From cdd05b3c9f173e1f6ee9d409339105a919f1d1d0 Mon Sep 17 00:00:00 2001
From: Ryan Boren <ryan@git.wordpress.org>
Date: Mon, 27 Jun 2011 20:47:04 +0000
Subject: [PATCH] Sanitize sort_column and sort_order in get_pages(). Escape
 search_term in WP_User_Search. Cast blog_id to int in get_blog_prefix().
 Props duck_

git-svn-id: https://develop.svn.wordpress.org/trunk@18350 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/includes/deprecated.php |  6 +++---
 wp-includes/post.php             | 37 ++++++++++++++++++++++++++++++++
 wp-includes/wp-db.php            |  1 +
 3 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/wp-admin/includes/deprecated.php b/wp-admin/includes/deprecated.php
index 412629f162..3e02dbc2e9 100644
--- a/wp-admin/includes/deprecated.php
+++ b/wp-admin/includes/deprecated.php
@@ -454,7 +454,7 @@ class WP_User_Search {
 	function WP_User_Search ($search_term = '', $page = '', $role = '') {
 		_deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
 
-		$this->search_term = $search_term;
+		$this->search_term = stripslashes( $search_term );
 		$this->raw_page = ( '' == $page ) ? false : (int) $page;
 		$this->page = (int) ( '' == $page ) ? 1 : $page;
 		$this->role = $role;
@@ -485,7 +485,7 @@ class WP_User_Search {
 			$searches = array();
 			$search_sql = 'AND (';
 			foreach ( array('user_login', 'user_nicename', 'user_email', 'user_url', 'display_name') as $col )
-				$searches[] = $col . " LIKE '%$this->search_term%'";
+				$searches[] = $wpdb->prepare( $col . ' LIKE %s', '%' . like_escape($this->search_term) . '%' );
 			$search_sql .= implode(' OR ', $searches);
 			$search_sql .= ')';
 		}
@@ -700,4 +700,4 @@ function get_others_pending($user_id) {
 function wp_dashboard_quick_press_output() {
 	_deprecated_function( __FUNCTION__, '3.2', 'wp_dashboard_quick_press()' );
 	wp_dashboard_quick_press();
-}
\ No newline at end of file
+}
diff --git a/wp-includes/post.php b/wp-includes/post.php
index 8d82cc6bb6..2525724e8e 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -3448,6 +3448,43 @@ function &get_pages($args = '') {
 		$where_post_type = $wpdb->prepare( "post_type = %s AND post_status IN ('$post_status')", $post_type );
 	}
 
+	$orderby_array = array();
+	$allowed_keys = array('author', 'post_author', 'date', 'post_date', 'title', 'post_title', 'modified',
+						  'post_modified', 'modified_gmt', 'post_modified_gmt', 'menu_order', 'parent', 'post_parent',
+						  'ID', 'rand', 'comment_count');
+	foreach ( explode( ',', $sort_column ) as $orderby ) {
+		$orderby = trim( $orderby );
+		if ( !in_array( $orderby, $allowed_keys ) )
+			continue;
+
+		switch ( $orderby ) {
+			case 'menu_order':
+				break;
+			case 'ID':
+				$orderby = "$wpdb->posts.ID";
+				break;
+			case 'rand':
+				$orderby = 'RAND()';
+				break;
+			case 'comment_count':
+				$orderby = "$wpdb->posts.comment_count";
+				break;
+			default:
+				if ( 0 === strpos( $orderby, 'post_' ) )
+					$orderby = "$wpdb->posts." . $orderby;
+				else
+					$orderby = "$wpdb->posts.post_" . $orderby;
+		}
+
+		$orderby_array[] = $orderby;
+
+	}
+	$sort_column = ! empty( $orderby_array ) ? implode( ',', $orderby_array ) : "$wpdb->posts.post_title";
+
+	$sort_order = strtoupper( $sort_order );
+	if ( '' !== $sort_order && !in_array( $sort_order, array( 'ASC', 'DESC' ) ) )
+		$sort_order = 'ASC';
+
 	$query = "SELECT * FROM $wpdb->posts $join WHERE ($where_post_type) $where ";
 	$query .= $author_query;
 	$query .= " ORDER BY " . $sort_column . " " . $sort_order ;
diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php
index bc9dc9b81c..0cae3e638e 100644
--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -626,6 +626,7 @@ class wpdb {
 		if ( is_multisite() ) {
 			if ( null === $blog_id )
 				$blog_id = $this->blogid;
+			$blog_id = (int) $blog_id;
 			if ( defined( 'MULTISITE' ) && ( 0 == $blog_id || 1 == $blog_id ) )
 				return $this->base_prefix;
 			else