author | donncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36> | 2007-08-06 16:50:11 +0000 |
---|---|---|
committer | donncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36> | 2007-08-06 16:50:11 +0000 |
commit | eb658e4837288d10e7ddff80893e214b7f3186af (patch) | |
tree | c873c23cb74590c55427e98bae16e5ef37a28546 /wp-includes | |
parent | 776c594e0937041a457138c2c4fd49eabe8d3be3 (diff) | |
download | wordpress-mu-eb658e4837288d10e7ddff80893e214b7f3186af.tar.gz wordpress-mu-eb658e4837288d10e7ddff80893e214b7f3186af.tar.xz wordpress-mu-eb658e4837288d10e7ddff80893e214b7f3186af.zip |
Escape site_option keys for sql queries
Properly stripslash value, fixes #397, props ddean
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@1016 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-includes')
-rw-r--r-- | wp-includes/wpmu-functions.php | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/wp-includes/wpmu-functions.php b/wp-includes/wpmu-functions.php
index f868241..4032335 100644
--- a/wp-includes/wpmu-functions.php
+++ b/wp-includes/wpmu-functions.php
@@ -237,9 +237,12 @@ function is_site_admin( $user_login = false ) {
 return false;
 }
+// expects key not to be SQL escaped
 function get_site_option( $key, $default = false, $use_cache = true ) {
 global $wpdb;
+ $safe_key = $wpdb->escape( $key );
+
 if( $use_cache == true ) {
 $value = wp_cache_get($wpdb->siteid . $key, 'site-options');
 } else {
@@ -247,7 +250,8 @@ function get_site_option( $key, $default = false, $use_cache = true ) {
 }
 if ( false === $value ) {
- $value = $wpdb->get_var("SELECT meta_value FROM $wpdb->sitemeta WHERE meta_key = '$key' AND site_id = '{$wpdb->siteid}'");
+ $value = $wpdb->get_var("SELECT meta_value FROM $wpdb->sitemeta WHERE meta_key = '$safe_key' AND site_id = '{$wpdb->siteid}'");
+ $value = stripslashes( $value );
 if ( ! is_null($value) ) {
 wp_cache_add($wpdb->siteid . $key, $value, 'site-options');
 } elseif ( $default ) {
@@ -259,7 +263,6 @@ function get_site_option( $key, $default = false, $use_cache = true ) {
 }
 }
- $value = stripslashes( $value );
 @ $kellogs = unserialize($value);
 if ( $kellogs !== FALSE )
 return $kellogs;
@@ -267,10 +270,13 @@ function get_site_option( $key, $default = false, $use_cache = true ) {
 return $value;
 }
+// expects $key, $value not to be SQL escaped
 function add_site_option( $key, $value ) {
 global $wpdb;
- $exists = $wpdb->get_var("SELECT meta_value FROM $wpdb->sitemeta WHERE meta_key = '$key' AND site_id = '{$wpdb->siteid}'");
+ $safe_key = $wpdb->escape( $key );
+ $exists = $wpdb->get_row("SELECT meta_value FROM $wpdb->sitemeta WHERE meta_key = '$safe_key' AND site_id = '{$wpdb->siteid}'");
 if ( null !== $exists ) {// If we already have it
 update_site_option( $key, $value );
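Review bot: Moving `$value = stripslashes( $value );` directly after the `get_var()` call in the second hunk breaks the cache-miss path: when no row matches, `get_var()` yields null, but `stripslashes()` turns a null argument into the empty string, so the following `! is_null($value)` test is always true, an empty string is written to the cache and the `elseif ( $default )` branch is never reached. That also defeats the `get_site_option( $key, false, false ) === false` check that update_site_option (last hunk) now relies on to decide whether to insert, so a not-yet-existing option would never be added. Keep the unslashing inside the not-null branch: `if ( ! is_null($value) ) {` / `$value = stripslashes( $value );` / `wp_cache_add($wpdb->siteid . $key, $value, 'site-options');`. get_site_option starts in the first hunk and its body continues past this one, so the `$default` handling itself is not visible here.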
@@ -279,26 +285,27 @@ function add_site_option( $key, $value ) {
 if ( is_array($value) || is_object($value) )
 $value = serialize($value);
- $value = $wpdb->escape( $value );
 wp_cache_delete($wpdb->siteid . $key, 'site-options');
- $wpdb->query( "INSERT INTO $wpdb->sitemeta ( site_id , meta_key , meta_value ) VALUES ( '{$wpdb->siteid}', '$key', '$value')" );
+ $wpdb->query( "INSERT INTO $wpdb->sitemeta ( site_id , meta_key , meta_value ) VALUES ( '{$wpdb->siteid}', '$safe_key', '" . $wpdb->escape( $value ) . "')" );
 return $wpdb->insert_id;
 }
+// expects $key, $value not to be SQL escaped
 function update_site_option( $key, $value ) {
 global $wpdb;
 if ( $value == get_site_option( $key ) )
 return;
+ if ( get_site_option( $key, false, false ) === false )
+ add_site_option( $key, $value );
+
 if ( is_array($value) || is_object($value) )
 $value = serialize($value);
- $value = $wpdb->escape( $value );
- if ( get_site_option( $key, false, false ) === false )
- add_site_option( $key, $value );
+ $safe_key = $wpdb->escape( $key );
- $wpdb->query( "UPDATE $wpdb->sitemeta SET meta_value = '".$wpdb->escape( $value )."' WHERE site_id='{$wpdb->siteid}' AND meta_key = '$key'" );
+ $wpdb->query( "UPDATE $wpdb->sitemeta SET meta_value = '" . $wpdb->escape( $value ) . "' WHERE site_id='{$wpdb->siteid}' AND meta_key = '$safe_key'" );
 wp_cache_delete( $wpdb->siteid . $key, 'site-options' );
 }
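Review bot: In update_site_option the relocated `add_site_option( $key, $value );` call is not followed by a return, so an option that did not exist yet is inserted by add_site_option and then immediately rewritten by the UPDATE query further down, with a second wp_cache_delete. Bracing the `if` and adding `return;` after the add_site_option call avoids the duplicate write; add_site_option's own `get_row` existence check (previous hunk) means it only recurses into update_site_option for a key that already exists, so the early return cannot loop. The start of add_site_option lies outside this hunk; update_site_option is shown in full.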