Use mysql_real_escape_string() only in prepare(), insert(), and update(). escape() uses addslashes only. Add array support to escape(). see #9189

git-svn-id: https://develop.svn.wordpress.org/trunk@10604 602fd350-edb4-49c9-b593-d223f7449a82
Ryan Boren 2009-02-20 19:05:12 +00:00
parent 999851f2cb
commit 37b231b542


@ -427,21 +427,55 @@ class wpdb {
} }
} }
/** function _weak_escape($string) {
* Escapes content for insertion into the database, for security return addslashes($string);
* }
* @since 0.71
* function _real_escape($string) {
* @param string $string
* @return string query safe string
*/
function escape($string) {
if ( $this->dbh && $this->real_escape ) if ( $this->dbh && $this->real_escape )
return mysql_real_escape_string( $string, $this->dbh ); return mysql_real_escape_string( $string, $this->dbh );
else else
return addslashes( $string ); return addslashes( $string );
} }
function _escape($data) {
if ( is_array($data) ) {
foreach ( (array) $data as $k => $v ) {
if ( is_array($v) )
$data[$k] = $this->_escape( $v );
else
$data[$k] = $this->_real_escape( $v );
}
} else {
$data = $this->_real_escape( $data );
}
return $data;
}
/**
* Escapes content for insertion into the database using addslashes(), for security
*
* @since 0.71
*
* @param string|array $data
* @return string query safe string
*/
function escape($data) {
if ( is_array($data) ) {
foreach ( (array) $data as $k => $v ) {
if ( is_array($v) )
$data[$k] = $this->escape( $v );
else
$data[$k] = $this->_weak_escape( $v );
}
} else {
$data = $this->_weak_escape( $data );
}
return $data;
}
/** /**
* Escapes content by reference for insertion into the database, for security * Escapes content by reference for insertion into the database, for security
* *
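Review bot: The escape() docblock still says `@return string query safe string` even though the new body returns an array when `$data` is an array (the recursive branch `$data[$k] = $this->escape( $v );`), so the tag should read `@return string|array`. The docblock should also make the trade-off in the title explicit: escape() now always goes through `_weak_escape()`, i.e. addslashes(), which is a byte-level escape with no knowledge of the connection character set, unlike the removed `mysql_real_escape_string( $string, $this->dbh )` path — suggested wording: `Uses addslashes() only and is not charset-aware; for SQL built from untrusted input prefer prepare(), which uses the real escape.` The new `_weak_escape()` and `_real_escape()` helpers appear to land without docblocks of their own (the rendering interleaves them with the old comment, so this is inferred), and the `(array) $data` cast inside the `is_array($data)` branch is redundant. In the following escape_by_ref hunk the new body calls `$this->_real_escape( $string )`, which does not match the title's "only in prepare(), insert(), and update()"; either the description or a one-line comment on escape_by_ref should say why it keeps the real escape.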
@ -449,8 +483,8 @@ class wpdb {
* *
* @param string $s * @param string $s
*/ */
function escape_by_ref(&$s) { function escape_by_ref(&$string) {
$s = $this->escape($s); $string = $this->_real_escape( $string );
} }
/** /**
@ -665,7 +699,7 @@ class wpdb {
* @return mixed Results of $this->query() * @return mixed Results of $this->query()
*/ */
function insert($table, $data) { function insert($table, $data) {
$data = add_magic_quotes($data); $data = $this->_escape($data);
$fields = array_keys($data); $fields = array_keys($data);
return $this->query("INSERT INTO $table (`" . implode('`,`',$fields) . "`) VALUES ('".implode("','",$data)."')"); return $this->query("INSERT INTO $table (`" . implode('`,`',$fields) . "`) VALUES ('".implode("','",$data)."')");
} }
@ -681,14 +715,14 @@ class wpdb {
* @return mixed Results of $this->query() * @return mixed Results of $this->query()
*/ */
function update($table, $data, $where){ function update($table, $data, $where){
$data = add_magic_quotes($data); $data = $this->_escape($data);
$bits = $wheres = array(); $bits = $wheres = array();
foreach ( (array) array_keys($data) as $k ) foreach ( (array) array_keys($data) as $k )
$bits[] = "`$k` = '$data[$k]'"; $bits[] = "`$k` = '$data[$k]'";
if ( is_array( $where ) ) if ( is_array( $where ) )
foreach ( $where as $c => $v ) foreach ( $where as $c => $v )
$wheres[] = "$c = '" . $this->escape( $v ) . "'"; $wheres[] = "$c = '" . $this->_escape( $v ) . "'";
else else
return false; return false;