[wp-trac] [WordPress Trac] #25775: WP_Date_Query table prefixing
WordPress Trac
noreply at wordpress.org
Tue Oct 7 20:37:22 UTC 2014
#25775: WP_Date_Query table prefixing
-------------------------------------+------------------
Reporter: ew_holmes | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 4.1
Component: Query | Version: 3.7
Severity: major | Resolution:
Keywords: has-patch needs-testing | Focuses:
-------------------------------------+------------------
Comment (by boonebgorges):
Replying to [comment:32 Viper007Bond]:
> Thanks for your work on this! :)
>
> One quick question: why set `$dotpos` if you aren't going to use it? Why
not just do `false === strpos( $column, '.' )` ?
Whoops - this was a remnant of a different strategy I'd tried. Fixed in
[attachment:25775.2.patch].
Viper007Bond and others - I'd like some feedback on the following:
1. Does the patch deal adequately with the situations listed above? Does
it resolve the original problem of taxonomy/meta JOINs? Does it maintain
compatibility with real-world uses of the 'date_query_valid_columns'
filter that you're familiar with? I think the unit tests show that it does
all of these things, but a sanity check would be nice.
2. The one potential downside of my approach is that `validate_column()`
does a bit less than it did before. It used to be that you could
circumvent its logic only by filtering 'date_query_valid_columns'. Now you
can also pass a table-prefixed value. Do we care? Note that we are
*sanitizing* the value (ie against SQL injection). The "validation" in
question is merely a developer service: we try to make sure that no one
attempts to do a date_query against an incompatible column. My personal
opinion is that it's actually *better* to do less validation, because it
means that passing a bad column name will result in SQL errors rather than
mysteriously falling back to the value of 'post_date', which might
silently return unintended results. So, with my patch, the real purpose of
the method is not so much validation as it is convenience: it allows you
to pass merely 'post_date' instead of requiring you to concatenate
`$wpdb->posts . '.post_date'`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/25775#comment:33>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list