From 9b019acfbe45011207b6c7b58a1018ec6a7e150f Mon Sep 17 00:00:00 2001 From: Ryan Boren Date: Thu, 11 Mar 2010 21:49:56 +0000 Subject: [PATCH] make *_option(), *_transient() functions consistently expect unslashed data. Props Denis-de-Bernardy. see #12416 git-svn-id: https://develop.svn.wordpress.org/trunk@13673 602fd350-edb4-49c9-b593-d223f7449a82 --- wp-includes/formatting.php | 3 +- wp-includes/functions.php | 83 +++++++++++++++++--------------------- wp-includes/theme.php | 2 +- 3 files changed, 38 insertions(+), 50 deletions(-) diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index 83395f5dd0..7e73117571 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php @@ -2441,8 +2441,7 @@ function sanitize_option($option, $value) { case 'siteurl': case 'home': - $value = stripslashes($value); - $value = esc_url($value); + $value = esc_url_raw($value); break; default : $value = apply_filters("sanitize_option_{$option}", $value, $option); diff --git a/wp-includes/functions.php b/wp-includes/functions.php index 4d4ea3a70f..0f6f9c465d 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -307,7 +307,7 @@ function is_serialized_string( $data ) { * @uses apply_filters() Calls 'option_$option', after checking the option, with * the option value. * - * @param string $option Name of option to retrieve. Should already be SQL-escaped + * @param string $option Name of option to retrieve. Expected to not be SQL-escaped. * @return mixed Value set for the option. */ function get_option( $option, $default = false ) { @@ -339,8 +339,7 @@ function get_option( $option, $default = false ) { if ( false === $value ) { if ( defined( 'WP_INSTALLING' ) ) $suppress = $wpdb->suppress_errors(); - // expected_slashed ($option) - $row = $wpdb->get_row( "SELECT option_value FROM $wpdb->options WHERE option_name = '$option' LIMIT 1" ); + $row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = '%s' LIMIT 1", $option ) ); if ( defined( 'WP_INSTALLING' ) ) $wpdb->suppress_errors( $suppress ); @@ -482,8 +481,8 @@ function wp_load_core_site_options( $site_id = null ) { * @uses do_action() Calls 'update_option' hook before updating the option. * @uses do_action() Calls 'update_option_$option' and 'updated_option' hooks on success. * - * @param string $option Option name. Expected to not be SQL-escaped - * @param mixed $newvalue Option value. + * @param string $option Option name. Expected to not be SQL-escaped. + * @param mixed $newvalue Option value. Expected to not be SQL-escaped. * @return bool False if value was not updated and true if value was updated. */ function update_option( $option, $newvalue ) { @@ -491,9 +490,8 @@ function update_option( $option, $newvalue ) { wp_protect_special_option( $option ); - $safe_option = esc_sql( $option ); $newvalue = sanitize_option( $option, $newvalue ); - $oldvalue = get_option( $safe_option ); + $oldvalue = get_option( $option ); $newvalue = apply_filters( 'pre_update_option_' . $option, $newvalue, $oldvalue ); // If the new and old values are the same, no need to update. @@ -516,10 +514,10 @@ function update_option( $option, $newvalue ) { if ( ! defined( 'WP_INSTALLING' ) ) { $alloptions = wp_load_alloptions(); if ( isset( $alloptions[$option] ) ) { - $alloptions[$option] = $newvalue; - wp_cache_set( 'alloptions', $alloptions, 'options' ); + $alloptions[$option] = $_newvalue; + wp_cache_set( 'alloptions', $_alloptions, 'options' ); } else { - wp_cache_set( $option, $newvalue, 'options' ); + wp_cache_set( $option, $_newvalue, 'options' ); } } @@ -554,8 +552,8 @@ function update_option( $option, $newvalue ) { * @uses do_action() Calls 'add_option' hook before adding the option. * @uses do_action() Calls 'add_option_$option' and 'added_option' hooks on success. * - * @param string $option Name of option to add. Expects to NOT be SQL escaped. - * @param mixed $value Optional. Option value, can be anything. + * @param string $option Name of option to add. Expected to not be SQL-escaped. + * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped. * @param mixed $deprecated Optional. Description. Not used anymore. * @param bool $autoload Optional. Default is enabled. Whether to load the option when WordPress starts up. * @return null returns when finished. @@ -567,13 +565,12 @@ function add_option( $option, $value = '', $deprecated = '', $autoload = 'yes' ) global $wpdb; wp_protect_special_option( $option ); - $safe_option = esc_sql( $option ); $value = sanitize_option( $option, $value ); // Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query $notoptions = wp_cache_get( 'notoptions', 'options' ); if ( !is_array( $notoptions ) || !isset( $notoptions[$option] ) ) - if ( false !== get_option( $safe_option ) ) + if ( false !== get_option( $option ) ) return; $_value = $value; @@ -617,7 +614,7 @@ function add_option( $option, $value = '', $deprecated = '', $autoload = 'yes' ) * @uses do_action() Calls 'delete_option' hook before option is deleted. * @uses do_action() Calls 'deleted_option' and 'delete_option_$option' hooks on success. * - * @param string $option Name of option to remove. + * @param string $option Name of option to remove. Expected to not be SQL-escaped. * @return bool True, if option is successfully deleted. False on failure. */ function delete_option( $option ) { @@ -626,13 +623,11 @@ function delete_option( $option ) { wp_protect_special_option( $option ); // Get the ID, if no ID then return - // expected_slashed ($option) - $row = $wpdb->get_row( "SELECT autoload FROM $wpdb->options WHERE option_name = '$option'" ); + $row = $wpdb->get_row( $wpdb->prepare( "SELECT autoload FROM $wpdb->options WHERE option_name = '%s'", $option ) ); if ( is_null( $row ) ) return false; do_action( 'delete_option', $option ); - // expected_slashed ($option) - $result = $wpdb->query( "DELETE FROM $wpdb->options WHERE option_name = '$option'" ); + $result = $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->options WHERE option_name = '%s'", $option) ); if ( ! defined( 'WP_INSTALLING' ) ) { if ( 'yes' == $row->autoload ) { $alloptions = wp_load_alloptions(); @@ -662,7 +657,7 @@ function delete_option( $option ) { * @uses do_action() Calls 'delete_transient_$transient' hook before transient is deleted. * @uses do_action() Calls 'deleted_transient' hook on success. * - * @param string $transient Transient name. Expected to not be SQL-escaped + * @param string $transient Transient name. Expected to not be SQL-escaped. * @return bool true if successful, false otherwise */ function delete_transient( $transient ) { @@ -673,7 +668,7 @@ function delete_transient( $transient ) { if ( $_wp_using_ext_object_cache ) { $result = wp_cache_delete( $transient, 'transient' ); } else { - $option = '_transient_' . esc_sql( $transient ); + $option = '_transient_' . $transient; $result = delete_option( $option ); } @@ -711,13 +706,12 @@ function get_transient( $transient ) { if ( $_wp_using_ext_object_cache ) { $value = wp_cache_get( $transient, 'transient' ); } else { - $safe_transient = esc_sql( $transient ); - $transient_option = '_transient_' . $safe_transient; + $transient_option = '_transient_' . $transient; if ( ! defined( 'WP_INSTALLING' ) ) { // If option is not in alloptions, it is not autoloaded and thus has a timeout $alloptions = wp_load_alloptions(); if ( !isset( $alloptions[$transient_option] ) ) { - $transient_timeout = '_transient_timeout_' . $safe_transient; + $transient_timeout = '_transient_timeout_' . $transient; if ( get_option( $transient_timeout ) < time() ) { delete_option( $transient_option ); delete_option( $transient_timeout ); @@ -746,8 +740,8 @@ function get_transient( $transient ) { * transient value to be stored. * @uses do_action() Calls 'set_transient_$transient' and 'setted_transient' hooks on success. * - * @param string $transient Transient name. Expected to not be SQL-escaped - * @param mixed $value Transient value. + * @param string $transient Transient name. Expected to not be SQL-escaped. + * @param mixed $value Transient value. Expected to not be SQL-escaped. * @param int $expiration Time until expiration in seconds, default 0 * @return bool False if value was not set and true if value was set. */ @@ -761,8 +755,7 @@ function set_transient( $transient, $value, $expiration = 0 ) { } else { $transient_timeout = '_transient_timeout_' . $transient; $transient = '_transient_' . $transient; - $safe_transient = esc_sql( $transient ); - if ( false === get_option( $safe_transient ) ) { + if ( false === get_option( $transient ) ) { $autoload = 'yes'; if ( $expiration ) { $autoload = 'no'; @@ -1000,10 +993,7 @@ function delete_all_user_settings() { * @return mixed A scalar data */ function maybe_serialize( $data ) { - if ( is_array( $data ) || is_object( $data ) ) - return serialize( $data ); - - if ( is_serialized( $data ) ) + if ( !is_scalar( $data ) ) return serialize( $data ); return $data; @@ -3384,7 +3374,7 @@ function wp_suspend_cache_invalidation($suspend = true) { * @uses apply_filters() Calls 'site_option_$option', after checking the option, with * the option value. * - * @param string $option Name of option to retrieve. Should already be SQL-escaped + * @param string $option Name of option to retrieve. Expected to not be SQL-escaped. * @param mixed $default Optional value to return if option doesn't exist. Default false. * @param bool $use_cache Whether to use cache. Multisite only. Default true. * @return mixed Value set for the option. @@ -3431,8 +3421,8 @@ function get_site_option( $option, $default = false, $use_cache = true ) { * option value to be stored. * @uses do_action() Calls 'add_site_option_$option' and 'add_site_option' hooks on success. * - * @param string $option Name of option to add. Expects to not be SQL escaped. - * @param mixed $value Optional. Option value, can be anything. + * @param string $option Name of option to add. Expected to not be SQL-escaped. + * @param mixed $value Optional. Option value, can be anything. Expected to not be SQL-escaped. * @return bool False if option was not added and true if option was added. */ function add_site_option( $option, $value ) { @@ -3475,7 +3465,7 @@ function add_site_option( $option, $value ) { * @uses do_action() Calls 'delete_site_option' and 'delete_site_option_$option' * hooks on success. * - * @param string $option Name of option to remove. Expected to be SQL-escaped. + * @param string $option Name of option to remove. Expected to not be SQL-escaped. * @return bool True, if succeed. False, if failure. */ function delete_site_option( $option ) { @@ -3517,8 +3507,8 @@ function delete_site_option( $option ) { * option value to be stored. * @uses do_action() Calls 'update_site_option_$option' and 'update_site_option' hooks on success. * - * @param string $option Name of option. Expected to not be SQL-escaped - * @param mixed $value Option value. + * @param string $option Name of option. Expected to not be SQL-escaped. + * @param mixed $value Option value. Expected to not be SQL-escaped. * @return bool False if value was not updated and true if value was updated. */ function update_site_option( $option, $value ) { @@ -3564,7 +3554,7 @@ function update_site_option( $option, $value ) { * @uses do_action() Calls 'delete_site_transient_$transient' hook before transient is deleted. * @uses do_action() Calls 'deleted_site_transient' hook on success. * - * @param string $transient Transient name. Expected to not be SQL-escaped + * @param string $transient Transient name. Expected to not be SQL-escaped. * @return bool True if successful, false otherwise */ function delete_site_transient( $transient ) { @@ -3574,7 +3564,7 @@ function delete_site_transient( $transient ) { if ( $_wp_using_ext_object_cache ) { $result = wp_cache_delete( $transient, 'site-transient' ); } else { - $option = '_site_transient_' . esc_sql( $transient ); + $option = '_site_transient_' . $transient; $result = delete_site_option( $option ); } if ( $result ) @@ -3599,7 +3589,7 @@ function delete_site_transient( $transient ) { * @uses apply_filters() Calls 'site_transient_$option' hook, after checking the transient, with * the transient value. * - * @param string $transient Transient name. Expected to not be SQL-escaped + * @param string $transient Transient name. Expected to not be SQL-escaped. * @return mixed Value of transient */ function get_site_transient( $transient ) { @@ -3614,9 +3604,9 @@ function get_site_transient( $transient ) { } else { // Core transients that do not have a timeout. Listed here so querying timeouts can be avoided. $no_timeout = array('update_core', 'update_plugins', 'update_themes'); - $transient_option = '_site_transient_' . esc_sql( $transient ); + $transient_option = '_site_transient_' . $transient; if ( ! in_array( $transient, $no_timeout ) ) { - $transient_timeout = '_site_transient_timeout_' . esc_sql( $transient ); + $transient_timeout = '_site_transient_timeout_' . $transient; $timeout = get_site_option( $transient_timeout ); if ( false !== $timeout && $timeout < time() ) { delete_site_option( $transient_option ); @@ -3646,8 +3636,8 @@ function get_site_transient( $transient ) { * transient value to be stored. * @uses do_action() Calls 'set_site_transient_$transient' and 'setted_site_transient' hooks on success. * - * @param string $transient Transient name. Expected to not be SQL-escaped - * @param mixed $value Transient value. + * @param string $transient Transient name. Expected to not be SQL-escaped. + * @param mixed $value Transient value. Expected to not be SQL-escaped. * @param int $expiration Time until expiration in seconds, default 0 * @return bool False if value was not set and true if value was set. */ @@ -3661,8 +3651,7 @@ function set_site_transient( $transient, $value, $expiration = 0 ) { } else { $transient_timeout = '_site_transient_timeout_' . $transient; $transient = '_site_transient_' . $transient; - $safe_transient = esc_sql( $transient ); - if ( false === get_site_option( $safe_transient ) ) { + if ( false === get_site_option( $transient ) ) { if ( $expiration ) add_site_option( $transient_timeout, time() + $expiration ); $result = add_site_option( $transient, $value ); diff --git a/wp-includes/theme.php b/wp-includes/theme.php index 80e3cfdd07..3e3ca319f1 100644 --- a/wp-includes/theme.php +++ b/wp-includes/theme.php @@ -1200,7 +1200,7 @@ function validate_current_theme() { function get_theme_mod($name, $default = false) { $theme = get_current_theme(); - $mods = get_option( esc_sql( "mods_$theme" ) ); + $mods = get_option( "mods_$theme" ); if ( isset($mods[$name]) ) return apply_filters( "theme_mod_$name", $mods[$name] );