diff --git a/wp-admin/includes/deprecated.php b/wp-admin/includes/deprecated.php
index b91c64fc77..a318f0ee79 100644
--- a/wp-admin/includes/deprecated.php
+++ b/wp-admin/includes/deprecated.php
@@ -454,7 +454,7 @@ class WP_User_Search {
 function WP_User_Search ($search_term = '', $page = '', $role = '') {
 _deprecated_function( __FUNCTION__, '3.1', 'WP_User_Query' );
- $this->search_term = $search_term;
+ $this->search_term = stripslashes( $search_term );
 $this->raw_page = ( '' == $page ) ? false : (int) $page;
 $this->page = (int) ( '' == $page ) ? 1 : $page;
 $this->role = $role;
@@ -485,7 +485,7 @@ class WP_User_Search {
 $searches = array();
 $search_sql = 'AND (';
 foreach ( array('user_login', 'user_nicename', 'user_email', 'user_url', 'display_name') as $col )
- $searches[] = $col . " LIKE '%$this->search_term%'";
+ $searches[] = $wpdb->prepare( $col . ' LIKE %s', '%' . like_escape($this->search_term) . '%' );
 $search_sql .= implode(' OR ', $searches);
 $search_sql .= ')';
 }
diff --git a/wp-includes/post.php b/wp-includes/post.php
index d859473b48..f96523f776 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
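Review bot: The cast on `$this->page = (int) ( '' == $page ) ? 1 : $page;`, two lines below the changed line, binds to the boolean comparison rather than to `$page`, so a non-empty `$page` is stored un-cast while `$this->raw_page` on the line above is cast properly; since this commit is tightening the class's input handling, `$this->page = ( '' == $page ) ? 1 : (int) $page;` would close that gap. This is pre-existing rather than introduced here, and how `$this->page` reaches the query (presumably a LIMIT built via prepare) is outside the hunk, so the impact is unconfirmed. The new `stripslashes()` also assumes the caller hands over WP-slashed (magic-quoted) input, which is worth stating: `// $search_term arrives slashed (WP magic quotes); unslash before it is used as a LIKE pattern.` The constructor continues outside the hunk.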
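Review bot: `$wpdb->prepare()` is now called on `$wpdb`, but the hunk does not show a `global $wpdb;` and the enclosing method starts outside the hunk; if it is not already brought into scope there, this line fatals on a null object rather than failing safely. The parameterization itself is sound: `like_escape()` neutralizes `%`/`_` wildcards in the term and `prepare()` handles quoting, while `$col` is safe to concatenate only because it comes from the literal array in the `foreach`. A comment pinning that trust boundary would help the next editor, e.g. `// $col comes from the hard-coded list above — never widen it to caller-supplied names; the term is escaped for LIKE, then quoted by prepare().`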
@@ -3421,6 +3421,43 @@ function &get_pages($args = '') {
 $where_post_type = $wpdb->prepare( "post_type = '%s' AND post_status = '%s'", $post_type, $post_status );
+ $orderby_array = array();
+ $allowed_keys = array('author', 'post_author', 'date', 'post_date', 'title', 'post_title', 'modified',
+ 'post_modified', 'modified_gmt', 'post_modified_gmt', 'menu_order', 'parent', 'post_parent',
+ 'ID', 'rand', 'comment_count');
+ foreach ( explode( ',', $sort_column ) as $orderby ) {
+ $orderby = trim( $orderby );
+ if ( !in_array( $orderby, $allowed_keys ) )
+ continue;
+
+ switch ( $orderby ) {
+ case 'menu_order':
+ break;
+ case 'ID':
+ $orderby = "$wpdb->posts.ID";
+ break;
+ case 'rand':
+ $orderby = 'RAND()';
+ break;
+ case 'comment_count':
+ $orderby = "$wpdb->posts.comment_count";
+ break;
+ default:
+ if ( 0 === strpos( $orderby, 'post_' ) )
+ $orderby = "$wpdb->posts." . $orderby;
+ else
+ $orderby = "$wpdb->posts.post_" . $orderby;
+ }
+
+ $orderby_array[] = $orderby;
+
+ }
+ $sort_column = ! empty( $orderby_array ) ? implode( ',', $orderby_array ) : "$wpdb->posts.post_title";
+
+ $sort_order = strtoupper( $sort_order );
+ if ( '' !== $sort_order && !in_array( $sort_order, array( 'ASC', 'DESC' ) ) )
+ $sort_order = 'ASC';
+
 $query = "SELECT * FROM $wpdb->posts $join WHERE ($where_post_type) $where ";
 $query .= $author_query;
 $query .= " ORDER BY " . $sort_column . " " . $sort_order ;
diff --git a/wp-includes/wp-db.php b/wp-includes/wp-db.php
index d9e7086581..a90c2814d0 100644
--- a/wp-includes/wp-db.php
+++ b/wp-includes/wp-db.php
@@ -644,6 +644,7 @@ class wpdb {
 if ( is_multisite() ) {
 if ( null === $blog_id )
 $blog_id = $this->blogid;
+ $blog_id = (int) $blog_id;
 if ( defined( 'MULTISITE' ) && ( 0 == $blog_id || 1 == $blog_id ) )
 return $this->base_prefix;
 else
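Review bot: `in_array( $orderby, $allowed_keys )` in the `foreach` uses loose comparison; with the current fixed list of non-numeric strings this happens to be safe, but an allow-list that guards an `ORDER BY` fragment should compare strictly so a later addition cannot weaken it: `if ( !in_array( $orderby, $allowed_keys, true ) )`. The `$sort_order` check does not trim, so `' desc'` is silently replaced by `ASC`; `$sort_order = strtoupper( trim( $sort_order ) );` would match the trimming already done for `$orderby`. Unknown keys are dropped without notice and the `post_title` fallback applies only when none survive, which deserves a comment such as `// Allow-list $sort_column/$sort_order before they are interpolated into ORDER BY; unrecognised keys are discarded.` Where `$sort_column` and `$sort_order` originate is outside the hunk (presumably the parsed `$args`), and `get_pages()` continues past it.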
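Review bot: The new `(int)` cast turns a non-numeric `$blog_id` (e.g. a garbage string) into `0`, which the very next line treats as the main site and returns `$this->base_prefix`, so an invalid id now silently resolves to the base tables instead of producing an obviously wrong prefix. If that is intended it should be stated, e.g. `// Cast so only a bare integer is ever used to build a table prefix; non-numeric input collapses to 0 and maps to the base prefix.`; if not, reject before casting with something like `if ( ! is_numeric( $blog_id ) ) return false;`. The method is cut at both edges of the hunk, so how the cast value is used in the `else` branch (presumably concatenated into a prefix) is not visible here.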