrt = '';
|
||||
$pgstrt = (intval($page) -1) * $q['posts_per_page'] . ', ';
|
||||
$pgstrt = ($page - 1) * $q['posts_per_page'] . ', ';
|
||||
$limits = 'LIMIT '.$pgstrt.$q['posts_per_page'];
|
||||
} else { // we're ignoring $page and using 'offset'
|
||||
$q['offset'] = absint($q['offset']);
|
||||
|
Loading…
Reference in New Issue
Block a user