sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix slashing in Custom fields values. Allow for the meta_key to be updated without changing meta_value. Use wpdb::insert in add_meta(). Fixes #12418

Browse Source 
git-svn-id: https://develop.svn.wordpress.org/trunk@13489 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Dion Hulse 2010-02-28 07:12:05 +00:00
parent 1a258ebff7
commit df84c657f9
3 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
wp-admin/admin-ajax.php
View File

@ -854,7 +854,7 @@ case 'add-meta' :
'position' => 1, 'position' => 1,
'supplemental' => array('postid' => $pid) 'supplemental' => array('postid' => $pid)
) ); ) );
} else { } else { // Update?
$mid = (int) array_pop(array_keys($_POST['meta'])); $mid = (int) array_pop(array_keys($_POST['meta']));
$key = $_POST['meta'][$mid]['key']; $key = $_POST['meta'][$mid]['key'];
$value = $_POST['meta'][$mid]['value']; $value = $_POST['meta'][$mid]['value'];
@ -862,7 +862,7 @@ case 'add-meta' :
die('0'); // if meta doesn't exist die('0'); // if meta doesn't exist
if ( !current_user_can( 'edit_post', $meta->post_id ) ) if ( !current_user_can( 'edit_post', $meta->post_id ) )
die('-1'); die('-1');
if ( $meta->meta_value != stripslashes($value) ) { if ( $meta->meta_value != stripslashes($value) || $meta->meta_key != stripslashes($key) ) {
if ( !$u = update_meta( $mid, $key, $value ) ) if ( !$u = update_meta( $mid, $key, $value ) )
die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems). die('0'); // We know meta exists; we also know it's unchanged (or DB error, in which case there are bigger problems).
} }

9
wp-admin/includes/post.php
View File

@ -597,8 +597,7 @@ function add_meta( $post_ID ) {
return false; return false;
wp_cache_delete($post_ID, 'post_meta'); wp_cache_delete($post_ID, 'post_meta');
$wpdb->insert( $wpdb->postmeta, array( 'post_id' => $post_ID, 'meta_key' => $metakey, 'meta_value' => $metavalue ) );
$wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value ) VALUES (%s, %s, %s)", $post_ID, $metakey, $metavalue) );
do_action( 'added_postmeta', $wpdb->insert_id, $post_ID, $metakey, $metavalue ); do_action( 'added_postmeta', $wpdb->insert_id, $post_ID, $metakey, $metavalue );
return $wpdb->insert_id; return $wpdb->insert_id;
@ -690,8 +689,8 @@ function has_meta( $postid ) {
* @since unknown * @since unknown
* *
* @param unknown_type $meta_id * @param unknown_type $meta_id
* @param unknown_type $meta_key * @param unknown_type $meta_key Expect Slashed
* @param unknown_type $meta_value * @param unknown_type $meta_value Expect Slashed
* @return unknown * @return unknown
*/ */
function update_meta( $meta_id, $meta_key, $meta_value ) { function update_meta( $meta_id, $meta_key, $meta_value ) {
@ -699,6 +698,8 @@ function update_meta( $meta_id, $meta_key, $meta_value ) {
$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' ); $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
$meta_key = stripslashes($meta_key);
if ( in_array($meta_key, $protected) ) if ( in_array($meta_key, $protected) )
return false; return false;

7
wp-admin/includes/template.php
View File

@ -2450,8 +2450,7 @@ function meta_form() {
<?php <?php
foreach ( $keys as $key ) { foreach ( $keys as $key ) {
$key = esc_attr( $key ); echo "\n<option value='" . esc_attr($key) . "'>" . esc_html($key) . "</option>";
echo "\n<option value='" . esc_attr($key) . "'>$key</option>";
} }
?> ?>
</select> </select>
@ -3289,7 +3288,7 @@ function find_posts_div($found_action = '') {
<?php wp_nonce_field( 'find-posts', '_ajax_nonce', false ); ?> <?php wp_nonce_field( 'find-posts', '_ajax_nonce', false ); ?>
<label class="screen-reader-text" for="find-posts-input"><?php _e( 'Search' ); ?></label> <label class="screen-reader-text" for="find-posts-input"><?php _e( 'Search' ); ?></label>
<input type="text" id="find-posts-input" name="ps" value="" /> <input type="text" id="find-posts-input" name="ps" value="" />
<input type="button" onClick="findPosts.send();" value="<?php esc_attr_e( 'Search' ); ?>" class="button" /><br /> <input type="button" onclick="findPosts.send();" value="<?php esc_attr_e( 'Search' ); ?>" class="button" /><br />
<input type="radio" name="find-posts-what" id="find-posts-posts" checked="checked" value="posts" /> <input type="radio" name="find-posts-what" id="find-posts-posts" checked="checked" value="posts" />
<label for="find-posts-posts"><?php _e( 'Posts' ); ?></label> <label for="find-posts-posts"><?php _e( 'Posts' ); ?></label>
@ -3299,7 +3298,7 @@ function find_posts_div($found_action = '') {
<div id="find-posts-response"></div> <div id="find-posts-response"></div>
</div> </div>
<div class="find-box-buttons"> <div class="find-box-buttons">
<input type="button" class="button alignleft" onClick="findPosts.close();" value="<?php esc_attr_e('Close'); ?>" /> <input type="button" class="button alignleft" onclick="findPosts.close();" value="<?php esc_attr_e('Close'); ?>" />
<input id="find-posts-submit" type="submit" class="button-primary alignright" value="<?php esc_attr_e('Select'); ?>" /> <input id="find-posts-submit" type="submit" class="button-primary alignright" value="<?php esc_attr_e('Select'); ?>" />
</div> </div>
</div> </div>