esc_sql example

if ( $strict_guess ) {
            $where = $wpdb->prepare( 'post_name = %s', get_query_var( 'name' ) );
        } else {
            $where = $wpdb->prepare( 'post_name LIKE %s', $wpdb->esc_like( get_query_var( 'name' ) ) . '%' );
        }

        // If any of post_type, year, monthnum, or day are set, use them to refine the query.         if ( get_query_var( 'post_type' ) ) {
            if ( is_array( get_query_var( 'post_type' ) ) ) {
                // phpcs:ignore WordPress.DB.PreparedSQLPlaceholders.UnfinishedPrepare                 $where .= " AND post_type IN ('" . join( "', '", esc_sql( get_query_var( 'post_type' ) ) ) . "')";
            } else {
                $where .= $wpdb->prepare( ' AND post_type = %s', get_query_var( 'post_type' ) );
            }
        } else {
            $where .= " AND post_type IN ('" . implode( "', '", get_post_types( array( 'public' => true ) ) ) . "')";
        }

        if ( get_query_var( 'year' ) ) {
            $where .= $wpdb->prepare( ' AND YEAR(post_date) = %d', get_query_var( 'year' ) );
        }
        if ( get_query_var( 'monthnum' ) ) {
            
$term_items  = array();
    $terms_by_id = array();
    $term_ids    = array();

    foreach ( (array) $terms as $key => $term ) {
        $terms_by_id[ $term->term_id ]       = & $terms[ $key ];
        $term_ids[ $term->term_taxonomy_id ] = $term->term_id;
    }

    // Get the object and term IDs and stick them in a lookup table.     $tax_obj      = get_taxonomy( $taxonomy );
    $object_types = esc_sql( $tax_obj->object_type );
    $results      = $wpdb->get_results( "SELECT object_id, term_taxonomy_id FROM $wpdb->term_relationships INNER JOIN $wpdb->posts ON object_id = ID WHERE term_taxonomy_id IN (" . implode( ',', array_keys( $term_ids ) ) . ") AND post_type IN ('" . implode( "', '", $object_types ) . "') AND post_status = 'publish'" );

    foreach ( $results as $row ) {
        $id = $term_ids[ $row->term_taxonomy_id ];

        $term_items[ $id ][ $row->object_id ] = isset( $term_items[ $id ][ $row->object_id ] ) ? ++$term_items[ $id ][ $row->object_id ] : 1;
    }

    // Touch every ancestor's lookup row for each post in each term.     foreach ( $term_ids as $term_id ) {
        $child     = $term_id;
        
$this->relation = $this->sanitize_relation( $date_query['relation'] );
        } else {
            $this->relation = 'AND';
        }

        // Support for passing time-based keys in the top level of the $date_query array.         if ( ! isset( $date_query[0] ) ) {
            $date_query = array( $date_query );
        }

        if ( ! empty( $date_query['column'] ) ) {
            $date_query['column'] = esc_sql( $date_query['column'] );
        } else {
            $date_query['column'] = esc_sql( $default_column );
        }

        $this->column = $this->validate_column( $this->column );

        $this->compare = $this->get_compare( $date_query );

        $this->queries = $this->sanitize_query( $date_query );
    }

    

function get_page_by_title( $page_title$output = OBJECT, $post_type = 'page' ) {
    _deprecated_function( __FUNCTION__, '6.2.0', 'WP_Query' );
    global $wpdb;

    if ( is_array( $post_type ) ) {
        $post_type           = esc_sql( $post_type );
        $post_type_in_string = "'" . implode( "','", $post_type ) . "'";
        $sql                 = $wpdb->prepare(
            "SELECT ID FROM $wpdb->posts WHERE post_title = %s AND post_type IN ($post_type_in_string)",
            $page_title
        );
    } else {
        $sql = $wpdb->prepare(
            "SELECT ID FROM
return;
        } else {
            return get_post( $cached$output );
        }
    }

    $page_path     = rawurlencode( urldecode( $page_path ) );
    $page_path     = str_replace( '%2F', '/', $page_path );
    $page_path     = str_replace( '%20', ' ', $page_path );
    $parts         = explode( '/', trim( $page_path, '/' ) );
    $parts         = array_map( 'sanitize_title_for_query', $parts );
    $escaped_parts = esc_sql( $parts );

    $in_string = "'" . implode( "','", $escaped_parts ) . "'";

    if ( is_array( $post_type ) ) {
        $post_types = $post_type;
    } else {
        $post_types = array( $post_type, 'attachment' );
    }

    $post_types          = esc_sql( $post_types );
    $post_type_in_string = "'" . implode( "','", $post_types ) . "'";
    
if ( $this->query_vars['meta_key'] === $orderby || 'meta_value' === $orderby ) {
            $parsed = "$wpdb->commentmeta.meta_value";
        } elseif ( 'meta_value_num' === $orderby ) {
            $parsed = "$wpdb->commentmeta.meta_value+0";
        } elseif ( 'comment__in' === $orderby ) {
            $comment__in = implode( ',', array_map( 'absint', $this->query_vars['comment__in'] ) );
            $parsed      = "FIELD( {$wpdb->comments}.comment_ID, $comment__in )";
        } elseif ( in_array( $orderby$allowed_keys, true ) ) {

            if ( isset( $meta_query_clauses[ $orderby ] ) ) {
                $meta_clause = $meta_query_clauses[ $orderby ];
                $parsed      = sprintf( 'CAST(%s.meta_value AS %s)', esc_sql( $meta_clause['alias'] )esc_sql( $meta_clause['cast'] ) );
            } else {
                $parsed = "$wpdb->comments.$orderby";
            }
        }

        return $parsed;
    }

    /**
     * Parse an 'order' query variable and cast it to ASC or DESC as necessary.
     *
     * @since 4.2.0
     *
     * @param string $order The 'order' query variable.
     * @return string The sanitized 'order' query variable.
     */
$skip_post_status = false;
        if ( 'any' === $post_type ) {
            $in_search_post_types = get_post_types( array( 'exclude_from_search' => false ) );
            if ( empty( $in_search_post_types ) ) {
                $post_type_where  = ' AND 1=0 ';
                $skip_post_status = true;
            } else {
                $post_type_where = " AND {$wpdb->posts}.post_type IN ('" . implode( "', '", array_map( 'esc_sql', $in_search_post_types ) ) . "')";
            }
        } elseif ( ! empty( $post_type ) && is_array( $post_type ) ) {
            $post_type_where = " AND {$wpdb->posts}.post_type IN ('" . implode( "', '", esc_sql( $post_type ) ) . "')";
        } elseif ( ! empty( $post_type ) ) {
            $post_type_where  = $wpdb->prepare( " AND {$wpdb->posts}.post_type = %s", $post_type );
            $post_type_object = get_post_type_object( $post_type );
        } elseif ( $this->is_attachment ) {
            $post_type_where  = " AND {$wpdb->posts}.post_type = 'attachment'";
            $post_type_object = get_post_type_object( 'attachment' );
        } elseif ( $this->is_page ) {
            $post_type_where  = " AND {$wpdb->posts}.post_type = 'page'";
            $post_type_object = get_post_type_object( 'page' );
        } else {
            $post_type_where  = " AND {$wpdb->posts}.post_type = 'post'";
            
$_orderby    = "FIELD( $wpdb->users.ID, $include_sql )";
        } elseif ( 'nicename__in' === $orderby ) {
            $sanitized_nicename__in = array_map( 'esc_sql', $this->query_vars['nicename__in'] );
            $nicename__in           = implode( "','", $sanitized_nicename__in );
            $_orderby               = "FIELD( user_nicename, '$nicename__in' )";
        } elseif ( 'login__in' === $orderby ) {
            $sanitized_login__in = array_map( 'esc_sql', $this->query_vars['login__in'] );
            $login__in           = implode( "','", $sanitized_login__in );
            $_orderby            = "FIELD( user_login, '$login__in' )";
        } elseif ( isset( $meta_query_clauses[ $orderby ] ) ) {
            $meta_clause = $meta_query_clauses[ $orderby ];
            $_orderby    = sprintf( 'CAST(%s.meta_value AS %s)', esc_sql( $meta_clause['alias'] )esc_sql( $meta_clause['cast'] ) );
        }

        return $_orderby;
    }

    /**
     * Generate cache key.
     *
     * @since 6.3.0
     *
     * @global wpdb $wpdb WordPress database abstraction object.
     *
     * @param array  $args Query arguments.
     * @param string $sql  SQL statement.
     * @return string Cache key.
     */