From d2374614c251db9d6d4157720cddc0e3bf6e3de1 Mon Sep 17 00:00:00 2001 From: "Dominik Schilling (ocean90)" Date: Thu, 26 Jan 2017 13:32:24 +0000 Subject: [PATCH] Query: Ensure that queries work correctly with post type names with special characters. git-svn-id: https://develop.svn.wordpress.org/trunk@39952 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/class-wp-query.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/wp-includes/class-wp-query.php b/src/wp-includes/class-wp-query.php index eb68f219ce..00a085dfaa 100644 --- a/src/wp-includes/class-wp-query.php +++ b/src/wp-includes/class-wp-query.php @@ -2257,12 +2257,12 @@ class WP_Query { if ( empty( $in_search_post_types ) ) { $where .= ' AND 1=0 '; } else { - $where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", $in_search_post_types ) . "')"; + $where .= " AND {$wpdb->posts}.post_type IN ('" . join( "', '", array_map( 'esc_sql', $in_search_post_types ) ) . "')"; } } elseif ( !empty( $post_type ) && is_array( $post_type ) ) { - $where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", $post_type) . "')"; + $where .= " AND {$wpdb->posts}.post_type IN ('" . join("', '", esc_sql( $post_type ) ) . "')"; } elseif ( ! empty( $post_type ) ) { - $where .= " AND {$wpdb->posts}.post_type = '$post_type'"; + $where .= $wpdb->prepare( " AND {$wpdb->posts}.post_type = %s", $post_type ); $post_type_object = get_post_type_object ( $post_type ); } elseif ( $this->is_attachment ) { $where .= " AND {$wpdb->posts}.post_type = 'attachment'";