mirror of
https://github.com/WordPress/WordPress.git
synced 2024-09-24 21:32:51 +02:00
Use table aliases for columns in SQL generated by WP_Date_Query.
The use of non-aliased column names (eg 'post_date' instead of 'wp_posts.post_date') in WP_Date_Query causes SQL notices and other failures when queries involve table joins, such as date_query combined with tax_query or meta_query. This changeset modifies WP_Date_Query::validate_column() to add the table alias when it can be detected from the column name (ie, in the case of core columns). A side effect of this change is that it is now possible to use WP_Date_Query to build WHERE clauses across multiple tables, though there is currently no core support for the automatic generation of the necessary JOIN clauses. See Props ew_holmes, wonderboymusic, neoxx, Viper007Bond, boonebgorges. Fixes #25775. Built from https://develop.svn.wordpress.org/trunk@29933 git-svn-id: http://core.svn.wordpress.org/trunk@29685 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
50f1b45594
commit
fcc82fd671
@ -435,6 +435,11 @@ class WP_Date_Query {
|
|||||||
/**
|
/**
|
||||||
* Validates a column name parameter.
|
* Validates a column name parameter.
|
||||||
*
|
*
|
||||||
|
* Column names without a table prefix (like 'post_date') are checked against a whitelist of
|
||||||
|
* known tables, and then, if found, have a table prefix (such as 'wp_posts.') prepended.
|
||||||
|
* Prefixed column names (such as 'wp_posts.post_date') bypass this whitelist check,
|
||||||
|
* and are only sanitized to remove illegal characters.
|
||||||
|
*
|
||||||
* @since 3.7.0
|
* @since 3.7.0
|
||||||
* @access public
|
* @access public
|
||||||
*
|
*
|
||||||
@ -442,22 +447,53 @@ class WP_Date_Query {
|
|||||||
* @return string A validated column name value.
|
* @return string A validated column name value.
|
||||||
*/
|
*/
|
||||||
public function validate_column( $column ) {
|
public function validate_column( $column ) {
|
||||||
|
global $wpdb;
|
||||||
|
|
||||||
$valid_columns = array(
|
$valid_columns = array(
|
||||||
'post_date', 'post_date_gmt', 'post_modified',
|
'post_date', 'post_date_gmt', 'post_modified',
|
||||||
'post_modified_gmt', 'comment_date', 'comment_date_gmt'
|
'post_modified_gmt', 'comment_date', 'comment_date_gmt'
|
||||||
);
|
);
|
||||||
/**
|
|
||||||
* Filter the list of valid date query columns.
|
|
||||||
*
|
|
||||||
* @since 3.7.0
|
|
||||||
*
|
|
||||||
* @param array $valid_columns An array of valid date query columns. Defaults are 'post_date', 'post_date_gmt',
|
|
||||||
* 'post_modified', 'post_modified_gmt', 'comment_date', 'comment_date_gmt'
|
|
||||||
*/
|
|
||||||
if ( ! in_array( $column, apply_filters( 'date_query_valid_columns', $valid_columns ) ) )
|
|
||||||
$column = 'post_date';
|
|
||||||
|
|
||||||
return $column;
|
// Attempt to detect a table prefix.
|
||||||
|
if ( false === strpos( $column, '.' ) ) {
|
||||||
|
/**
|
||||||
|
* Filter the list of valid date query columns.
|
||||||
|
*
|
||||||
|
* @since 3.7.0
|
||||||
|
*
|
||||||
|
* @param array $valid_columns An array of valid date query columns. Defaults
|
||||||
|
* are 'post_date', 'post_date_gmt', 'post_modified',
|
||||||
|
* 'post_modified_gmt', 'comment_date', 'comment_date_gmt'
|
||||||
|
*/
|
||||||
|
if ( ! in_array( $column, apply_filters( 'date_query_valid_columns', $valid_columns ) ) ) {
|
||||||
|
$column = 'post_date';
|
||||||
|
}
|
||||||
|
|
||||||
|
$known_columns = array(
|
||||||
|
$wpdb->posts => array(
|
||||||
|
'post_date',
|
||||||
|
'post_date_gmt',
|
||||||
|
'post_modified',
|
||||||
|
'post_modified_gmt',
|
||||||
|
),
|
||||||
|
$wpdb->comments => array(
|
||||||
|
'comment_date',
|
||||||
|
'comment_date_gmt',
|
||||||
|
),
|
||||||
|
);
|
||||||
|
|
||||||
|
// If it's a known column name, add the appropriate table prefix.
|
||||||
|
foreach ( $known_columns as $table_name => $table_columns ) {
|
||||||
|
if ( in_array( $column, $table_columns ) ) {
|
||||||
|
$column = $table_name . '.' . $column;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
// Remove unsafe characters.
|
||||||
|
return preg_replace( '/[^a-zA-Z0-9_$\.]/', '', $column );
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
Loading…
Reference in New Issue
Block a user