[ Index ] |
PHP Cross Reference of WordPress Trunk (Updated Daily) |
[Summary view] [Print] [Text view]
1 <?php 2 /** 3 * WordPress database access abstraction class. 4 * 5 * Original code from {@link http://php.justinvincent.com Justin Vincent (justin@visunet.ie)} 6 * 7 * @package WordPress 8 * @subpackage Database 9 * @since 0.71 10 */ 11 12 /** 13 * @since 0.71 14 */ 15 define( 'EZSQL_VERSION', 'WP1.25' ); 16 17 /** 18 * @since 0.71 19 */ 20 define( 'OBJECT', 'OBJECT' ); 21 // phpcs:ignore Generic.NamingConventions.UpperCaseConstantName.ConstantNotUpperCase 22 define( 'object', 'OBJECT' ); // Back compat. 23 24 /** 25 * @since 2.5.0 26 */ 27 define( 'OBJECT_K', 'OBJECT_K' ); 28 29 /** 30 * @since 0.71 31 */ 32 define( 'ARRAY_A', 'ARRAY_A' ); 33 34 /** 35 * @since 0.71 36 */ 37 define( 'ARRAY_N', 'ARRAY_N' ); 38 39 /** 40 * WordPress database access abstraction class. 41 * 42 * This class is used to interact with a database without needing to use raw SQL statements. 43 * By default, WordPress uses this class to instantiate the global $wpdb object, providing 44 * access to the WordPress database. 45 * 46 * It is possible to replace this class with your own by setting the $wpdb global variable 47 * in wp-content/db.php file to your class. The wpdb class will still be included, so you can 48 * extend it or simply use your own. 49 * 50 * @link https://developer.wordpress.org/reference/classes/wpdb/ 51 * 52 * @since 0.71 53 */ 54 #[AllowDynamicProperties] 55 class wpdb { 56 57 /** 58 * Whether to show SQL/DB errors. 59 * 60 * Default is to show errors if both WP_DEBUG and WP_DEBUG_DISPLAY evaluate to true. 61 * 62 * @since 0.71 63 * 64 * @var bool 65 */ 66 public $show_errors = false; 67 68 /** 69 * Whether to suppress errors during the DB bootstrapping. Default false. 70 * 71 * @since 2.5.0 72 * 73 * @var bool 74 */ 75 public $suppress_errors = false; 76 77 /** 78 * The error encountered during the last query. 79 * 80 * @since 2.5.0 81 * 82 * @var string 83 */ 84 public $last_error = ''; 85 86 /** 87 * The number of queries made. 88 * 89 * @since 1.2.0 90 * 91 * @var int 92 */ 93 public $num_queries = 0; 94 95 /** 96 * Count of rows returned by the last query. 97 * 98 * @since 0.71 99 * 100 * @var int 101 */ 102 public $num_rows = 0; 103 104 /** 105 * Count of rows affected by the last query. 106 * 107 * @since 0.71 108 * 109 * @var int 110 */ 111 public $rows_affected = 0; 112 113 /** 114 * The ID generated for an AUTO_INCREMENT column by the last query (usually INSERT). 115 * 116 * @since 0.71 117 * 118 * @var int 119 */ 120 public $insert_id = 0; 121 122 /** 123 * The last query made. 124 * 125 * @since 0.71 126 * 127 * @var string 128 */ 129 public $last_query; 130 131 /** 132 * Results of the last query. 133 * 134 * @since 0.71 135 * 136 * @var stdClass[]|null 137 */ 138 public $last_result; 139 140 /** 141 * Database query result. 142 * 143 * Possible values: 144 * 145 * - `mysqli_result` instance for successful SELECT, SHOW, DESCRIBE, or EXPLAIN queries 146 * - `true` for other query types that were successful 147 * - `null` if a query is yet to be made or if the result has since been flushed 148 * - `false` if the query returned an error 149 * 150 * @since 0.71 151 * 152 * @var mysqli_result|bool|null 153 */ 154 protected $result; 155 156 /** 157 * Cached column info, for confidence checking data before inserting. 158 * 159 * @since 4.2.0 160 * 161 * @var array 162 */ 163 protected $col_meta = array(); 164 165 /** 166 * Calculated character sets keyed by table name. 167 * 168 * @since 4.2.0 169 * 170 * @var string[] 171 */ 172 protected $table_charset = array(); 173 174 /** 175 * Whether text fields in the current query need to be confidence checked. 176 * 177 * @since 4.2.0 178 * 179 * @var bool 180 */ 181 protected $check_current_query = true; 182 183 /** 184 * Flag to ensure we don't run into recursion problems when checking the collation. 185 * 186 * @since 4.2.0 187 * 188 * @see wpdb::check_safe_collation() 189 * @var bool 190 */ 191 private $checking_collation = false; 192 193 /** 194 * Saved info on the table column. 195 * 196 * @since 0.71 197 * 198 * @var array 199 */ 200 protected $col_info; 201 202 /** 203 * Log of queries that were executed, for debugging purposes. 204 * 205 * @since 1.5.0 206 * @since 2.5.0 The third element in each query log was added to record the calling functions. 207 * @since 5.1.0 The fourth element in each query log was added to record the start time. 208 * @since 5.3.0 The fifth element in each query log was added to record custom data. 209 * 210 * @var array[] { 211 * Array of arrays containing information about queries that were executed. 212 * 213 * @type array ...$0 { 214 * Data for each query. 215 * 216 * @type string $0 The query's SQL. 217 * @type float $1 Total time spent on the query, in seconds. 218 * @type string $2 Comma-separated list of the calling functions. 219 * @type float $3 Unix timestamp of the time at the start of the query. 220 * @type array $4 Custom query data. 221 * } 222 * } 223 */ 224 public $queries; 225 226 /** 227 * The number of times to retry reconnecting before dying. Default 5. 228 * 229 * @since 3.9.0 230 * 231 * @see wpdb::check_connection() 232 * @var int 233 */ 234 protected $reconnect_retries = 5; 235 236 /** 237 * WordPress table prefix. 238 * 239 * You can set this to have multiple WordPress installations in a single database. 240 * The second reason is for possible security precautions. 241 * 242 * @since 2.5.0 243 * 244 * @var string 245 */ 246 public $prefix = ''; 247 248 /** 249 * WordPress base table prefix. 250 * 251 * @since 3.0.0 252 * 253 * @var string 254 */ 255 public $base_prefix; 256 257 /** 258 * Whether the database queries are ready to start executing. 259 * 260 * @since 2.3.2 261 * 262 * @var bool 263 */ 264 public $ready = false; 265 266 /** 267 * Blog ID. 268 * 269 * @since 3.0.0 270 * 271 * @var int 272 */ 273 public $blogid = 0; 274 275 /** 276 * Site ID. 277 * 278 * @since 3.0.0 279 * 280 * @var int 281 */ 282 public $siteid = 0; 283 284 /** 285 * List of WordPress per-site tables. 286 * 287 * @since 2.5.0 288 * 289 * @see wpdb::tables() 290 * @var string[] 291 */ 292 public $tables = array( 293 'posts', 294 'comments', 295 'links', 296 'options', 297 'postmeta', 298 'terms', 299 'term_taxonomy', 300 'term_relationships', 301 'termmeta', 302 'commentmeta', 303 ); 304 305 /** 306 * List of deprecated WordPress tables. 307 * 308 * 'categories', 'post2cat', and 'link2cat' were deprecated in 2.3.0, db version 5539. 309 * 310 * @since 2.9.0 311 * 312 * @see wpdb::tables() 313 * @var string[] 314 */ 315 public $old_tables = array( 'categories', 'post2cat', 'link2cat' ); 316 317 /** 318 * List of WordPress global tables. 319 * 320 * @since 3.0.0 321 * 322 * @see wpdb::tables() 323 * @var string[] 324 */ 325 public $global_tables = array( 'users', 'usermeta' ); 326 327 /** 328 * List of Multisite global tables. 329 * 330 * @since 3.0.0 331 * 332 * @see wpdb::tables() 333 * @var string[] 334 */ 335 public $ms_global_tables = array( 336 'blogs', 337 'blogmeta', 338 'signups', 339 'site', 340 'sitemeta', 341 'registration_log', 342 ); 343 344 /** 345 * List of deprecated WordPress Multisite global tables. 346 * 347 * @since 6.1.0 348 * 349 * @see wpdb::tables() 350 * @var string[] 351 */ 352 public $old_ms_global_tables = array( 'sitecategories' ); 353 354 /** 355 * WordPress Comments table. 356 * 357 * @since 1.5.0 358 * 359 * @var string 360 */ 361 public $comments; 362 363 /** 364 * WordPress Comment Metadata table. 365 * 366 * @since 2.9.0 367 * 368 * @var string 369 */ 370 public $commentmeta; 371 372 /** 373 * WordPress Links table. 374 * 375 * @since 1.5.0 376 * 377 * @var string 378 */ 379 public $links; 380 381 /** 382 * WordPress Options table. 383 * 384 * @since 1.5.0 385 * 386 * @var string 387 */ 388 public $options; 389 390 /** 391 * WordPress Post Metadata table. 392 * 393 * @since 1.5.0 394 * 395 * @var string 396 */ 397 public $postmeta; 398 399 /** 400 * WordPress Posts table. 401 * 402 * @since 1.5.0 403 * 404 * @var string 405 */ 406 public $posts; 407 408 /** 409 * WordPress Terms table. 410 * 411 * @since 2.3.0 412 * 413 * @var string 414 */ 415 public $terms; 416 417 /** 418 * WordPress Term Relationships table. 419 * 420 * @since 2.3.0 421 * 422 * @var string 423 */ 424 public $term_relationships; 425 426 /** 427 * WordPress Term Taxonomy table. 428 * 429 * @since 2.3.0 430 * 431 * @var string 432 */ 433 public $term_taxonomy; 434 435 /** 436 * WordPress Term Meta table. 437 * 438 * @since 4.4.0 439 * 440 * @var string 441 */ 442 public $termmeta; 443 444 // 445 // Global and Multisite tables 446 // 447 448 /** 449 * WordPress User Metadata table. 450 * 451 * @since 2.3.0 452 * 453 * @var string 454 */ 455 public $usermeta; 456 457 /** 458 * WordPress Users table. 459 * 460 * @since 1.5.0 461 * 462 * @var string 463 */ 464 public $users; 465 466 /** 467 * Multisite Blogs table. 468 * 469 * @since 3.0.0 470 * 471 * @var string 472 */ 473 public $blogs; 474 475 /** 476 * Multisite Blog Metadata table. 477 * 478 * @since 5.1.0 479 * 480 * @var string 481 */ 482 public $blogmeta; 483 484 /** 485 * Multisite Registration Log table. 486 * 487 * @since 3.0.0 488 * 489 * @var string 490 */ 491 public $registration_log; 492 493 /** 494 * Multisite Signups table. 495 * 496 * @since 3.0.0 497 * 498 * @var string 499 */ 500 public $signups; 501 502 /** 503 * Multisite Sites table. 504 * 505 * @since 3.0.0 506 * 507 * @var string 508 */ 509 public $site; 510 511 /** 512 * Multisite Sitewide Terms table. 513 * 514 * @since 3.0.0 515 * 516 * @var string 517 */ 518 public $sitecategories; 519 520 /** 521 * Multisite Site Metadata table. 522 * 523 * @since 3.0.0 524 * 525 * @var string 526 */ 527 public $sitemeta; 528 529 /** 530 * Format specifiers for DB columns. 531 * 532 * Columns not listed here default to %s. Initialized during WP load. 533 * Keys are column names, values are format types: 'ID' => '%d'. 534 * 535 * @since 2.8.0 536 * 537 * @see wpdb::prepare() 538 * @see wpdb::insert() 539 * @see wpdb::update() 540 * @see wpdb::delete() 541 * @see wp_set_wpdb_vars() 542 * @var array 543 */ 544 public $field_types = array(); 545 546 /** 547 * Database table columns charset. 548 * 549 * @since 2.2.0 550 * 551 * @var string 552 */ 553 public $charset; 554 555 /** 556 * Database table columns collate. 557 * 558 * @since 2.2.0 559 * 560 * @var string 561 */ 562 public $collate; 563 564 /** 565 * Database Username. 566 * 567 * @since 2.9.0 568 * 569 * @var string 570 */ 571 protected $dbuser; 572 573 /** 574 * Database Password. 575 * 576 * @since 3.1.0 577 * 578 * @var string 579 */ 580 protected $dbpassword; 581 582 /** 583 * Database Name. 584 * 585 * @since 3.1.0 586 * 587 * @var string 588 */ 589 protected $dbname; 590 591 /** 592 * Database Host. 593 * 594 * @since 3.1.0 595 * 596 * @var string 597 */ 598 protected $dbhost; 599 600 /** 601 * Database handle. 602 * 603 * Possible values: 604 * 605 * - `mysqli` instance during normal operation 606 * - `null` if the connection is yet to be made or has been closed 607 * - `false` if the connection has failed 608 * 609 * @since 0.71 610 * 611 * @var mysqli|false|null 612 */ 613 protected $dbh; 614 615 /** 616 * A textual description of the last query/get_row/get_var call. 617 * 618 * @since 3.0.0 619 * 620 * @var string 621 */ 622 public $func_call; 623 624 /** 625 * Whether MySQL is used as the database engine. 626 * 627 * Set in wpdb::db_connect() to true, by default. This is used when checking 628 * against the required MySQL version for WordPress. Normally, a replacement 629 * database drop-in (db.php) will skip these checks, but setting this to true 630 * will force the checks to occur. 631 * 632 * @since 3.3.0 633 * 634 * @var bool 635 */ 636 public $is_mysql = null; 637 638 /** 639 * A list of incompatible SQL modes. 640 * 641 * @since 3.9.0 642 * 643 * @var string[] 644 */ 645 protected $incompatible_modes = array( 646 'NO_ZERO_DATE', 647 'ONLY_FULL_GROUP_BY', 648 'STRICT_TRANS_TABLES', 649 'STRICT_ALL_TABLES', 650 'TRADITIONAL', 651 'ANSI', 652 ); 653 654 /** 655 * Backward compatibility, where wpdb::prepare() has not quoted formatted/argnum placeholders. 656 * 657 * This is often used for table/field names (before %i was supported), and sometimes string formatting, e.g. 658 * 659 * $wpdb->prepare( 'WHERE `%1$s` = "%2$s something %3$s" OR %1$s = "%4$-10s"', 'field_1', 'a', 'b', 'c' ); 660 * 661 * But it's risky, e.g. forgetting to add quotes, resulting in SQL Injection vulnerabilities: 662 * 663 * $wpdb->prepare( 'WHERE (id = %1s) OR (id = %2$s)', $_GET['id'], $_GET['id'] ); // ?id=id 664 * 665 * This feature is preserved while plugin authors update their code to use safer approaches: 666 * 667 * $_GET['key'] = 'a`b'; 668 * 669 * $wpdb->prepare( 'WHERE %1s = %s', $_GET['key'], $_GET['value'] ); // WHERE a`b = 'value' 670 * $wpdb->prepare( 'WHERE `%1$s` = "%2$s"', $_GET['key'], $_GET['value'] ); // WHERE `a`b` = "value" 671 * 672 * $wpdb->prepare( 'WHERE %i = %s', $_GET['key'], $_GET['value'] ); // WHERE `a``b` = 'value' 673 * 674 * While changing to false will be fine for queries not using formatted/argnum placeholders, 675 * any remaining cases are most likely going to result in SQL errors (good, in a way): 676 * 677 * $wpdb->prepare( 'WHERE %1$s = "%2$-10s"', 'my_field', 'my_value' ); 678 * true = WHERE my_field = "my_value " 679 * false = WHERE 'my_field' = "'my_value '" 680 * 681 * But there may be some queries that result in an SQL Injection vulnerability: 682 * 683 * $wpdb->prepare( 'WHERE id = %1$s', $_GET['id'] ); // ?id=id 684 * 685 * So there may need to be a `_doing_it_wrong()` phase, after we know everyone can use 686 * identifier placeholders (%i), but before this feature is disabled or removed. 687 * 688 * @since 6.2.0 689 * @var bool 690 */ 691 private $allow_unsafe_unquoted_parameters = true; 692 693 /** 694 * Whether to use the mysqli extension over mysql. This is no longer used as the mysql 695 * extension is no longer supported. 696 * 697 * Default true. 698 * 699 * @since 3.9.0 700 * @since 6.4.0 This property was removed. 701 * @since 6.4.1 This property was reinstated and its default value was changed to true. 702 * The property is no longer used in core but may be accessed externally. 703 * 704 * @var bool 705 */ 706 private $use_mysqli = true; 707 708 /** 709 * Whether we've managed to successfully connect at some point. 710 * 711 * @since 3.9.0 712 * 713 * @var bool 714 */ 715 private $has_connected = false; 716 717 /** 718 * Time when the last query was performed. 719 * 720 * Only set when `SAVEQUERIES` is defined and truthy. 721 * 722 * @since 1.5.0 723 * 724 * @var float 725 */ 726 public $time_start = null; 727 728 /** 729 * The last SQL error that was encountered. 730 * 731 * @since 2.5.0 732 * 733 * @var WP_Error|string 734 */ 735 public $error = null; 736 737 /** 738 * Connects to the database server and selects a database. 739 * 740 * Does the actual setting up 741 * of the class properties and connection to the database. 742 * 743 * @since 2.0.8 744 * 745 * @link https://core.trac.wordpress.org/ticket/3354 746 * 747 * @param string $dbuser Database user. 748 * @param string $dbpassword Database password. 749 * @param string $dbname Database name. 750 * @param string $dbhost Database host. 751 */ 752 public function __construct( $dbuser, $dbpassword, $dbname, $dbhost ) { 753 if ( WP_DEBUG && WP_DEBUG_DISPLAY ) { 754 $this->show_errors(); 755 } 756 757 $this->dbuser = $dbuser; 758 $this->dbpassword = $dbpassword; 759 $this->dbname = $dbname; 760 $this->dbhost = $dbhost; 761 762 // wp-config.php creation will manually connect when ready. 763 if ( defined( 'WP_SETUP_CONFIG' ) ) { 764 return; 765 } 766 767 $this->db_connect(); 768 } 769 770 /** 771 * Makes private properties readable for backward compatibility. 772 * 773 * @since 3.5.0 774 * 775 * @param string $name The private member to get, and optionally process. 776 * @return mixed The private member. 777 */ 778 public function __get( $name ) { 779 if ( 'col_info' === $name ) { 780 $this->load_col_info(); 781 } 782 783 return $this->$name; 784 } 785 786 /** 787 * Makes private properties settable for backward compatibility. 788 * 789 * @since 3.5.0 790 * 791 * @param string $name The private member to set. 792 * @param mixed $value The value to set. 793 */ 794 public function __set( $name, $value ) { 795 $protected_members = array( 796 'col_meta', 797 'table_charset', 798 'check_current_query', 799 'allow_unsafe_unquoted_parameters', 800 ); 801 if ( in_array( $name, $protected_members, true ) ) { 802 return; 803 } 804 $this->$name = $value; 805 } 806 807 /** 808 * Makes private properties check-able for backward compatibility. 809 * 810 * @since 3.5.0 811 * 812 * @param string $name The private member to check. 813 * @return bool If the member is set or not. 814 */ 815 public function __isset( $name ) { 816 return isset( $this->$name ); 817 } 818 819 /** 820 * Makes private properties un-settable for backward compatibility. 821 * 822 * @since 3.5.0 823 * 824 * @param string $name The private member to unset 825 */ 826 public function __unset( $name ) { 827 unset( $this->$name ); 828 } 829 830 /** 831 * Sets $this->charset and $this->collate. 832 * 833 * @since 3.1.0 834 */ 835 public function init_charset() { 836 $charset = ''; 837 $collate = ''; 838 839 if ( function_exists( 'is_multisite' ) && is_multisite() ) { 840 $charset = 'utf8'; 841 if ( defined( 'DB_COLLATE' ) && DB_COLLATE ) { 842 $collate = DB_COLLATE; 843 } else { 844 $collate = 'utf8_general_ci'; 845 } 846 } elseif ( defined( 'DB_COLLATE' ) ) { 847 $collate = DB_COLLATE; 848 } 849 850 if ( defined( 'DB_CHARSET' ) ) { 851 $charset = DB_CHARSET; 852 } 853 854 $charset_collate = $this->determine_charset( $charset, $collate ); 855 856 $this->charset = $charset_collate['charset']; 857 $this->collate = $charset_collate['collate']; 858 } 859 860 /** 861 * Determines the best charset and collation to use given a charset and collation. 862 * 863 * For example, when able, utf8mb4 should be used instead of utf8. 864 * 865 * @since 4.6.0 866 * 867 * @param string $charset The character set to check. 868 * @param string $collate The collation to check. 869 * @return array { 870 * The most appropriate character set and collation to use. 871 * 872 * @type string $charset Character set. 873 * @type string $collate Collation. 874 * } 875 */ 876 public function determine_charset( $charset, $collate ) { 877 if ( ( ! ( $this->dbh instanceof mysqli ) ) || empty( $this->dbh ) ) { 878 return compact( 'charset', 'collate' ); 879 } 880 881 if ( 'utf8' === $charset ) { 882 $charset = 'utf8mb4'; 883 } 884 885 if ( 'utf8mb4' === $charset ) { 886 // _general_ is outdated, so we can upgrade it to _unicode_, instead. 887 if ( ! $collate || 'utf8_general_ci' === $collate ) { 888 $collate = 'utf8mb4_unicode_ci'; 889 } else { 890 $collate = str_replace( 'utf8_', 'utf8mb4_', $collate ); 891 } 892 } 893 894 // _unicode_520_ is a better collation, we should use that when it's available. 895 if ( $this->has_cap( 'utf8mb4_520' ) && 'utf8mb4_unicode_ci' === $collate ) { 896 $collate = 'utf8mb4_unicode_520_ci'; 897 } 898 899 return compact( 'charset', 'collate' ); 900 } 901 902 /** 903 * Sets the connection's character set. 904 * 905 * @since 3.1.0 906 * 907 * @param mysqli $dbh The connection returned by `mysqli_connect()`. 908 * @param string $charset Optional. The character set. Default null. 909 * @param string $collate Optional. The collation. Default null. 910 */ 911 public function set_charset( $dbh, $charset = null, $collate = null ) { 912 if ( ! isset( $charset ) ) { 913 $charset = $this->charset; 914 } 915 if ( ! isset( $collate ) ) { 916 $collate = $this->collate; 917 } 918 if ( $this->has_cap( 'collation' ) && ! empty( $charset ) ) { 919 $set_charset_succeeded = true; 920 921 if ( function_exists( 'mysqli_set_charset' ) && $this->has_cap( 'set_charset' ) ) { 922 $set_charset_succeeded = mysqli_set_charset( $dbh, $charset ); 923 } 924 925 if ( $set_charset_succeeded ) { 926 $query = $this->prepare( 'SET NAMES %s', $charset ); 927 if ( ! empty( $collate ) ) { 928 $query .= $this->prepare( ' COLLATE %s', $collate ); 929 } 930 mysqli_query( $dbh, $query ); 931 } 932 } 933 } 934 935 /** 936 * Changes the current SQL mode, and ensures its WordPress compatibility. 937 * 938 * If no modes are passed, it will ensure the current MySQL server modes are compatible. 939 * 940 * @since 3.9.0 941 * 942 * @param array $modes Optional. A list of SQL modes to set. Default empty array. 943 */ 944 public function set_sql_mode( $modes = array() ) { 945 if ( empty( $modes ) ) { 946 $res = mysqli_query( $this->dbh, 'SELECT @@SESSION.sql_mode' ); 947 948 if ( empty( $res ) ) { 949 return; 950 } 951 952 $modes_array = mysqli_fetch_array( $res ); 953 954 if ( empty( $modes_array[0] ) ) { 955 return; 956 } 957 958 $modes_str = $modes_array[0]; 959 960 if ( empty( $modes_str ) ) { 961 return; 962 } 963 964 $modes = explode( ',', $modes_str ); 965 } 966 967 $modes = array_change_key_case( $modes, CASE_UPPER ); 968 969 /** 970 * Filters the list of incompatible SQL modes to exclude. 971 * 972 * @since 3.9.0 973 * 974 * @param array $incompatible_modes An array of incompatible modes. 975 */ 976 $incompatible_modes = (array) apply_filters( 'incompatible_sql_modes', $this->incompatible_modes ); 977 978 foreach ( $modes as $i => $mode ) { 979 if ( in_array( $mode, $incompatible_modes, true ) ) { 980 unset( $modes[ $i ] ); 981 } 982 } 983 984 $modes_str = implode( ',', $modes ); 985 986 mysqli_query( $this->dbh, "SET SESSION sql_mode='$modes_str'" ); 987 } 988 989 /** 990 * Sets the table prefix for the WordPress tables. 991 * 992 * @since 2.5.0 993 * 994 * @param string $prefix Alphanumeric name for the new prefix. 995 * @param bool $set_table_names Optional. Whether the table names, e.g. wpdb::$posts, 996 * should be updated or not. Default true. 997 * @return string|WP_Error Old prefix or WP_Error on error. 998 */ 999 public function set_prefix( $prefix, $set_table_names = true ) { 1000 1001 if ( preg_match( '|[^a-z0-9_]|i', $prefix ) ) { 1002 return new WP_Error( 'invalid_db_prefix', 'Invalid database prefix' ); 1003 } 1004 1005 $old_prefix = is_multisite() ? '' : $prefix; 1006 1007 if ( isset( $this->base_prefix ) ) { 1008 $old_prefix = $this->base_prefix; 1009 } 1010 1011 $this->base_prefix = $prefix; 1012 1013 if ( $set_table_names ) { 1014 foreach ( $this->tables( 'global' ) as $table => $prefixed_table ) { 1015 $this->$table = $prefixed_table; 1016 } 1017 1018 if ( is_multisite() && empty( $this->blogid ) ) { 1019 return $old_prefix; 1020 } 1021 1022 $this->prefix = $this->get_blog_prefix(); 1023 1024 foreach ( $this->tables( 'blog' ) as $table => $prefixed_table ) { 1025 $this->$table = $prefixed_table; 1026 } 1027 1028 foreach ( $this->tables( 'old' ) as $table => $prefixed_table ) { 1029 $this->$table = $prefixed_table; 1030 } 1031 } 1032 return $old_prefix; 1033 } 1034 1035 /** 1036 * Sets blog ID. 1037 * 1038 * @since 3.0.0 1039 * 1040 * @param int $blog_id 1041 * @param int $network_id Optional. Network ID. Default 0. 1042 * @return int Previous blog ID. 1043 */ 1044 public function set_blog_id( $blog_id, $network_id = 0 ) { 1045 if ( ! empty( $network_id ) ) { 1046 $this->siteid = $network_id; 1047 } 1048 1049 $old_blog_id = $this->blogid; 1050 $this->blogid = $blog_id; 1051 1052 $this->prefix = $this->get_blog_prefix(); 1053 1054 foreach ( $this->tables( 'blog' ) as $table => $prefixed_table ) { 1055 $this->$table = $prefixed_table; 1056 } 1057 1058 foreach ( $this->tables( 'old' ) as $table => $prefixed_table ) { 1059 $this->$table = $prefixed_table; 1060 } 1061 1062 return $old_blog_id; 1063 } 1064 1065 /** 1066 * Gets blog prefix. 1067 * 1068 * @since 3.0.0 1069 * 1070 * @param int $blog_id Optional. Blog ID to retrieve the table prefix for. 1071 * Defaults to the current blog ID. 1072 * @return string Blog prefix. 1073 */ 1074 public function get_blog_prefix( $blog_id = null ) { 1075 if ( is_multisite() ) { 1076 if ( null === $blog_id ) { 1077 $blog_id = $this->blogid; 1078 } 1079 1080 $blog_id = (int) $blog_id; 1081 1082 if ( defined( 'MULTISITE' ) && ( 0 === $blog_id || 1 === $blog_id ) ) { 1083 return $this->base_prefix; 1084 } else { 1085 return $this->base_prefix . $blog_id . '_'; 1086 } 1087 } else { 1088 return $this->base_prefix; 1089 } 1090 } 1091 1092 /** 1093 * Returns an array of WordPress tables. 1094 * 1095 * Also allows for the `CUSTOM_USER_TABLE` and `CUSTOM_USER_META_TABLE` to override the WordPress users 1096 * and usermeta tables that would otherwise be determined by the prefix. 1097 * 1098 * The `$scope` argument can take one of the following: 1099 * 1100 * - 'all' - returns 'all' and 'global' tables. No old tables are returned. 1101 * - 'blog' - returns the blog-level tables for the queried blog. 1102 * - 'global' - returns the global tables for the installation, returning multisite tables only on multisite. 1103 * - 'ms_global' - returns the multisite global tables, regardless if current installation is multisite. 1104 * - 'old' - returns tables which are deprecated. 1105 * 1106 * @since 3.0.0 1107 * @since 6.1.0 `old` now includes deprecated multisite global tables only on multisite. 1108 * 1109 * @uses wpdb::$tables 1110 * @uses wpdb::$old_tables 1111 * @uses wpdb::$global_tables 1112 * @uses wpdb::$ms_global_tables 1113 * @uses wpdb::$old_ms_global_tables 1114 * 1115 * @param string $scope Optional. Possible values include 'all', 'global', 'ms_global', 'blog', 1116 * or 'old' tables. Default 'all'. 1117 * @param bool $prefix Optional. Whether to include table prefixes. If blog prefix is requested, 1118 * then the custom users and usermeta tables will be mapped. Default true. 1119 * @param int $blog_id Optional. The blog_id to prefix. Used only when prefix is requested. 1120 * Defaults to `wpdb::$blogid`. 1121 * @return string[] Table names. When a prefix is requested, the key is the unprefixed table name. 1122 */ 1123 public function tables( $scope = 'all', $prefix = true, $blog_id = 0 ) { 1124 switch ( $scope ) { 1125 case 'all': 1126 $tables = array_merge( $this->global_tables, $this->tables ); 1127 if ( is_multisite() ) { 1128 $tables = array_merge( $tables, $this->ms_global_tables ); 1129 } 1130 break; 1131 case 'blog': 1132 $tables = $this->tables; 1133 break; 1134 case 'global': 1135 $tables = $this->global_tables; 1136 if ( is_multisite() ) { 1137 $tables = array_merge( $tables, $this->ms_global_tables ); 1138 } 1139 break; 1140 case 'ms_global': 1141 $tables = $this->ms_global_tables; 1142 break; 1143 case 'old': 1144 $tables = $this->old_tables; 1145 if ( is_multisite() ) { 1146 $tables = array_merge( $tables, $this->old_ms_global_tables ); 1147 } 1148 break; 1149 default: 1150 return array(); 1151 } 1152 1153 if ( $prefix ) { 1154 if ( ! $blog_id ) { 1155 $blog_id = $this->blogid; 1156 } 1157 $blog_prefix = $this->get_blog_prefix( $blog_id ); 1158 $base_prefix = $this->base_prefix; 1159 $global_tables = array_merge( $this->global_tables, $this->ms_global_tables ); 1160 foreach ( $tables as $k => $table ) { 1161 if ( in_array( $table, $global_tables, true ) ) { 1162 $tables[ $table ] = $base_prefix . $table; 1163 } else { 1164 $tables[ $table ] = $blog_prefix . $table; 1165 } 1166 unset( $tables[ $k ] ); 1167 } 1168 1169 if ( isset( $tables['users'] ) && defined( 'CUSTOM_USER_TABLE' ) ) { 1170 $tables['users'] = CUSTOM_USER_TABLE; 1171 } 1172 1173 if ( isset( $tables['usermeta'] ) && defined( 'CUSTOM_USER_META_TABLE' ) ) { 1174 $tables['usermeta'] = CUSTOM_USER_META_TABLE; 1175 } 1176 } 1177 1178 return $tables; 1179 } 1180 1181 /** 1182 * Selects a database using the current or provided database connection. 1183 * 1184 * The database name will be changed based on the current database connection. 1185 * On failure, the execution will bail and display a DB error. 1186 * 1187 * @since 0.71 1188 * 1189 * @param string $db Database name. 1190 * @param mysqli $dbh Optional. Database connection. 1191 * Defaults to the current database handle. 1192 */ 1193 public function select( $db, $dbh = null ) { 1194 if ( is_null( $dbh ) ) { 1195 $dbh = $this->dbh; 1196 } 1197 1198 $success = mysqli_select_db( $dbh, $db ); 1199 1200 if ( ! $success ) { 1201 $this->ready = false; 1202 if ( ! did_action( 'template_redirect' ) ) { 1203 wp_load_translations_early(); 1204 1205 $message = '<h1>' . __( 'Cannot select database' ) . "</h1>\n"; 1206 1207 $message .= '<p>' . sprintf( 1208 /* translators: %s: Database name. */ 1209 __( 'The database server could be connected to (which means your username and password is okay) but the %s database could not be selected.' ), 1210 '<code>' . htmlspecialchars( $db, ENT_QUOTES ) . '</code>' 1211 ) . "</p>\n"; 1212 1213 $message .= "<ul>\n"; 1214 $message .= '<li>' . __( 'Are you sure it exists?' ) . "</li>\n"; 1215 1216 $message .= '<li>' . sprintf( 1217 /* translators: 1: Database user, 2: Database name. */ 1218 __( 'Does the user %1$s have permission to use the %2$s database?' ), 1219 '<code>' . htmlspecialchars( $this->dbuser, ENT_QUOTES ) . '</code>', 1220 '<code>' . htmlspecialchars( $db, ENT_QUOTES ) . '</code>' 1221 ) . "</li>\n"; 1222 1223 $message .= '<li>' . sprintf( 1224 /* translators: %s: Database name. */ 1225 __( 'On some systems the name of your database is prefixed with your username, so it would be like <code>username_%1$s</code>. Could that be the problem?' ), 1226 htmlspecialchars( $db, ENT_QUOTES ) 1227 ) . "</li>\n"; 1228 1229 $message .= "</ul>\n"; 1230 1231 $message .= '<p>' . sprintf( 1232 /* translators: %s: Support forums URL. */ 1233 __( 'If you do not know how to set up a database you should <strong>contact your host</strong>. If all else fails you may find help at the <a href="%s">WordPress support forums</a>.' ), 1234 __( 'https://wordpress.org/support/forums/' ) 1235 ) . "</p>\n"; 1236 1237 $this->bail( $message, 'db_select_fail' ); 1238 } 1239 } 1240 } 1241 1242 /** 1243 * Do not use, deprecated. 1244 * 1245 * Use esc_sql() or wpdb::prepare() instead. 1246 * 1247 * @since 2.8.0 1248 * @deprecated 3.6.0 Use wpdb::prepare() 1249 * @see wpdb::prepare() 1250 * @see esc_sql() 1251 * 1252 * @param string $data 1253 * @return string 1254 */ 1255 public function _weak_escape( $data ) { 1256 if ( func_num_args() === 1 && function_exists( '_deprecated_function' ) ) { 1257 _deprecated_function( __METHOD__, '3.6.0', 'wpdb::prepare() or esc_sql()' ); 1258 } 1259 return addslashes( $data ); 1260 } 1261 1262 /** 1263 * Real escape using mysqli_real_escape_string(). 1264 * 1265 * @since 2.8.0 1266 * 1267 * @see mysqli_real_escape_string() 1268 * 1269 * @param string $data String to escape. 1270 * @return string Escaped string. 1271 */ 1272 public function _real_escape( $data ) { 1273 if ( ! is_scalar( $data ) ) { 1274 return ''; 1275 } 1276 1277 if ( $this->dbh ) { 1278 $escaped = mysqli_real_escape_string( $this->dbh, $data ); 1279 } else { 1280 $class = get_class( $this ); 1281 1282 wp_load_translations_early(); 1283 /* translators: %s: Database access abstraction class, usually wpdb or a class extending wpdb. */ 1284 _doing_it_wrong( $class, sprintf( __( '%s must set a database connection for use with escaping.' ), $class ), '3.6.0' ); 1285 1286 $escaped = addslashes( $data ); 1287 } 1288 1289 return $this->add_placeholder_escape( $escaped ); 1290 } 1291 1292 /** 1293 * Escapes data. Works on arrays. 1294 * 1295 * @since 2.8.0 1296 * 1297 * @uses wpdb::_real_escape() 1298 * 1299 * @param string|array $data Data to escape. 1300 * @return string|array Escaped data, in the same type as supplied. 1301 */ 1302 public function _escape( $data ) { 1303 if ( is_array( $data ) ) { 1304 foreach ( $data as $k => $v ) { 1305 if ( is_array( $v ) ) { 1306 $data[ $k ] = $this->_escape( $v ); 1307 } else { 1308 $data[ $k ] = $this->_real_escape( $v ); 1309 } 1310 } 1311 } else { 1312 $data = $this->_real_escape( $data ); 1313 } 1314 1315 return $data; 1316 } 1317 1318 /** 1319 * Do not use, deprecated. 1320 * 1321 * Use esc_sql() or wpdb::prepare() instead. 1322 * 1323 * @since 0.71 1324 * @deprecated 3.6.0 Use wpdb::prepare() 1325 * @see wpdb::prepare() 1326 * @see esc_sql() 1327 * 1328 * @param string|array $data Data to escape. 1329 * @return string|array Escaped data, in the same type as supplied. 1330 */ 1331 public function escape( $data ) { 1332 if ( func_num_args() === 1 && function_exists( '_deprecated_function' ) ) { 1333 _deprecated_function( __METHOD__, '3.6.0', 'wpdb::prepare() or esc_sql()' ); 1334 } 1335 if ( is_array( $data ) ) { 1336 foreach ( $data as $k => $v ) { 1337 if ( is_array( $v ) ) { 1338 $data[ $k ] = $this->escape( $v, 'recursive' ); 1339 } else { 1340 $data[ $k ] = $this->_weak_escape( $v, 'internal' ); 1341 } 1342 } 1343 } else { 1344 $data = $this->_weak_escape( $data, 'internal' ); 1345 } 1346 1347 return $data; 1348 } 1349 1350 /** 1351 * Escapes content by reference for insertion into the database, for security. 1352 * 1353 * @uses wpdb::_real_escape() 1354 * 1355 * @since 2.3.0 1356 * 1357 * @param string $data String to escape. 1358 */ 1359 public function escape_by_ref( &$data ) { 1360 if ( ! is_float( $data ) ) { 1361 $data = $this->_real_escape( $data ); 1362 } 1363 } 1364 1365 /** 1366 * Quotes an identifier for a MySQL database, e.g. table/field names. 1367 * 1368 * @since 6.2.0 1369 * 1370 * @param string $identifier Identifier to escape. 1371 * @return string Escaped identifier. 1372 */ 1373 public function quote_identifier( $identifier ) { 1374 return '`' . $this->_escape_identifier_value( $identifier ) . '`'; 1375 } 1376 1377 /** 1378 * Escapes an identifier value without adding the surrounding quotes. 1379 * 1380 * - Permitted characters in quoted identifiers include the full Unicode 1381 * Basic Multilingual Plane (BMP), except U+0000. 1382 * - To quote the identifier itself, you need to double the character, e.g. `a``b`. 1383 * 1384 * @since 6.2.0 1385 * 1386 * @link https://dev.mysql.com/doc/refman/8.0/en/identifiers.html 1387 * 1388 * @param string $identifier Identifier to escape. 1389 * @return string Escaped identifier. 1390 */ 1391 private function _escape_identifier_value( $identifier ) { 1392 return str_replace( '`', '``', $identifier ); 1393 } 1394 1395 /** 1396 * Prepares a SQL query for safe execution. 1397 * 1398 * Uses `sprintf()`-like syntax. The following placeholders can be used in the query string: 1399 * 1400 * - `%d` (integer) 1401 * - `%f` (float) 1402 * - `%s` (string) 1403 * - `%i` (identifier, e.g. table/field names) 1404 * 1405 * All placeholders MUST be left unquoted in the query string. A corresponding argument 1406 * MUST be passed for each placeholder. 1407 * 1408 * Note: There is one exception to the above: for compatibility with old behavior, 1409 * numbered or formatted string placeholders (eg, `%1$s`, `%5s`) will not have quotes 1410 * added by this function, so should be passed with appropriate quotes around them. 1411 * 1412 * Literal percentage signs (`%`) in the query string must be written as `%%`. Percentage wildcards 1413 * (for example, to use in LIKE syntax) must be passed via a substitution argument containing 1414 * the complete LIKE string, these cannot be inserted directly in the query string. 1415 * Also see wpdb::esc_like(). 1416 * 1417 * Arguments may be passed as individual arguments to the method, or as a single array 1418 * containing all arguments. A combination of the two is not supported. 1419 * 1420 * Examples: 1421 * 1422 * $wpdb->prepare( 1423 * "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d OR `other_field` LIKE %s", 1424 * array( 'foo', 1337, '%bar' ) 1425 * ); 1426 * 1427 * $wpdb->prepare( 1428 * "SELECT DATE_FORMAT(`field`, '%%c') FROM `table` WHERE `column` = %s", 1429 * 'foo' 1430 * ); 1431 * 1432 * @since 2.3.0 1433 * @since 5.3.0 Formalized the existing and already documented `...$args` parameter 1434 * by updating the function signature. The second parameter was changed 1435 * from `$args` to `...$args`. 1436 * @since 6.2.0 Added `%i` for identifiers, e.g. table or field names. 1437 * Check support via `wpdb::has_cap( 'identifier_placeholders' )`. 1438 * This preserves compatibility with `sprintf()`, as the C version uses 1439 * `%d` and `$i` as a signed integer, whereas PHP only supports `%d`. 1440 * 1441 * @link https://www.php.net/sprintf Description of syntax. 1442 * 1443 * @param string $query Query statement with `sprintf()`-like placeholders. 1444 * @param array|mixed $args The array of variables to substitute into the query's placeholders 1445 * if being called with an array of arguments, or the first variable 1446 * to substitute into the query's placeholders if being called with 1447 * individual arguments. 1448 * @param mixed ...$args Further variables to substitute into the query's placeholders 1449 * if being called with individual arguments. 1450 * @return string|void Sanitized query string, if there is a query to prepare. 1451 */ 1452 public function prepare( $query, ...$args ) { 1453 if ( is_null( $query ) ) { 1454 return; 1455 } 1456 1457 /* 1458 * This is not meant to be foolproof -- but it will catch obviously incorrect usage. 1459 * 1460 * Note: str_contains() is not used here, as this file can be included 1461 * directly outside of WordPress core, e.g. by HyperDB, in which case 1462 * the polyfills from wp-includes/compat.php are not loaded. 1463 */ 1464 if ( false === strpos( $query, '%' ) ) { 1465 wp_load_translations_early(); 1466 _doing_it_wrong( 1467 'wpdb::prepare', 1468 sprintf( 1469 /* translators: %s: wpdb::prepare() */ 1470 __( 'The query argument of %s must have a placeholder.' ), 1471 'wpdb::prepare()' 1472 ), 1473 '3.9.0' 1474 ); 1475 } 1476 1477 /* 1478 * Specify the formatting allowed in a placeholder. The following are allowed: 1479 * 1480 * - Sign specifier, e.g. $+d 1481 * - Numbered placeholders, e.g. %1$s 1482 * - Padding specifier, including custom padding characters, e.g. %05s, %'#5s 1483 * - Alignment specifier, e.g. %05-s 1484 * - Precision specifier, e.g. %.2f 1485 */ 1486 $allowed_format = '(?:[1-9][0-9]*[$])?[-+0-9]*(?: |0|\'.)?[-+0-9]*(?:\.[0-9]+)?'; 1487 1488 /* 1489 * If a %s placeholder already has quotes around it, removing the existing quotes 1490 * and re-inserting them ensures the quotes are consistent. 1491 * 1492 * For backward compatibility, this is only applied to %s, and not to placeholders like %1$s, 1493 * which are frequently used in the middle of longer strings, or as table name placeholders. 1494 */ 1495 $query = str_replace( "'%s'", '%s', $query ); // Strip any existing single quotes. 1496 $query = str_replace( '"%s"', '%s', $query ); // Strip any existing double quotes. 1497 1498 // Escape any unescaped percents (i.e. anything unrecognised). 1499 $query = preg_replace( "/%(?:%|$|(?!($allowed_format)?[sdfFi]))/", '%%\\1', $query ); 1500 1501 // Extract placeholders from the query. 1502 $split_query = preg_split( "/(^|[^%]|(?:%%)+)(%(?:$allowed_format)?[sdfFi])/", $query, -1, PREG_SPLIT_DELIM_CAPTURE ); 1503 1504 $split_query_count = count( $split_query ); 1505 1506 /* 1507 * Split always returns with 1 value before the first placeholder (even with $query = "%s"), 1508 * then 3 additional values per placeholder. 1509 */ 1510 $placeholder_count = ( ( $split_query_count - 1 ) / 3 ); 1511 1512 // If args were passed as an array, as in vsprintf(), move them up. 1513 $passed_as_array = ( isset( $args[0] ) && is_array( $args[0] ) && 1 === count( $args ) ); 1514 if ( $passed_as_array ) { 1515 $args = $args[0]; 1516 } 1517 1518 $new_query = ''; 1519 $key = 2; // Keys 0 and 1 in $split_query contain values before the first placeholder. 1520 $arg_id = 0; 1521 $arg_identifiers = array(); 1522 $arg_strings = array(); 1523 1524 while ( $key < $split_query_count ) { 1525 $placeholder = $split_query[ $key ]; 1526 1527 $format = substr( $placeholder, 1, -1 ); 1528 $type = substr( $placeholder, -1 ); 1529 1530 if ( 'f' === $type && true === $this->allow_unsafe_unquoted_parameters 1531 /* 1532 * Note: str_ends_with() is not used here, as this file can be included 1533 * directly outside of WordPress core, e.g. by HyperDB, in which case 1534 * the polyfills from wp-includes/compat.php are not loaded. 1535 */ 1536 && '%' === substr( $split_query[ $key - 1 ], -1, 1 ) 1537 ) { 1538 1539 /* 1540 * Before WP 6.2 the "force floats to be locale-unaware" RegEx didn't 1541 * convert "%%%f" to "%%%F" (note the uppercase F). 1542 * This was because it didn't check to see if the leading "%" was escaped. 1543 * And because the "Escape any unescaped percents" RegEx used "[sdF]" in its 1544 * negative lookahead assertion, when there was an odd number of "%", it added 1545 * an extra "%", to give the fully escaped "%%%%f" (not a placeholder). 1546 */ 1547 1548 $s = $split_query[ $key - 2 ] . $split_query[ $key - 1 ]; 1549 $k = 1; 1550 $l = strlen( $s ); 1551 while ( $k <= $l && '%' === $s[ $l - $k ] ) { 1552 ++$k; 1553 } 1554 1555 $placeholder = '%' . ( $k % 2 ? '%' : '' ) . $format . $type; 1556 1557 --$placeholder_count; 1558 1559 } else { 1560 1561 // Force floats to be locale-unaware. 1562 if ( 'f' === $type ) { 1563 $type = 'F'; 1564 $placeholder = '%' . $format . $type; 1565 } 1566 1567 if ( 'i' === $type ) { 1568 $placeholder = '`%' . $format . 's`'; 1569 // Using a simple strpos() due to previous checking (e.g. $allowed_format). 1570 $argnum_pos = strpos( $format, '$' ); 1571 1572 if ( false !== $argnum_pos ) { 1573 // sprintf() argnum starts at 1, $arg_id from 0. 1574 $arg_identifiers[] = ( ( (int) substr( $format, 0, $argnum_pos ) ) - 1 ); 1575 } else { 1576 $arg_identifiers[] = $arg_id; 1577 } 1578 } elseif ( 'd' !== $type && 'F' !== $type ) { 1579 /* 1580 * i.e. ( 's' === $type ), where 'd' and 'F' keeps $placeholder unchanged, 1581 * and we ensure string escaping is used as a safe default (e.g. even if 'x'). 1582 */ 1583 $argnum_pos = strpos( $format, '$' ); 1584 1585 if ( false !== $argnum_pos ) { 1586 $arg_strings[] = ( ( (int) substr( $format, 0, $argnum_pos ) ) - 1 ); 1587 } else { 1588 $arg_strings[] = $arg_id; 1589 } 1590 1591 /* 1592 * Unquoted strings for backward compatibility (dangerous). 1593 * First, "numbered or formatted string placeholders (eg, %1$s, %5s)". 1594 * Second, if "%s" has a "%" before it, even if it's unrelated (e.g. "LIKE '%%%s%%'"). 1595 */ 1596 if ( true !== $this->allow_unsafe_unquoted_parameters 1597 /* 1598 * Note: str_ends_with() is not used here, as this file can be included 1599 * directly outside of WordPress core, e.g. by HyperDB, in which case 1600 * the polyfills from wp-includes/compat.php are not loaded. 1601 */ 1602 || ( '' === $format && '%' !== substr( $split_query[ $key - 1 ], -1, 1 ) ) 1603 ) { 1604 $placeholder = "'%" . $format . "s'"; 1605 } 1606 } 1607 } 1608 1609 // Glue (-2), any leading characters (-1), then the new $placeholder. 1610 $new_query .= $split_query[ $key - 2 ] . $split_query[ $key - 1 ] . $placeholder; 1611 1612 $key += 3; 1613 ++$arg_id; 1614 } 1615 1616 // Replace $query; and add remaining $query characters, or index 0 if there were no placeholders. 1617 $query = $new_query . $split_query[ $key - 2 ]; 1618 1619 $dual_use = array_intersect( $arg_identifiers, $arg_strings ); 1620 1621 if ( count( $dual_use ) > 0 ) { 1622 wp_load_translations_early(); 1623 1624 $used_placeholders = array(); 1625 1626 $key = 2; 1627 $arg_id = 0; 1628 // Parse again (only used when there is an error). 1629 while ( $key < $split_query_count ) { 1630 $placeholder = $split_query[ $key ]; 1631 1632 $format = substr( $placeholder, 1, -1 ); 1633 1634 $argnum_pos = strpos( $format, '$' ); 1635 1636 if ( false !== $argnum_pos ) { 1637 $arg_pos = ( ( (int) substr( $format, 0, $argnum_pos ) ) - 1 ); 1638 } else { 1639 $arg_pos = $arg_id; 1640 } 1641 1642 $used_placeholders[ $arg_pos ][] = $placeholder; 1643 1644 $key += 3; 1645 ++$arg_id; 1646 } 1647 1648 $conflicts = array(); 1649 foreach ( $dual_use as $arg_pos ) { 1650 $conflicts[] = implode( ' and ', $used_placeholders[ $arg_pos ] ); 1651 } 1652 1653 _doing_it_wrong( 1654 'wpdb::prepare', 1655 sprintf( 1656 /* translators: %s: A list of placeholders found to be a problem. */ 1657 __( 'Arguments cannot be prepared as both an Identifier and Value. Found the following conflicts: %s' ), 1658 implode( ', ', $conflicts ) 1659 ), 1660 '6.2.0' 1661 ); 1662 1663 return; 1664 } 1665 1666 $args_count = count( $args ); 1667 1668 if ( $args_count !== $placeholder_count ) { 1669 if ( 1 === $placeholder_count && $passed_as_array ) { 1670 /* 1671 * If the passed query only expected one argument, 1672 * but the wrong number of arguments was sent as an array, bail. 1673 */ 1674 wp_load_translations_early(); 1675 _doing_it_wrong( 1676 'wpdb::prepare', 1677 __( 'The query only expected one placeholder, but an array of multiple placeholders was sent.' ), 1678 '4.9.0' 1679 ); 1680 1681 return; 1682 } else { 1683 /* 1684 * If we don't have the right number of placeholders, 1685 * but they were passed as individual arguments, 1686 * or we were expecting multiple arguments in an array, throw a warning. 1687 */ 1688 wp_load_translations_early(); 1689 _doing_it_wrong( 1690 'wpdb::prepare', 1691 sprintf( 1692 /* translators: 1: Number of placeholders, 2: Number of arguments passed. */ 1693 __( 'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).' ), 1694 $placeholder_count, 1695 $args_count 1696 ), 1697 '4.8.3' 1698 ); 1699 1700 /* 1701 * If we don't have enough arguments to match the placeholders, 1702 * return an empty string to avoid a fatal error on PHP 8. 1703 */ 1704 if ( $args_count < $placeholder_count ) { 1705 $max_numbered_placeholder = 0; 1706 1707 for ( $i = 2, $l = $split_query_count; $i < $l; $i += 3 ) { 1708 // Assume a leading number is for a numbered placeholder, e.g. '%3$s'. 1709 $argnum = (int) substr( $split_query[ $i ], 1 ); 1710 1711 if ( $max_numbered_placeholder < $argnum ) { 1712 $max_numbered_placeholder = $argnum; 1713 } 1714 } 1715 1716 if ( ! $max_numbered_placeholder || $args_count < $max_numbered_placeholder ) { 1717 return ''; 1718 } 1719 } 1720 } 1721 } 1722 1723 $args_escaped = array(); 1724 1725 foreach ( $args as $i => $value ) { 1726 if ( in_array( $i, $arg_identifiers, true ) ) { 1727 $args_escaped[] = $this->_escape_identifier_value( $value ); 1728 } elseif ( is_int( $value ) || is_float( $value ) ) { 1729 $args_escaped[] = $value; 1730 } else { 1731 if ( ! is_scalar( $value ) && ! is_null( $value ) ) { 1732 wp_load_translations_early(); 1733 _doing_it_wrong( 1734 'wpdb::prepare', 1735 sprintf( 1736 /* translators: %s: Value type. */ 1737 __( 'Unsupported value type (%s).' ), 1738 gettype( $value ) 1739 ), 1740 '4.8.2' 1741 ); 1742 1743 // Preserving old behavior, where values are escaped as strings. 1744 $value = ''; 1745 } 1746 1747 $args_escaped[] = $this->_real_escape( $value ); 1748 } 1749 } 1750 1751 $query = vsprintf( $query, $args_escaped ); 1752 1753 return $this->add_placeholder_escape( $query ); 1754 } 1755 1756 /** 1757 * First half of escaping for `LIKE` special characters `%` and `_` before preparing for SQL. 1758 * 1759 * Use this only before wpdb::prepare() or esc_sql(). Reversing the order is very bad for security. 1760 * 1761 * Example Prepared Statement: 1762 * 1763 * $wild = '%'; 1764 * $find = 'only 43% of planets'; 1765 * $like = $wild . $wpdb->esc_like( $find ) . $wild; 1766 * $sql = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_content LIKE %s", $like ); 1767 * 1768 * Example Escape Chain: 1769 * 1770 * $sql = esc_sql( $wpdb->esc_like( $input ) ); 1771 * 1772 * @since 4.0.0 1773 * 1774 * @param string $text The raw text to be escaped. The input typed by the user 1775 * should have no extra or deleted slashes. 1776 * @return string Text in the form of a LIKE phrase. The output is not SQL safe. 1777 * Call wpdb::prepare() or wpdb::_real_escape() next. 1778 */ 1779 public function esc_like( $text ) { 1780 return addcslashes( $text, '_%\\' ); 1781 } 1782 1783 /** 1784 * Prints SQL/DB error. 1785 * 1786 * @since 0.71 1787 * 1788 * @global array $EZSQL_ERROR Stores error information of query and error string. 1789 * 1790 * @param string $str The error to display. 1791 * @return void|false Void if the showing of errors is enabled, false if disabled. 1792 */ 1793 public function print_error( $str = '' ) { 1794 global $EZSQL_ERROR; 1795 1796 if ( ! $str ) { 1797 $str = mysqli_error( $this->dbh ); 1798 } 1799 1800 $EZSQL_ERROR[] = array( 1801 'query' => $this->last_query, 1802 'error_str' => $str, 1803 ); 1804 1805 if ( $this->suppress_errors ) { 1806 return false; 1807 } 1808 1809 $caller = $this->get_caller(); 1810 if ( $caller ) { 1811 // Not translated, as this will only appear in the error log. 1812 $error_str = sprintf( 'WordPress database error %1$s for query %2$s made by %3$s', $str, $this->last_query, $caller ); 1813 } else { 1814 $error_str = sprintf( 'WordPress database error %1$s for query %2$s', $str, $this->last_query ); 1815 } 1816 1817 error_log( $error_str ); 1818 1819 // Are we showing errors? 1820 if ( ! $this->show_errors ) { 1821 return false; 1822 } 1823 1824 wp_load_translations_early(); 1825 1826 // If there is an error then take note of it. 1827 if ( is_multisite() ) { 1828 $msg = sprintf( 1829 "%s [%s]\n%s\n", 1830 __( 'WordPress database error:' ), 1831 $str, 1832 $this->last_query 1833 ); 1834 1835 if ( defined( 'ERRORLOGFILE' ) ) { 1836 error_log( $msg, 3, ERRORLOGFILE ); 1837 } 1838 if ( defined( 'DIEONDBERROR' ) ) { 1839 wp_die( $msg ); 1840 } 1841 } else { 1842 $str = htmlspecialchars( $str, ENT_QUOTES ); 1843 $query = htmlspecialchars( $this->last_query, ENT_QUOTES ); 1844 1845 printf( 1846 '<div id="error"><p class="wpdberror"><strong>%s</strong> [%s]<br /><code>%s</code></p></div>', 1847 __( 'WordPress database error:' ), 1848 $str, 1849 $query 1850 ); 1851 } 1852 } 1853 1854 /** 1855 * Enables showing of database errors. 1856 * 1857 * This function should be used only to enable showing of errors. 1858 * wpdb::hide_errors() should be used instead for hiding errors. 1859 * 1860 * @since 0.71 1861 * 1862 * @see wpdb::hide_errors() 1863 * 1864 * @param bool $show Optional. Whether to show errors. Default true. 1865 * @return bool Whether showing of errors was previously active. 1866 */ 1867 public function show_errors( $show = true ) { 1868 $errors = $this->show_errors; 1869 $this->show_errors = $show; 1870 return $errors; 1871 } 1872 1873 /** 1874 * Disables showing of database errors. 1875 * 1876 * By default database errors are not shown. 1877 * 1878 * @since 0.71 1879 * 1880 * @see wpdb::show_errors() 1881 * 1882 * @return bool Whether showing of errors was previously active. 1883 */ 1884 public function hide_errors() { 1885 $show = $this->show_errors; 1886 $this->show_errors = false; 1887 return $show; 1888 } 1889 1890 /** 1891 * Enables or disables suppressing of database errors. 1892 * 1893 * By default database errors are suppressed. 1894 * 1895 * @since 2.5.0 1896 * 1897 * @see wpdb::hide_errors() 1898 * 1899 * @param bool $suppress Optional. Whether to suppress errors. Default true. 1900 * @return bool Whether suppressing of errors was previously active. 1901 */ 1902 public function suppress_errors( $suppress = true ) { 1903 $errors = $this->suppress_errors; 1904 $this->suppress_errors = (bool) $suppress; 1905 return $errors; 1906 } 1907 1908 /** 1909 * Kills cached query results. 1910 * 1911 * @since 0.71 1912 */ 1913 public function flush() { 1914 $this->last_result = array(); 1915 $this->col_info = null; 1916 $this->last_query = null; 1917 $this->rows_affected = 0; 1918 $this->num_rows = 0; 1919 $this->last_error = ''; 1920 1921 if ( $this->result instanceof mysqli_result ) { 1922 mysqli_free_result( $this->result ); 1923 $this->result = null; 1924 1925 // Confidence check before using the handle. 1926 if ( empty( $this->dbh ) || ! ( $this->dbh instanceof mysqli ) ) { 1927 return; 1928 } 1929 1930 // Clear out any results from a multi-query. 1931 while ( mysqli_more_results( $this->dbh ) ) { 1932 mysqli_next_result( $this->dbh ); 1933 } 1934 } 1935 } 1936 1937 /** 1938 * Connects to and selects database. 1939 * 1940 * If `$allow_bail` is false, the lack of database connection will need to be handled manually. 1941 * 1942 * @since 3.0.0 1943 * @since 3.9.0 $allow_bail parameter added. 1944 * 1945 * @param bool $allow_bail Optional. Allows the function to bail. Default true. 1946 * @return bool True with a successful connection, false on failure. 1947 */ 1948 public function db_connect( $allow_bail = true ) { 1949 $this->is_mysql = true; 1950 1951 $client_flags = defined( 'MYSQL_CLIENT_FLAGS' ) ? MYSQL_CLIENT_FLAGS : 0; 1952 1953 /* 1954 * Set the MySQLi error reporting off because WordPress handles its own. 1955 * This is due to the default value change from `MYSQLI_REPORT_OFF` 1956 * to `MYSQLI_REPORT_ERROR|MYSQLI_REPORT_STRICT` in PHP 8.1. 1957 */ 1958 mysqli_report( MYSQLI_REPORT_OFF ); 1959 1960 $this->dbh = mysqli_init(); 1961 1962 $host = $this->dbhost; 1963 $port = null; 1964 $socket = null; 1965 $is_ipv6 = false; 1966 1967 $host_data = $this->parse_db_host( $this->dbhost ); 1968 if ( $host_data ) { 1969 list( $host, $port, $socket, $is_ipv6 ) = $host_data; 1970 } 1971 1972 /* 1973 * If using the `mysqlnd` library, the IPv6 address needs to be enclosed 1974 * in square brackets, whereas it doesn't while using the `libmysqlclient` library. 1975 * @see https://bugs.php.net/bug.php?id=67563 1976 */ 1977 if ( $is_ipv6 && extension_loaded( 'mysqlnd' ) ) { 1978 $host = "[$host]"; 1979 } 1980 1981 if ( WP_DEBUG ) { 1982 mysqli_real_connect( $this->dbh, $host, $this->dbuser, $this->dbpassword, null, $port, $socket, $client_flags ); 1983 } else { 1984 // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged 1985 @mysqli_real_connect( $this->dbh, $host, $this->dbuser, $this->dbpassword, null, $port, $socket, $client_flags ); 1986 } 1987 1988 if ( $this->dbh->connect_errno ) { 1989 $this->dbh = null; 1990 } 1991 1992 if ( ! $this->dbh && $allow_bail ) { 1993 wp_load_translations_early(); 1994 1995 // Load custom DB error template, if present. 1996 if ( file_exists( WP_CONTENT_DIR . '/db-error.php' ) ) { 1997 require_once WP_CONTENT_DIR . '/db-error.php'; 1998 die(); 1999 } 2000 2001 $message = '<h1>' . __( 'Error establishing a database connection' ) . "</h1>\n"; 2002 2003 $message .= '<p>' . sprintf( 2004 /* translators: 1: wp-config.php, 2: Database host. */ 2005 __( 'This either means that the username and password information in your %1$s file is incorrect or that contact with the database server at %2$s could not be established. This could mean your host’s database server is down.' ), 2006 '<code>wp-config.php</code>', 2007 '<code>' . htmlspecialchars( $this->dbhost, ENT_QUOTES ) . '</code>' 2008 ) . "</p>\n"; 2009 2010 $message .= "<ul>\n"; 2011 $message .= '<li>' . __( 'Are you sure you have the correct username and password?' ) . "</li>\n"; 2012 $message .= '<li>' . __( 'Are you sure you have typed the correct hostname?' ) . "</li>\n"; 2013 $message .= '<li>' . __( 'Are you sure the database server is running?' ) . "</li>\n"; 2014 $message .= "</ul>\n"; 2015 2016 $message .= '<p>' . sprintf( 2017 /* translators: %s: Support forums URL. */ 2018 __( 'If you are unsure what these terms mean you should probably contact your host. If you still need help you can always visit the <a href="%s">WordPress support forums</a>.' ), 2019 __( 'https://wordpress.org/support/forums/' ) 2020 ) . "</p>\n"; 2021 2022 $this->bail( $message, 'db_connect_fail' ); 2023 2024 return false; 2025 } elseif ( $this->dbh ) { 2026 if ( ! $this->has_connected ) { 2027 $this->init_charset(); 2028 } 2029 2030 $this->has_connected = true; 2031 2032 $this->set_charset( $this->dbh ); 2033 2034 $this->ready = true; 2035 $this->set_sql_mode(); 2036 $this->select( $this->dbname, $this->dbh ); 2037 2038 return true; 2039 } 2040 2041 return false; 2042 } 2043 2044 /** 2045 * Parses the DB_HOST setting to interpret it for mysqli_real_connect(). 2046 * 2047 * mysqli_real_connect() doesn't support the host param including a port or socket 2048 * like mysql_connect() does. This duplicates how mysql_connect() detects a port 2049 * and/or socket file. 2050 * 2051 * @since 4.9.0 2052 * 2053 * @param string $host The DB_HOST setting to parse. 2054 * @return array|false { 2055 * Array containing the host, the port, the socket and 2056 * whether it is an IPv6 address, in that order. 2057 * False if the host couldn't be parsed. 2058 * 2059 * @type string $0 Host name. 2060 * @type string|null $1 Port. 2061 * @type string|null $2 Socket. 2062 * @type bool $3 Whether it is an IPv6 address. 2063 * } 2064 */ 2065 public function parse_db_host( $host ) { 2066 $socket = null; 2067 $is_ipv6 = false; 2068 2069 // First peel off the socket parameter from the right, if it exists. 2070 $socket_pos = strpos( $host, ':/' ); 2071 if ( false !== $socket_pos ) { 2072 $socket = substr( $host, $socket_pos + 1 ); 2073 $host = substr( $host, 0, $socket_pos ); 2074 } 2075 2076 /* 2077 * We need to check for an IPv6 address first. 2078 * An IPv6 address will always contain at least two colons. 2079 */ 2080 if ( substr_count( $host, ':' ) > 1 ) { 2081 $pattern = '#^(?:\[)?(?P<host>[0-9a-fA-F:]+)(?:\]:(?P<port>[\d]+))?#'; 2082 $is_ipv6 = true; 2083 } else { 2084 // We seem to be dealing with an IPv4 address. 2085 $pattern = '#^(?P<host>[^:/]*)(?::(?P<port>[\d]+))?#'; 2086 } 2087 2088 $matches = array(); 2089 $result = preg_match( $pattern, $host, $matches ); 2090 2091 if ( 1 !== $result ) { 2092 // Couldn't parse the address, bail. 2093 return false; 2094 } 2095 2096 $host = ! empty( $matches['host'] ) ? $matches['host'] : ''; 2097 // MySQLi port cannot be a string; must be null or an integer. 2098 $port = ! empty( $matches['port'] ) ? absint( $matches['port'] ) : null; 2099 2100 return array( $host, $port, $socket, $is_ipv6 ); 2101 } 2102 2103 /** 2104 * Checks that the connection to the database is still up. If not, try to reconnect. 2105 * 2106 * If this function is unable to reconnect, it will forcibly die, or if called 2107 * after the {@see 'template_redirect'} hook has been fired, return false instead. 2108 * 2109 * If `$allow_bail` is false, the lack of database connection will need to be handled manually. 2110 * 2111 * @since 3.9.0 2112 * 2113 * @param bool $allow_bail Optional. Allows the function to bail. Default true. 2114 * @return bool|void True if the connection is up. 2115 */ 2116 public function check_connection( $allow_bail = true ) { 2117 // Check if the connection is alive. 2118 if ( ! empty( $this->dbh ) && mysqli_query( $this->dbh, 'DO 1' ) !== false ) { 2119 return true; 2120 } 2121 2122 $error_reporting = false; 2123 2124 // Disable warnings, as we don't want to see a multitude of "unable to connect" messages. 2125 if ( WP_DEBUG ) { 2126 $error_reporting = error_reporting(); 2127 error_reporting( $error_reporting & ~E_WARNING ); 2128 } 2129 2130 for ( $tries = 1; $tries <= $this->reconnect_retries; $tries++ ) { 2131 /* 2132 * On the last try, re-enable warnings. We want to see a single instance 2133 * of the "unable to connect" message on the bail() screen, if it appears. 2134 */ 2135 if ( $this->reconnect_retries === $tries && WP_DEBUG ) { 2136 error_reporting( $error_reporting ); 2137 } 2138 2139 if ( $this->db_connect( false ) ) { 2140 if ( $error_reporting ) { 2141 error_reporting( $error_reporting ); 2142 } 2143 2144 return true; 2145 } 2146 2147 sleep( 1 ); 2148 } 2149 2150 /* 2151 * If template_redirect has already happened, it's too late for wp_die()/dead_db(). 2152 * Let's just return and hope for the best. 2153 */ 2154 if ( did_action( 'template_redirect' ) ) { 2155 return false; 2156 } 2157 2158 if ( ! $allow_bail ) { 2159 return false; 2160 } 2161 2162 wp_load_translations_early(); 2163 2164 $message = '<h1>' . __( 'Error reconnecting to the database' ) . "</h1>\n"; 2165 2166 $message .= '<p>' . sprintf( 2167 /* translators: %s: Database host. */ 2168 __( 'This means that the contact with the database server at %s was lost. This could mean your host’s database server is down.' ), 2169 '<code>' . htmlspecialchars( $this->dbhost, ENT_QUOTES ) . '</code>' 2170 ) . "</p>\n"; 2171 2172 $message .= "<ul>\n"; 2173 $message .= '<li>' . __( 'Are you sure the database server is running?' ) . "</li>\n"; 2174 $message .= '<li>' . __( 'Are you sure the database server is not under particularly heavy load?' ) . "</li>\n"; 2175 $message .= "</ul>\n"; 2176 2177 $message .= '<p>' . sprintf( 2178 /* translators: %s: Support forums URL. */ 2179 __( 'If you are unsure what these terms mean you should probably contact your host. If you still need help you can always visit the <a href="%s">WordPress support forums</a>.' ), 2180 __( 'https://wordpress.org/support/forums/' ) 2181 ) . "</p>\n"; 2182 2183 // We weren't able to reconnect, so we better bail. 2184 $this->bail( $message, 'db_connect_fail' ); 2185 2186 /* 2187 * Call dead_db() if bail didn't die, because this database is no more. 2188 * It has ceased to be (at least temporarily). 2189 */ 2190 dead_db(); 2191 } 2192 2193 /** 2194 * Performs a database query, using current database connection. 2195 * 2196 * More information can be found on the documentation page. 2197 * 2198 * @since 0.71 2199 * 2200 * @link https://developer.wordpress.org/reference/classes/wpdb/ 2201 * 2202 * @param string $query Database query. 2203 * @return int|bool Boolean true for CREATE, ALTER, TRUNCATE and DROP queries. Number of rows 2204 * affected/selected for all other queries. Boolean false on error. 2205 */ 2206 public function query( $query ) { 2207 if ( ! $this->ready ) { 2208 $this->check_current_query = true; 2209 return false; 2210 } 2211 2212 /** 2213 * Filters the database query. 2214 * 2215 * Some queries are made before the plugins have been loaded, 2216 * and thus cannot be filtered with this method. 2217 * 2218 * @since 2.1.0 2219 * 2220 * @param string $query Database query. 2221 */ 2222 $query = apply_filters( 'query', $query ); 2223 2224 if ( ! $query ) { 2225 $this->insert_id = 0; 2226 return false; 2227 } 2228 2229 $this->flush(); 2230 2231 // Log how the function was called. 2232 $this->func_call = "\$db->query(\"$query\")"; 2233 2234 // If we're writing to the database, make sure the query will write safely. 2235 if ( $this->check_current_query && ! $this->check_ascii( $query ) ) { 2236 $stripped_query = $this->strip_invalid_text_from_query( $query ); 2237 /* 2238 * strip_invalid_text_from_query() can perform queries, so we need 2239 * to flush again, just to make sure everything is clear. 2240 */ 2241 $this->flush(); 2242 if ( $stripped_query !== $query ) { 2243 $this->insert_id = 0; 2244 $this->last_query = $query; 2245 2246 wp_load_translations_early(); 2247 2248 $this->last_error = __( 'WordPress database error: Could not perform query because it contains invalid data.' ); 2249 2250 return false; 2251 } 2252 } 2253 2254 $this->check_current_query = true; 2255 2256 // Keep track of the last query for debug. 2257 $this->last_query = $query; 2258 2259 $this->_do_query( $query ); 2260 2261 // Database server has gone away, try to reconnect. 2262 $mysql_errno = 0; 2263 2264 if ( $this->dbh instanceof mysqli ) { 2265 $mysql_errno = mysqli_errno( $this->dbh ); 2266 } else { 2267 /* 2268 * $dbh is defined, but isn't a real connection. 2269 * Something has gone horribly wrong, let's try a reconnect. 2270 */ 2271 $mysql_errno = 2006; 2272 } 2273 2274 if ( empty( $this->dbh ) || 2006 === $mysql_errno ) { 2275 if ( $this->check_connection() ) { 2276 $this->_do_query( $query ); 2277 } else { 2278 $this->insert_id = 0; 2279 return false; 2280 } 2281 } 2282 2283 // If there is an error then take note of it. 2284 if ( $this->dbh instanceof mysqli ) { 2285 $this->last_error = mysqli_error( $this->dbh ); 2286 } else { 2287 $this->last_error = __( 'Unable to retrieve the error message from MySQL' ); 2288 } 2289 2290 if ( $this->last_error ) { 2291 // Clear insert_id on a subsequent failed insert. 2292 if ( $this->insert_id && preg_match( '/^\s*(insert|replace)\s/i', $query ) ) { 2293 $this->insert_id = 0; 2294 } 2295 2296 $this->print_error(); 2297 return false; 2298 } 2299 2300 if ( preg_match( '/^\s*(create|alter|truncate|drop)\s/i', $query ) ) { 2301 $return_val = $this->result; 2302 } elseif ( preg_match( '/^\s*(insert|delete|update|replace)\s/i', $query ) ) { 2303 $this->rows_affected = mysqli_affected_rows( $this->dbh ); 2304 2305 // Take note of the insert_id. 2306 if ( preg_match( '/^\s*(insert|replace)\s/i', $query ) ) { 2307 $this->insert_id = mysqli_insert_id( $this->dbh ); 2308 } 2309 2310 // Return number of rows affected. 2311 $return_val = $this->rows_affected; 2312 } else { 2313 $num_rows = 0; 2314 2315 if ( $this->result instanceof mysqli_result ) { 2316 while ( $row = mysqli_fetch_object( $this->result ) ) { 2317 $this->last_result[ $num_rows ] = $row; 2318 ++$num_rows; 2319 } 2320 } 2321 2322 // Log and return the number of rows selected. 2323 $this->num_rows = $num_rows; 2324 $return_val = $num_rows; 2325 } 2326 2327 return $return_val; 2328 } 2329 2330 /** 2331 * Internal function to perform the mysqli_query() call. 2332 * 2333 * @since 3.9.0 2334 * 2335 * @see wpdb::query() 2336 * 2337 * @param string $query The query to run. 2338 */ 2339 private function _do_query( $query ) { 2340 if ( defined( 'SAVEQUERIES' ) && SAVEQUERIES ) { 2341 $this->timer_start(); 2342 } 2343 2344 if ( ! empty( $this->dbh ) ) { 2345 $this->result = mysqli_query( $this->dbh, $query ); 2346 } 2347 2348 ++$this->num_queries; 2349 2350 if ( defined( 'SAVEQUERIES' ) && SAVEQUERIES ) { 2351 $this->log_query( 2352 $query, 2353 $this->timer_stop(), 2354 $this->get_caller(), 2355 $this->time_start, 2356 array() 2357 ); 2358 } 2359 } 2360 2361 /** 2362 * Logs query data. 2363 * 2364 * @since 5.3.0 2365 * 2366 * @param string $query The query's SQL. 2367 * @param float $query_time Total time spent on the query, in seconds. 2368 * @param string $query_callstack Comma-separated list of the calling functions. 2369 * @param float $query_start Unix timestamp of the time at the start of the query. 2370 * @param array $query_data Custom query data. 2371 */ 2372 public function log_query( $query, $query_time, $query_callstack, $query_start, $query_data ) { 2373 /** 2374 * Filters the custom data to log alongside a query. 2375 * 2376 * Caution should be used when modifying any of this data, it is recommended that any additional 2377 * information you need to store about a query be added as a new associative array element. 2378 * 2379 * @since 5.3.0 2380 * 2381 * @param array $query_data Custom query data. 2382 * @param string $query The query's SQL. 2383 * @param float $query_time Total time spent on the query, in seconds. 2384 * @param string $query_callstack Comma-separated list of the calling functions. 2385 * @param float $query_start Unix timestamp of the time at the start of the query. 2386 */ 2387 $query_data = apply_filters( 'log_query_custom_data', $query_data, $query, $query_time, $query_callstack, $query_start ); 2388 2389 $this->queries[] = array( 2390 $query, 2391 $query_time, 2392 $query_callstack, 2393 $query_start, 2394 $query_data, 2395 ); 2396 } 2397 2398 /** 2399 * Generates and returns a placeholder escape string for use in queries returned by ::prepare(). 2400 * 2401 * @since 4.8.3 2402 * 2403 * @return string String to escape placeholders. 2404 */ 2405 public function placeholder_escape() { 2406 static $placeholder; 2407 2408 if ( ! $placeholder ) { 2409 // If ext/hash is not present, compat.php's hash_hmac() does not support sha256. 2410 $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; 2411 // Old WP installs may not have AUTH_SALT defined. 2412 $salt = defined( 'AUTH_SALT' ) && AUTH_SALT ? AUTH_SALT : (string) rand(); 2413 2414 $placeholder = '{' . hash_hmac( $algo, uniqid( $salt, true ), $salt ) . '}'; 2415 } 2416 2417 /* 2418 * Add the filter to remove the placeholder escaper. Uses priority 0, so that anything 2419 * else attached to this filter will receive the query with the placeholder string removed. 2420 */ 2421 if ( false === has_filter( 'query', array( $this, 'remove_placeholder_escape' ) ) ) { 2422 add_filter( 'query', array( $this, 'remove_placeholder_escape' ), 0 ); 2423 } 2424 2425 return $placeholder; 2426 } 2427 2428 /** 2429 * Adds a placeholder escape string, to escape anything that resembles a printf() placeholder. 2430 * 2431 * @since 4.8.3 2432 * 2433 * @param string $query The query to escape. 2434 * @return string The query with the placeholder escape string inserted where necessary. 2435 */ 2436 public function add_placeholder_escape( $query ) { 2437 /* 2438 * To prevent returning anything that even vaguely resembles a placeholder, 2439 * we clobber every % we can find. 2440 */ 2441 return str_replace( '%', $this->placeholder_escape(), $query ); 2442 } 2443 2444 /** 2445 * Removes the placeholder escape strings from a query. 2446 * 2447 * @since 4.8.3 2448 * 2449 * @param string $query The query from which the placeholder will be removed. 2450 * @return string The query with the placeholder removed. 2451 */ 2452 public function remove_placeholder_escape( $query ) { 2453 return str_replace( $this->placeholder_escape(), '%', $query ); 2454 } 2455 2456 /** 2457 * Inserts a row into the table. 2458 * 2459 * Examples: 2460 * 2461 * $wpdb->insert( 2462 * 'table', 2463 * array( 2464 * 'column1' => 'foo', 2465 * 'column2' => 'bar', 2466 * ) 2467 * ); 2468 * $wpdb->insert( 2469 * 'table', 2470 * array( 2471 * 'column1' => 'foo', 2472 * 'column2' => 1337, 2473 * ), 2474 * array( 2475 * '%s', 2476 * '%d', 2477 * ) 2478 * ); 2479 * 2480 * @since 2.5.0 2481 * 2482 * @see wpdb::prepare() 2483 * @see wpdb::$field_types 2484 * @see wp_set_wpdb_vars() 2485 * 2486 * @param string $table Table name. 2487 * @param array $data Data to insert (in column => value pairs). 2488 * Both `$data` columns and `$data` values should be "raw" (neither should be SQL escaped). 2489 * Sending a null value will cause the column to be set to NULL - the corresponding 2490 * format is ignored in this case. 2491 * @param string[]|string $format Optional. An array of formats to be mapped to each of the value in `$data`. 2492 * If string, that format will be used for all of the values in `$data`. 2493 * A format is one of '%d', '%f', '%s' (integer, float, string). 2494 * If omitted, all values in `$data` will be treated as strings unless otherwise 2495 * specified in wpdb::$field_types. Default null. 2496 * @return int|false The number of rows inserted, or false on error. 2497 */ 2498 public function insert( $table, $data, $format = null ) { 2499 return $this->_insert_replace_helper( $table, $data, $format, 'INSERT' ); 2500 } 2501 2502 /** 2503 * Replaces a row in the table or inserts it if it does not exist, based on a PRIMARY KEY or a UNIQUE index. 2504 * 2505 * A REPLACE works exactly like an INSERT, except that if an old row in the table has the same value as a new row 2506 * for a PRIMARY KEY or a UNIQUE index, the old row is deleted before the new row is inserted. 2507 * 2508 * Examples: 2509 * 2510 * $wpdb->replace( 2511 * 'table', 2512 * array( 2513 * 'ID' => 123, 2514 * 'column1' => 'foo', 2515 * 'column2' => 'bar', 2516 * ) 2517 * ); 2518 * $wpdb->replace( 2519 * 'table', 2520 * array( 2521 * 'ID' => 456, 2522 * 'column1' => 'foo', 2523 * 'column2' => 1337, 2524 * ), 2525 * array( 2526 * '%d', 2527 * '%s', 2528 * '%d', 2529 * ) 2530 * ); 2531 * 2532 * @since 3.0.0 2533 * 2534 * @see wpdb::prepare() 2535 * @see wpdb::$field_types 2536 * @see wp_set_wpdb_vars() 2537 * 2538 * @param string $table Table name. 2539 * @param array $data Data to insert (in column => value pairs). 2540 * Both `$data` columns and `$data` values should be "raw" (neither should be SQL escaped). 2541 * A primary key or unique index is required to perform a replace operation. 2542 * Sending a null value will cause the column to be set to NULL - the corresponding 2543 * format is ignored in this case. 2544 * @param string[]|string $format Optional. An array of formats to be mapped to each of the value in `$data`. 2545 * If string, that format will be used for all of the values in `$data`. 2546 * A format is one of '%d', '%f', '%s' (integer, float, string). 2547 * If omitted, all values in `$data` will be treated as strings unless otherwise 2548 * specified in wpdb::$field_types. Default null. 2549 * @return int|false The number of rows affected, or false on error. 2550 */ 2551 public function replace( $table, $data, $format = null ) { 2552 return $this->_insert_replace_helper( $table, $data, $format, 'REPLACE' ); 2553 } 2554 2555 /** 2556 * Helper function for insert and replace. 2557 * 2558 * Runs an insert or replace query based on `$type` argument. 2559 * 2560 * @since 3.0.0 2561 * 2562 * @see wpdb::prepare() 2563 * @see wpdb::$field_types 2564 * @see wp_set_wpdb_vars() 2565 * 2566 * @param string $table Table name. 2567 * @param array $data Data to insert (in column => value pairs). 2568 * Both `$data` columns and `$data` values should be "raw" (neither should be SQL escaped). 2569 * Sending a null value will cause the column to be set to NULL - the corresponding 2570 * format is ignored in this case. 2571 * @param string[]|string $format Optional. An array of formats to be mapped to each of the value in `$data`. 2572 * If string, that format will be used for all of the values in `$data`. 2573 * A format is one of '%d', '%f', '%s' (integer, float, string). 2574 * If omitted, all values in `$data` will be treated as strings unless otherwise 2575 * specified in wpdb::$field_types. Default null. 2576 * @param string $type Optional. Type of operation. Either 'INSERT' or 'REPLACE'. 2577 * Default 'INSERT'. 2578 * @return int|false The number of rows affected, or false on error. 2579 */ 2580 public function _insert_replace_helper( $table, $data, $format = null, $type = 'INSERT' ) { 2581 $this->insert_id = 0; 2582 2583 if ( ! in_array( strtoupper( $type ), array( 'REPLACE', 'INSERT' ), true ) ) { 2584 return false; 2585 } 2586 2587 $data = $this->process_fields( $table, $data, $format ); 2588 if ( false === $data ) { 2589 return false; 2590 } 2591 2592 $formats = array(); 2593 $values = array(); 2594 foreach ( $data as $value ) { 2595 if ( is_null( $value['value'] ) ) { 2596 $formats[] = 'NULL'; 2597 continue; 2598 } 2599 2600 $formats[] = $value['format']; 2601 $values[] = $value['value']; 2602 } 2603 2604 $fields = '`' . implode( '`, `', array_keys( $data ) ) . '`'; 2605 $formats = implode( ', ', $formats ); 2606 2607 $sql = "$type INTO `$table` ($fields) VALUES ($formats)"; 2608 2609 $this->check_current_query = false; 2610 return $this->query( $this->prepare( $sql, $values ) ); 2611 } 2612 2613 /** 2614 * Updates a row in the table. 2615 * 2616 * Examples: 2617 * 2618 * $wpdb->update( 2619 * 'table', 2620 * array( 2621 * 'column1' => 'foo', 2622 * 'column2' => 'bar', 2623 * ), 2624 * array( 2625 * 'ID' => 1, 2626 * ) 2627 * ); 2628 * $wpdb->update( 2629 * 'table', 2630 * array( 2631 * 'column1' => 'foo', 2632 * 'column2' => 1337, 2633 * ), 2634 * array( 2635 * 'ID' => 1, 2636 * ), 2637 * array( 2638 * '%s', 2639 * '%d', 2640 * ), 2641 * array( 2642 * '%d', 2643 * ) 2644 * ); 2645 * 2646 * @since 2.5.0 2647 * 2648 * @see wpdb::prepare() 2649 * @see wpdb::$field_types 2650 * @see wp_set_wpdb_vars() 2651 * 2652 * @param string $table Table name. 2653 * @param array $data Data to update (in column => value pairs). 2654 * Both $data columns and $data values should be "raw" (neither should be SQL escaped). 2655 * Sending a null value will cause the column to be set to NULL - the corresponding 2656 * format is ignored in this case. 2657 * @param array $where A named array of WHERE clauses (in column => value pairs). 2658 * Multiple clauses will be joined with ANDs. 2659 * Both $where columns and $where values should be "raw". 2660 * Sending a null value will create an IS NULL comparison - the corresponding 2661 * format will be ignored in this case. 2662 * @param string[]|string $format Optional. An array of formats to be mapped to each of the values in $data. 2663 * If string, that format will be used for all of the values in $data. 2664 * A format is one of '%d', '%f', '%s' (integer, float, string). 2665 * If omitted, all values in $data will be treated as strings unless otherwise 2666 * specified in wpdb::$field_types. Default null. 2667 * @param string[]|string $where_format Optional. An array of formats to be mapped to each of the values in $where. 2668 * If string, that format will be used for all of the items in $where. 2669 * A format is one of '%d', '%f', '%s' (integer, float, string). 2670 * If omitted, all values in $where will be treated as strings unless otherwise 2671 * specified in wpdb::$field_types. Default null. 2672 * @return int|false The number of rows updated, or false on error. 2673 */ 2674 public function update( $table, $data, $where, $format = null, $where_format = null ) { 2675 if ( ! is_array( $data ) || ! is_array( $where ) ) { 2676 return false; 2677 } 2678 2679 $data = $this->process_fields( $table, $data, $format ); 2680 if ( false === $data ) { 2681 return false; 2682 } 2683 $where = $this->process_fields( $table, $where, $where_format ); 2684 if ( false === $where ) { 2685 return false; 2686 } 2687 2688 $fields = array(); 2689 $conditions = array(); 2690 $values = array(); 2691 foreach ( $data as $field => $value ) { 2692 if ( is_null( $value['value'] ) ) { 2693 $fields[] = "`$field` = NULL"; 2694 continue; 2695 } 2696 2697 $fields[] = "`$field` = " . $value['format']; 2698 $values[] = $value['value']; 2699 } 2700 foreach ( $where as $field => $value ) { 2701 if ( is_null( $value['value'] ) ) { 2702 $conditions[] = "`$field` IS NULL"; 2703 continue; 2704 } 2705 2706 $conditions[] = "`$field` = " . $value['format']; 2707 $values[] = $value['value']; 2708 } 2709 2710 $fields = implode( ', ', $fields ); 2711 $conditions = implode( ' AND ', $conditions ); 2712 2713 $sql = "UPDATE `$table` SET $fields WHERE $conditions"; 2714 2715 $this->check_current_query = false; 2716 return $this->query( $this->prepare( $sql, $values ) ); 2717 } 2718 2719 /** 2720 * Deletes a row in the table. 2721 * 2722 * Examples: 2723 * 2724 * $wpdb->delete( 2725 * 'table', 2726 * array( 2727 * 'ID' => 1, 2728 * ) 2729 * ); 2730 * $wpdb->delete( 2731 * 'table', 2732 * array( 2733 * 'ID' => 1, 2734 * ), 2735 * array( 2736 * '%d', 2737 * ) 2738 * ); 2739 * 2740 * @since 3.4.0 2741 * 2742 * @see wpdb::prepare() 2743 * @see wpdb::$field_types 2744 * @see wp_set_wpdb_vars() 2745 * 2746 * @param string $table Table name. 2747 * @param array $where A named array of WHERE clauses (in column => value pairs). 2748 * Multiple clauses will be joined with ANDs. 2749 * Both $where columns and $where values should be "raw". 2750 * Sending a null value will create an IS NULL comparison - the corresponding 2751 * format will be ignored in this case. 2752 * @param string[]|string $where_format Optional. An array of formats to be mapped to each of the values in $where. 2753 * If string, that format will be used for all of the items in $where. 2754 * A format is one of '%d', '%f', '%s' (integer, float, string). 2755 * If omitted, all values in $data will be treated as strings unless otherwise 2756 * specified in wpdb::$field_types. Default null. 2757 * @return int|false The number of rows deleted, or false on error. 2758 */ 2759 public function delete( $table, $where, $where_format = null ) { 2760 if ( ! is_array( $where ) ) { 2761 return false; 2762 } 2763 2764 $where = $this->process_fields( $table, $where, $where_format ); 2765 if ( false === $where ) { 2766 return false; 2767 } 2768 2769 $conditions = array(); 2770 $values = array(); 2771 foreach ( $where as $field => $value ) { 2772 if ( is_null( $value['value'] ) ) { 2773 $conditions[] = "`$field` IS NULL"; 2774 continue; 2775 } 2776 2777 $conditions[] = "`$field` = " . $value['format']; 2778 $values[] = $value['value']; 2779 } 2780 2781 $conditions = implode( ' AND ', $conditions ); 2782 2783 $sql = "DELETE FROM `$table` WHERE $conditions"; 2784 2785 $this->check_current_query = false; 2786 return $this->query( $this->prepare( $sql, $values ) ); 2787 } 2788 2789 /** 2790 * Processes arrays of field/value pairs and field formats. 2791 * 2792 * This is a helper method for wpdb's CRUD methods, which take field/value pairs 2793 * for inserts, updates, and where clauses. This method first pairs each value 2794 * with a format. Then it determines the charset of that field, using that 2795 * to determine if any invalid text would be stripped. If text is stripped, 2796 * then field processing is rejected and the query fails. 2797 * 2798 * @since 4.2.0 2799 * 2800 * @param string $table Table name. 2801 * @param array $data Array of values keyed by their field names. 2802 * @param string[]|string $format Formats or format to be mapped to the values in the data. 2803 * @return array|false An array of fields that contain paired value and formats. 2804 * False for invalid values. 2805 */ 2806 protected function process_fields( $table, $data, $format ) { 2807 $data = $this->process_field_formats( $data, $format ); 2808 if ( false === $data ) { 2809 return false; 2810 } 2811 2812 $data = $this->process_field_charsets( $data, $table ); 2813 if ( false === $data ) { 2814 return false; 2815 } 2816 2817 $data = $this->process_field_lengths( $data, $table ); 2818 if ( false === $data ) { 2819 return false; 2820 } 2821 2822 $converted_data = $this->strip_invalid_text( $data ); 2823 2824 if ( $data !== $converted_data ) { 2825 2826 $problem_fields = array(); 2827 foreach ( $data as $field => $value ) { 2828 if ( $value !== $converted_data[ $field ] ) { 2829 $problem_fields[] = $field; 2830 } 2831 } 2832 2833 wp_load_translations_early(); 2834 2835 if ( 1 === count( $problem_fields ) ) { 2836 $this->last_error = sprintf( 2837 /* translators: %s: Database field where the error occurred. */ 2838 __( 'WordPress database error: Processing the value for the following field failed: %s. The supplied value may be too long or contains invalid data.' ), 2839 reset( $problem_fields ) 2840 ); 2841 } else { 2842 $this->last_error = sprintf( 2843 /* translators: %s: Database fields where the error occurred. */ 2844 __( 'WordPress database error: Processing the values for the following fields failed: %s. The supplied values may be too long or contain invalid data.' ), 2845 implode( ', ', $problem_fields ) 2846 ); 2847 } 2848 2849 return false; 2850 } 2851 2852 return $data; 2853 } 2854 2855 /** 2856 * Prepares arrays of value/format pairs as passed to wpdb CRUD methods. 2857 * 2858 * @since 4.2.0 2859 * 2860 * @param array $data Array of values keyed by their field names. 2861 * @param string[]|string $format Formats or format to be mapped to the values in the data. 2862 * @return array { 2863 * Array of values and formats keyed by their field names. 2864 * 2865 * @type mixed $value The value to be formatted. 2866 * @type string $format The format to be mapped to the value. 2867 * } 2868 */ 2869 protected function process_field_formats( $data, $format ) { 2870 $formats = (array) $format; 2871 $original_formats = $formats; 2872 2873 foreach ( $data as $field => $value ) { 2874 $value = array( 2875 'value' => $value, 2876 'format' => '%s', 2877 ); 2878 2879 if ( ! empty( $format ) ) { 2880 $value['format'] = array_shift( $formats ); 2881 if ( ! $value['format'] ) { 2882 $value['format'] = reset( $original_formats ); 2883 } 2884 } elseif ( isset( $this->field_types[ $field ] ) ) { 2885 $value['format'] = $this->field_types[ $field ]; 2886 } 2887 2888 $data[ $field ] = $value; 2889 } 2890 2891 return $data; 2892 } 2893 2894 /** 2895 * Adds field charsets to field/value/format arrays generated by wpdb::process_field_formats(). 2896 * 2897 * @since 4.2.0 2898 * 2899 * @param array $data { 2900 * Array of values and formats keyed by their field names, 2901 * as it comes from the wpdb::process_field_formats() method. 2902 * 2903 * @type array ...$0 { 2904 * Value and format for this field. 2905 * 2906 * @type mixed $value The value to be formatted. 2907 * @type string $format The format to be mapped to the value. 2908 * } 2909 * } 2910 * @param string $table Table name. 2911 * @return array|false { 2912 * The same array of data with additional 'charset' keys, or false if 2913 * the charset for the table cannot be found. 2914 * 2915 * @type array ...$0 { 2916 * Value, format, and charset for this field. 2917 * 2918 * @type mixed $value The value to be formatted. 2919 * @type string $format The format to be mapped to the value. 2920 * @type string|false $charset The charset to be used for the value. 2921 * } 2922 * } 2923 */ 2924 protected function process_field_charsets( $data, $table ) { 2925 foreach ( $data as $field => $value ) { 2926 if ( '%d' === $value['format'] || '%f' === $value['format'] ) { 2927 /* 2928 * We can skip this field if we know it isn't a string. 2929 * This checks %d/%f versus ! %s because its sprintf() could take more. 2930 */ 2931 $value['charset'] = false; 2932 } else { 2933 $value['charset'] = $this->get_col_charset( $table, $field ); 2934 if ( is_wp_error( $value['charset'] ) ) { 2935 return false; 2936 } 2937 } 2938 2939 $data[ $field ] = $value; 2940 } 2941 2942 return $data; 2943 } 2944 2945 /** 2946 * For string fields, records the maximum string length that field can safely save. 2947 * 2948 * @since 4.2.1 2949 * 2950 * @param array $data { 2951 * Array of values, formats, and charsets keyed by their field names, 2952 * as it comes from the wpdb::process_field_charsets() method. 2953 * 2954 * @type array ...$0 { 2955 * Value, format, and charset for this field. 2956 * 2957 * @type mixed $value The value to be formatted. 2958 * @type string $format The format to be mapped to the value. 2959 * @type string|false $charset The charset to be used for the value. 2960 * } 2961 * } 2962 * @param string $table Table name. 2963 * @return array|false { 2964 * The same array of data with additional 'length' keys, or false if 2965 * information for the table cannot be found. 2966 * 2967 * @type array ...$0 { 2968 * Value, format, charset, and length for this field. 2969 * 2970 * @type mixed $value The value to be formatted. 2971 * @type string $format The format to be mapped to the value. 2972 * @type string|false $charset The charset to be used for the value. 2973 * @type array|false $length { 2974 * Information about the maximum length of the value. 2975 * False if the column has no length. 2976 * 2977 * @type string $type One of 'byte' or 'char'. 2978 * @type int $length The column length. 2979 * } 2980 * } 2981 * } 2982 */ 2983 protected function process_field_lengths( $data, $table ) { 2984 foreach ( $data as $field => $value ) { 2985 if ( '%d' === $value['format'] || '%f' === $value['format'] ) { 2986 /* 2987 * We can skip this field if we know it isn't a string. 2988 * This checks %d/%f versus ! %s because its sprintf() could take more. 2989 */ 2990 $value['length'] = false; 2991 } else { 2992 $value['length'] = $this->get_col_length( $table, $field ); 2993 if ( is_wp_error( $value['length'] ) ) { 2994 return false; 2995 } 2996 } 2997 2998 $data[ $field ] = $value; 2999 } 3000 3001 return $data; 3002 } 3003 3004 /** 3005 * Retrieves one value from the database. 3006 * 3007 * Executes a SQL query and returns the value from the SQL result. 3008 * If the SQL result contains more than one column and/or more than one row, 3009 * the value in the column and row specified is returned. If $query is null, 3010 * the value in the specified column and row from the previous SQL result is returned. 3011 * 3012 * @since 0.71 3013 * 3014 * @param string|null $query Optional. SQL query. Defaults to null, use the result from the previous query. 3015 * @param int $x Optional. Column of value to return. Indexed from 0. Default 0. 3016 * @param int $y Optional. Row of value to return. Indexed from 0. Default 0. 3017 * @return string|null Database query result (as string), or null on failure. 3018 */ 3019 public function get_var( $query = null, $x = 0, $y = 0 ) { 3020 $this->func_call = "\$db->get_var(\"$query\", $x, $y)"; 3021 3022 if ( $query ) { 3023 if ( $this->check_current_query && $this->check_safe_collation( $query ) ) { 3024 $this->check_current_query = false; 3025 } 3026 3027 $this->query( $query ); 3028 } 3029 3030 // Extract var out of cached results based on x,y vals. 3031 if ( ! empty( $this->last_result[ $y ] ) ) { 3032 $values = array_values( get_object_vars( $this->last_result[ $y ] ) ); 3033 } 3034 3035 // If there is a value return it, else return null. 3036 return ( isset( $values[ $x ] ) && '' !== $values[ $x ] ) ? $values[ $x ] : null; 3037 } 3038 3039 /** 3040 * Retrieves one row from the database. 3041 * 3042 * Executes a SQL query and returns the row from the SQL result. 3043 * 3044 * @since 0.71 3045 * 3046 * @param string|null $query SQL query. 3047 * @param string $output Optional. The required return type. One of OBJECT, ARRAY_A, or ARRAY_N, which 3048 * correspond to an stdClass object, an associative array, or a numeric array, 3049 * respectively. Default OBJECT. 3050 * @param int $y Optional. Row to return. Indexed from 0. Default 0. 3051 * @return array|object|null|void Database query result in format specified by $output or null on failure. 3052 */ 3053 public function get_row( $query = null, $output = OBJECT, $y = 0 ) { 3054 $this->func_call = "\$db->get_row(\"$query\",$output,$y)"; 3055 3056 if ( $query ) { 3057 if ( $this->check_current_query && $this->check_safe_collation( $query ) ) { 3058 $this->check_current_query = false; 3059 } 3060 3061 $this->query( $query ); 3062 } else { 3063 return null; 3064 } 3065 3066 if ( ! isset( $this->last_result[ $y ] ) ) { 3067 return null; 3068 } 3069 3070 if ( OBJECT === $output ) { 3071 return $this->last_result[ $y ] ? $this->last_result[ $y ] : null; 3072 } elseif ( ARRAY_A === $output ) { 3073 return $this->last_result[ $y ] ? get_object_vars( $this->last_result[ $y ] ) : null; 3074 } elseif ( ARRAY_N === $output ) { 3075 return $this->last_result[ $y ] ? array_values( get_object_vars( $this->last_result[ $y ] ) ) : null; 3076 } elseif ( OBJECT === strtoupper( $output ) ) { 3077 // Back compat for OBJECT being previously case-insensitive. 3078 return $this->last_result[ $y ] ? $this->last_result[ $y ] : null; 3079 } else { 3080 $this->print_error( ' $db->get_row(string query, output type, int offset) -- Output type must be one of: OBJECT, ARRAY_A, ARRAY_N' ); 3081 } 3082 } 3083 3084 /** 3085 * Retrieves one column from the database. 3086 * 3087 * Executes a SQL query and returns the column from the SQL result. 3088 * If the SQL result contains more than one column, the column specified is returned. 3089 * If $query is null, the specified column from the previous SQL result is returned. 3090 * 3091 * @since 0.71 3092 * 3093 * @param string|null $query Optional. SQL query. Defaults to previous query. 3094 * @param int $x Optional. Column to return. Indexed from 0. Default 0. 3095 * @return array Database query result. Array indexed from 0 by SQL result row number. 3096 */ 3097 public function get_col( $query = null, $x = 0 ) { 3098 if ( $query ) { 3099 if ( $this->check_current_query && $this->check_safe_collation( $query ) ) { 3100 $this->check_current_query = false; 3101 } 3102 3103 $this->query( $query ); 3104 } 3105 3106 $new_array = array(); 3107 // Extract the column values. 3108 if ( $this->last_result ) { 3109 for ( $i = 0, $j = count( $this->last_result ); $i < $j; $i++ ) { 3110 $new_array[ $i ] = $this->get_var( null, $x, $i ); 3111 } 3112 } 3113 return $new_array; 3114 } 3115 3116 /** 3117 * Retrieves an entire SQL result set from the database (i.e., many rows). 3118 * 3119 * Executes a SQL query and returns the entire SQL result. 3120 * 3121 * @since 0.71 3122 * 3123 * @param string $query SQL query. 3124 * @param string $output Optional. Any of ARRAY_A | ARRAY_N | OBJECT | OBJECT_K constants. 3125 * With one of the first three, return an array of rows indexed 3126 * from 0 by SQL result row number. Each row is an associative array 3127 * (column => value, ...), a numerically indexed array (0 => value, ...), 3128 * or an object ( ->column = value ), respectively. With OBJECT_K, 3129 * return an associative array of row objects keyed by the value 3130 * of each row's first column's value. Duplicate keys are discarded. 3131 * Default OBJECT. 3132 * @return array|object|null Database query results. 3133 */ 3134 public function get_results( $query = null, $output = OBJECT ) { 3135 $this->func_call = "\$db->get_results(\"$query\", $output)"; 3136 3137 if ( $query ) { 3138 if ( $this->check_current_query && $this->check_safe_collation( $query ) ) { 3139 $this->check_current_query = false; 3140 } 3141 3142 $this->query( $query ); 3143 } else { 3144 return null; 3145 } 3146 3147 $new_array = array(); 3148 if ( OBJECT === $output ) { 3149 // Return an integer-keyed array of row objects. 3150 return $this->last_result; 3151 } elseif ( OBJECT_K === $output ) { 3152 /* 3153 * Return an array of row objects with keys from column 1. 3154 * (Duplicates are discarded.) 3155 */ 3156 if ( $this->last_result ) { 3157 foreach ( $this->last_result as $row ) { 3158 $var_by_ref = get_object_vars( $row ); 3159 $key = array_shift( $var_by_ref ); 3160 if ( ! isset( $new_array[ $key ] ) ) { 3161 $new_array[ $key ] = $row; 3162 } 3163 } 3164 } 3165 return $new_array; 3166 } elseif ( ARRAY_A === $output || ARRAY_N === $output ) { 3167 // Return an integer-keyed array of... 3168 if ( $this->last_result ) { 3169 if ( ARRAY_N === $output ) { 3170 foreach ( (array) $this->last_result as $row ) { 3171 // ...integer-keyed row arrays. 3172 $new_array[] = array_values( get_object_vars( $row ) ); 3173 } 3174 } else { 3175 foreach ( (array) $this->last_result as $row ) { 3176 // ...column name-keyed row arrays. 3177 $new_array[] = get_object_vars( $row ); 3178 } 3179 } 3180 } 3181 return $new_array; 3182 } elseif ( strtoupper( $output ) === OBJECT ) { 3183 // Back compat for OBJECT being previously case-insensitive. 3184 return $this->last_result; 3185 } 3186 return null; 3187 } 3188 3189 /** 3190 * Retrieves the character set for the given table. 3191 * 3192 * @since 4.2.0 3193 * 3194 * @param string $table Table name. 3195 * @return string|WP_Error Table character set, WP_Error object if it couldn't be found. 3196 */ 3197 protected function get_table_charset( $table ) { 3198 $tablekey = strtolower( $table ); 3199 3200 /** 3201 * Filters the table charset value before the DB is checked. 3202 * 3203 * Returning a non-null value from the filter will effectively short-circuit 3204 * checking the DB for the charset, returning that value instead. 3205 * 3206 * @since 4.2.0 3207 * 3208 * @param string|WP_Error|null $charset The character set to use, WP_Error object 3209 * if it couldn't be found. Default null. 3210 * @param string $table The name of the table being checked. 3211 */ 3212 $charset = apply_filters( 'pre_get_table_charset', null, $table ); 3213 if ( null !== $charset ) { 3214 return $charset; 3215 } 3216 3217 if ( isset( $this->table_charset[ $tablekey ] ) ) { 3218 return $this->table_charset[ $tablekey ]; 3219 } 3220 3221 $charsets = array(); 3222 $columns = array(); 3223 3224 $table_parts = explode( '.', $table ); 3225 $table = '`' . implode( '`.`', $table_parts ) . '`'; 3226 $results = $this->get_results( "SHOW FULL COLUMNS FROM $table" ); 3227 if ( ! $results ) { 3228 return new WP_Error( 'wpdb_get_table_charset_failure', __( 'Could not retrieve table charset.' ) ); 3229 } 3230 3231 foreach ( $results as $column ) { 3232 $columns[ strtolower( $column->Field ) ] = $column; 3233 } 3234 3235 $this->col_meta[ $tablekey ] = $columns; 3236 3237 foreach ( $columns as $column ) { 3238 if ( ! empty( $column->Collation ) ) { 3239 list( $charset ) = explode( '_', $column->Collation ); 3240 3241 $charsets[ strtolower( $charset ) ] = true; 3242 } 3243 3244 list( $type ) = explode( '(', $column->Type ); 3245 3246 // A binary/blob means the whole query gets treated like this. 3247 if ( in_array( strtoupper( $type ), array( 'BINARY', 'VARBINARY', 'TINYBLOB', 'MEDIUMBLOB', 'BLOB', 'LONGBLOB' ), true ) ) { 3248 $this->table_charset[ $tablekey ] = 'binary'; 3249 return 'binary'; 3250 } 3251 } 3252 3253 // utf8mb3 is an alias for utf8. 3254 if ( isset( $charsets['utf8mb3'] ) ) { 3255 $charsets['utf8'] = true; 3256 unset( $charsets['utf8mb3'] ); 3257 } 3258 3259 // Check if we have more than one charset in play. 3260 $count = count( $charsets ); 3261 if ( 1 === $count ) { 3262 $charset = key( $charsets ); 3263 } elseif ( 0 === $count ) { 3264 // No charsets, assume this table can store whatever. 3265 $charset = false; 3266 } else { 3267 // More than one charset. Remove latin1 if present and recalculate. 3268 unset( $charsets['latin1'] ); 3269 $count = count( $charsets ); 3270 if ( 1 === $count ) { 3271 // Only one charset (besides latin1). 3272 $charset = key( $charsets ); 3273 } elseif ( 2 === $count && isset( $charsets['utf8'], $charsets['utf8mb4'] ) ) { 3274 // Two charsets, but they're utf8 and utf8mb4, use utf8. 3275 $charset = 'utf8'; 3276 } else { 3277 // Two mixed character sets. ascii. 3278 $charset = 'ascii'; 3279 } 3280 } 3281 3282 $this->table_charset[ $tablekey ] = $charset; 3283 return $charset; 3284 } 3285 3286 /** 3287 * Retrieves the character set for the given column. 3288 * 3289 * @since 4.2.0 3290 * 3291 * @param string $table Table name. 3292 * @param string $column Column name. 3293 * @return string|false|WP_Error Column character set as a string. False if the column has 3294 * no character set. WP_Error object if there was an error. 3295 */ 3296 public function get_col_charset( $table, $column ) { 3297 $tablekey = strtolower( $table ); 3298 $columnkey = strtolower( $column ); 3299 3300 /** 3301 * Filters the column charset value before the DB is checked. 3302 * 3303 * Passing a non-null value to the filter will short-circuit 3304 * checking the DB for the charset, returning that value instead. 3305 * 3306 * @since 4.2.0 3307 * 3308 * @param string|null|false|WP_Error $charset The character set to use. Default null. 3309 * @param string $table The name of the table being checked. 3310 * @param string $column The name of the column being checked. 3311 */ 3312 $charset = apply_filters( 'pre_get_col_charset', null, $table, $column ); 3313 if ( null !== $charset ) { 3314 return $charset; 3315 } 3316 3317 // Skip this entirely if this isn't a MySQL database. 3318 if ( empty( $this->is_mysql ) ) { 3319 return false; 3320 } 3321 3322 if ( empty( $this->table_charset[ $tablekey ] ) ) { 3323 // This primes column information for us. 3324 $table_charset = $this->get_table_charset( $table ); 3325 if ( is_wp_error( $table_charset ) ) { 3326 return $table_charset; 3327 } 3328 } 3329 3330 // If still no column information, return the table charset. 3331 if ( empty( $this->col_meta[ $tablekey ] ) ) { 3332 return $this->table_charset[ $tablekey ]; 3333 } 3334 3335 // If this column doesn't exist, return the table charset. 3336 if ( empty( $this->col_meta[ $tablekey ][ $columnkey ] ) ) { 3337 return $this->table_charset[ $tablekey ]; 3338 } 3339 3340 // Return false when it's not a string column. 3341 if ( empty( $this->col_meta[ $tablekey ][ $columnkey ]->Collation ) ) { 3342 return false; 3343 } 3344 3345 list( $charset ) = explode( '_', $this->col_meta[ $tablekey ][ $columnkey ]->Collation ); 3346 return $charset; 3347 } 3348 3349 /** 3350 * Retrieves the maximum string length allowed in a given column. 3351 * 3352 * The length may either be specified as a byte length or a character length. 3353 * 3354 * @since 4.2.1 3355 * 3356 * @param string $table Table name. 3357 * @param string $column Column name. 3358 * @return array|false|WP_Error { 3359 * Array of column length information, false if the column has no length (for 3360 * example, numeric column), WP_Error object if there was an error. 3361 * 3362 * @type string $type One of 'byte' or 'char'. 3363 * @type int $length The column length. 3364 * } 3365 */ 3366 public function get_col_length( $table, $column ) { 3367 $tablekey = strtolower( $table ); 3368 $columnkey = strtolower( $column ); 3369 3370 // Skip this entirely if this isn't a MySQL database. 3371 if ( empty( $this->is_mysql ) ) { 3372 return false; 3373 } 3374 3375 if ( empty( $this->col_meta[ $tablekey ] ) ) { 3376 // This primes column information for us. 3377 $table_charset = $this->get_table_charset( $table ); 3378 if ( is_wp_error( $table_charset ) ) { 3379 return $table_charset; 3380 } 3381 } 3382 3383 if ( empty( $this->col_meta[ $tablekey ][ $columnkey ] ) ) { 3384 return false; 3385 } 3386 3387 $typeinfo = explode( '(', $this->col_meta[ $tablekey ][ $columnkey ]->Type ); 3388 3389 $type = strtolower( $typeinfo[0] ); 3390 if ( ! empty( $typeinfo[1] ) ) { 3391 $length = trim( $typeinfo[1], ')' ); 3392 } else { 3393 $length = false; 3394 } 3395 3396 switch ( $type ) { 3397 case 'char': 3398 case 'varchar': 3399 return array( 3400 'type' => 'char', 3401 'length' => (int) $length, 3402 ); 3403 3404 case 'binary': 3405 case 'varbinary': 3406 return array( 3407 'type' => 'byte', 3408 'length' => (int) $length, 3409 ); 3410 3411 case 'tinyblob': 3412 case 'tinytext': 3413 return array( 3414 'type' => 'byte', 3415 'length' => 255, // 2^8 - 1 3416 ); 3417 3418 case 'blob': 3419 case 'text': 3420 return array( 3421 'type' => 'byte', 3422 'length' => 65535, // 2^16 - 1 3423 ); 3424 3425 case 'mediumblob': 3426 case 'mediumtext': 3427 return array( 3428 'type' => 'byte', 3429 'length' => 16777215, // 2^24 - 1 3430 ); 3431 3432 case 'longblob': 3433 case 'longtext': 3434 return array( 3435 'type' => 'byte', 3436 'length' => 4294967295, // 2^32 - 1 3437 ); 3438 3439 default: 3440 return false; 3441 } 3442 } 3443 3444 /** 3445 * Checks if a string is ASCII. 3446 * 3447 * The negative regex is faster for non-ASCII strings, as it allows 3448 * the search to finish as soon as it encounters a non-ASCII character. 3449 * 3450 * @since 4.2.0 3451 * 3452 * @param string $input_string String to check. 3453 * @return bool True if ASCII, false if not. 3454 */ 3455 protected function check_ascii( $input_string ) { 3456 if ( function_exists( 'mb_check_encoding' ) ) { 3457 if ( mb_check_encoding( $input_string, 'ASCII' ) ) { 3458 return true; 3459 } 3460 } elseif ( ! preg_match( '/[^\x00-\x7F]/', $input_string ) ) { 3461 return true; 3462 } 3463 3464 return false; 3465 } 3466 3467 /** 3468 * Checks if the query is accessing a collation considered safe on the current version of MySQL. 3469 * 3470 * @since 4.2.0 3471 * 3472 * @param string $query The query to check. 3473 * @return bool True if the collation is safe, false if it isn't. 3474 */ 3475 protected function check_safe_collation( $query ) { 3476 if ( $this->checking_collation ) { 3477 return true; 3478 } 3479 3480 // We don't need to check the collation for queries that don't read data. 3481 $query = ltrim( $query, "\r\n\t (" ); 3482 if ( preg_match( '/^(?:SHOW|DESCRIBE|DESC|EXPLAIN|CREATE)\s/i', $query ) ) { 3483 return true; 3484 } 3485 3486 // All-ASCII queries don't need extra checking. 3487 if ( $this->check_ascii( $query ) ) { 3488 return true; 3489 } 3490 3491 $table = $this->get_table_from_query( $query ); 3492 if ( ! $table ) { 3493 return false; 3494 } 3495 3496 $this->checking_collation = true; 3497 $collation = $this->get_table_charset( $table ); 3498 $this->checking_collation = false; 3499 3500 // Tables with no collation, or latin1 only, don't need extra checking. 3501 if ( false === $collation || 'latin1' === $collation ) { 3502 return true; 3503 } 3504 3505 $table = strtolower( $table ); 3506 if ( empty( $this->col_meta[ $table ] ) ) { 3507 return false; 3508 } 3509 3510 // If any of the columns don't have one of these collations, it needs more confidence checking. 3511 $safe_collations = array( 3512 'utf8_bin', 3513 'utf8_general_ci', 3514 'utf8mb3_bin', 3515 'utf8mb3_general_ci', 3516 'utf8mb4_bin', 3517 'utf8mb4_general_ci', 3518 ); 3519 3520 foreach ( $this->col_meta[ $table ] as $col ) { 3521 if ( empty( $col->Collation ) ) { 3522 continue; 3523 } 3524 3525 if ( ! in_array( $col->Collation, $safe_collations, true ) ) { 3526 return false; 3527 } 3528 } 3529 3530 return true; 3531 } 3532 3533 /** 3534 * Strips any invalid characters based on value/charset pairs. 3535 * 3536 * @since 4.2.0 3537 * 3538 * @param array $data Array of value arrays. Each value array has the keys 'value', 'charset', and 'length'. 3539 * An optional 'ascii' key can be set to false to avoid redundant ASCII checks. 3540 * @return array|WP_Error The $data parameter, with invalid characters removed from each value. 3541 * This works as a passthrough: any additional keys such as 'field' are 3542 * retained in each value array. If we cannot remove invalid characters, 3543 * a WP_Error object is returned. 3544 */ 3545 protected function strip_invalid_text( $data ) { 3546 $db_check_string = false; 3547 3548 foreach ( $data as &$value ) { 3549 $charset = $value['charset']; 3550 3551 if ( is_array( $value['length'] ) ) { 3552 $length = $value['length']['length']; 3553 $truncate_by_byte_length = 'byte' === $value['length']['type']; 3554 } else { 3555 $length = false; 3556 /* 3557 * Since we have no length, we'll never truncate. Initialize the variable to false. 3558 * True would take us through an unnecessary (for this case) codepath below. 3559 */ 3560 $truncate_by_byte_length = false; 3561 } 3562 3563 // There's no charset to work with. 3564 if ( false === $charset ) { 3565 continue; 3566 } 3567 3568 // Column isn't a string. 3569 if ( ! is_string( $value['value'] ) ) { 3570 continue; 3571 } 3572 3573 $needs_validation = true; 3574 if ( 3575 // latin1 can store any byte sequence. 3576 'latin1' === $charset 3577 || 3578 // ASCII is always OK. 3579 ( ! isset( $value['ascii'] ) && $this->check_ascii( $value['value'] ) ) 3580 ) { 3581 $truncate_by_byte_length = true; 3582 $needs_validation = false; 3583 } 3584 3585 if ( $truncate_by_byte_length ) { 3586 mbstring_binary_safe_encoding(); 3587 if ( false !== $length && strlen( $value['value'] ) > $length ) { 3588 $value['value'] = substr( $value['value'], 0, $length ); 3589 } 3590 reset_mbstring_encoding(); 3591 3592 if ( ! $needs_validation ) { 3593 continue; 3594 } 3595 } 3596 3597 // utf8 can be handled by regex, which is a bunch faster than a DB lookup. 3598 if ( ( 'utf8' === $charset || 'utf8mb3' === $charset || 'utf8mb4' === $charset ) && function_exists( 'mb_strlen' ) ) { 3599 $regex = '/ 3600 ( 3601 (?: [\x00-\x7F] # single-byte sequences 0xxxxxxx 3602 | [\xC2-\xDF][\x80-\xBF] # double-byte sequences 110xxxxx 10xxxxxx 3603 | \xE0[\xA0-\xBF][\x80-\xBF] # triple-byte sequences 1110xxxx 10xxxxxx * 2 3604 | [\xE1-\xEC][\x80-\xBF]{2} 3605 | \xED[\x80-\x9F][\x80-\xBF] 3606 | [\xEE-\xEF][\x80-\xBF]{2}'; 3607 3608 if ( 'utf8mb4' === $charset ) { 3609 $regex .= ' 3610 | \xF0[\x90-\xBF][\x80-\xBF]{2} # four-byte sequences 11110xxx 10xxxxxx * 3 3611 | [\xF1-\xF3][\x80-\xBF]{3} 3612 | \xF4[\x80-\x8F][\x80-\xBF]{2} 3613 '; 3614 } 3615 3616 $regex .= '){1,40} # ...one or more times 3617 ) 3618 | . # anything else 3619 /x'; 3620 $value['value'] = preg_replace( $regex, '$1', $value['value'] ); 3621 3622 if ( false !== $length && mb_strlen( $value['value'], 'UTF-8' ) > $length ) { 3623 $value['value'] = mb_substr( $value['value'], 0, $length, 'UTF-8' ); 3624 } 3625 continue; 3626 } 3627 3628 // We couldn't use any local conversions, send it to the DB. 3629 $value['db'] = true; 3630 $db_check_string = true; 3631 } 3632 unset( $value ); // Remove by reference. 3633 3634 if ( $db_check_string ) { 3635 $queries = array(); 3636 foreach ( $data as $col => $value ) { 3637 if ( ! empty( $value['db'] ) ) { 3638 // We're going to need to truncate by characters or bytes, depending on the length value we have. 3639 if ( isset( $value['length']['type'] ) && 'byte' === $value['length']['type'] ) { 3640 // Using binary causes LEFT() to truncate by bytes. 3641 $charset = 'binary'; 3642 } else { 3643 $charset = $value['charset']; 3644 } 3645 3646 if ( $this->charset ) { 3647 $connection_charset = $this->charset; 3648 } else { 3649 $connection_charset = mysqli_character_set_name( $this->dbh ); 3650 } 3651 3652 if ( is_array( $value['length'] ) ) { 3653 $length = sprintf( '%.0f', $value['length']['length'] ); 3654 $queries[ $col ] = $this->prepare( "CONVERT( LEFT( CONVERT( %s USING $charset ), $length ) USING $connection_charset )", $value['value'] ); 3655 } elseif ( 'binary' !== $charset ) { 3656 // If we don't have a length, there's no need to convert binary - it will always return the same result. 3657 $queries[ $col ] = $this->prepare( "CONVERT( CONVERT( %s USING $charset ) USING $connection_charset )", $value['value'] ); 3658 } 3659 3660 unset( $data[ $col ]['db'] ); 3661 } 3662 } 3663 3664 $sql = array(); 3665 foreach ( $queries as $column => $query ) { 3666 if ( ! $query ) { 3667 continue; 3668 } 3669 3670 $sql[] = $query . " AS x_$column"; 3671 } 3672 3673 $this->check_current_query = false; 3674 $row = $this->get_row( 'SELECT ' . implode( ', ', $sql ), ARRAY_A ); 3675 if ( ! $row ) { 3676 return new WP_Error( 'wpdb_strip_invalid_text_failure', __( 'Could not strip invalid text.' ) ); 3677 } 3678 3679 foreach ( array_keys( $data ) as $column ) { 3680 if ( isset( $row[ "x_$column" ] ) ) { 3681 $data[ $column ]['value'] = $row[ "x_$column" ]; 3682 } 3683 } 3684 } 3685 3686 return $data; 3687 } 3688 3689 /** 3690 * Strips any invalid characters from the query. 3691 * 3692 * @since 4.2.0 3693 * 3694 * @param string $query Query to convert. 3695 * @return string|WP_Error The converted query, or a WP_Error object if the conversion fails. 3696 */ 3697 protected function strip_invalid_text_from_query( $query ) { 3698 // We don't need to check the collation for queries that don't read data. 3699 $trimmed_query = ltrim( $query, "\r\n\t (" ); 3700 if ( preg_match( '/^(?:SHOW|DESCRIBE|DESC|EXPLAIN|CREATE)\s/i', $trimmed_query ) ) { 3701 return $query; 3702 } 3703 3704 $table = $this->get_table_from_query( $query ); 3705 if ( $table ) { 3706 $charset = $this->get_table_charset( $table ); 3707 if ( is_wp_error( $charset ) ) { 3708 return $charset; 3709 } 3710 3711 // We can't reliably strip text from tables containing binary/blob columns. 3712 if ( 'binary' === $charset ) { 3713 return $query; 3714 } 3715 } else { 3716 $charset = $this->charset; 3717 } 3718 3719 $data = array( 3720 'value' => $query, 3721 'charset' => $charset, 3722 'ascii' => false, 3723 'length' => false, 3724 ); 3725 3726 $data = $this->strip_invalid_text( array( $data ) ); 3727 if ( is_wp_error( $data ) ) { 3728 return $data; 3729 } 3730 3731 return $data[0]['value']; 3732 } 3733 3734 /** 3735 * Strips any invalid characters from the string for a given table and column. 3736 * 3737 * @since 4.2.0 3738 * 3739 * @param string $table Table name. 3740 * @param string $column Column name. 3741 * @param string $value The text to check. 3742 * @return string|WP_Error The converted string, or a WP_Error object if the conversion fails. 3743 */ 3744 public function strip_invalid_text_for_column( $table, $column, $value ) { 3745 if ( ! is_string( $value ) ) { 3746 return $value; 3747 } 3748 3749 $charset = $this->get_col_charset( $table, $column ); 3750 if ( ! $charset ) { 3751 // Not a string column. 3752 return $value; 3753 } elseif ( is_wp_error( $charset ) ) { 3754 // Bail on real errors. 3755 return $charset; 3756 } 3757 3758 $data = array( 3759 $column => array( 3760 'value' => $value, 3761 'charset' => $charset, 3762 'length' => $this->get_col_length( $table, $column ), 3763 ), 3764 ); 3765 3766 $data = $this->strip_invalid_text( $data ); 3767 if ( is_wp_error( $data ) ) { 3768 return $data; 3769 } 3770 3771 return $data[ $column ]['value']; 3772 } 3773 3774 /** 3775 * Finds the first table name referenced in a query. 3776 * 3777 * @since 4.2.0 3778 * 3779 * @param string $query The query to search. 3780 * @return string|false The table name found, or false if a table couldn't be found. 3781 */ 3782 protected function get_table_from_query( $query ) { 3783 // Remove characters that can legally trail the table name. 3784 $query = rtrim( $query, ';/-#' ); 3785 3786 // Allow (select...) union [...] style queries. Use the first query's table name. 3787 $query = ltrim( $query, "\r\n\t (" ); 3788 3789 // Strip everything between parentheses except nested selects. 3790 $query = preg_replace( '/\((?!\s*select)[^(]*?\)/is', '()', $query ); 3791 3792 // Quickly match most common queries. 3793 if ( preg_match( 3794 '/^\s*(?:' 3795 . 'SELECT.*?\s+FROM' 3796 . '|INSERT(?:\s+LOW_PRIORITY|\s+DELAYED|\s+HIGH_PRIORITY)?(?:\s+IGNORE)?(?:\s+INTO)?' 3797 . '|REPLACE(?:\s+LOW_PRIORITY|\s+DELAYED)?(?:\s+INTO)?' 3798 . '|UPDATE(?:\s+LOW_PRIORITY)?(?:\s+IGNORE)?' 3799 . '|DELETE(?:\s+LOW_PRIORITY|\s+QUICK|\s+IGNORE)*(?:.+?FROM)?' 3800 . ')\s+((?:[0-9a-zA-Z$_.`-]|[\xC2-\xDF][\x80-\xBF])+)/is', 3801 $query, 3802 $maybe 3803 ) ) { 3804 return str_replace( '`', '', $maybe[1] ); 3805 } 3806 3807 // SHOW TABLE STATUS and SHOW TABLES WHERE Name = 'wp_posts' 3808 if ( preg_match( '/^\s*SHOW\s+(?:TABLE\s+STATUS|(?:FULL\s+)?TABLES).+WHERE\s+Name\s*=\s*("|\')((?:[0-9a-zA-Z$_.-]|[\xC2-\xDF][\x80-\xBF])+)\\1/is', $query, $maybe ) ) { 3809 return $maybe[2]; 3810 } 3811 3812 /* 3813 * SHOW TABLE STATUS LIKE and SHOW TABLES LIKE 'wp\_123\_%' 3814 * This quoted LIKE operand seldom holds a full table name. 3815 * It is usually a pattern for matching a prefix so we just 3816 * strip the trailing % and unescape the _ to get 'wp_123_' 3817 * which drop-ins can use for routing these SQL statements. 3818 */ 3819 if ( preg_match( '/^\s*SHOW\s+(?:TABLE\s+STATUS|(?:FULL\s+)?TABLES)\s+(?:WHERE\s+Name\s+)?LIKE\s*("|\')((?:[\\\\0-9a-zA-Z$_.-]|[\xC2-\xDF][\x80-\xBF])+)%?\\1/is', $query, $maybe ) ) { 3820 return str_replace( '\\_', '_', $maybe[2] ); 3821 } 3822 3823 // Big pattern for the rest of the table-related queries. 3824 if ( preg_match( 3825 '/^\s*(?:' 3826 . '(?:EXPLAIN\s+(?:EXTENDED\s+)?)?SELECT.*?\s+FROM' 3827 . '|DESCRIBE|DESC|EXPLAIN|HANDLER' 3828 . '|(?:LOCK|UNLOCK)\s+TABLE(?:S)?' 3829 . '|(?:RENAME|OPTIMIZE|BACKUP|RESTORE|CHECK|CHECKSUM|ANALYZE|REPAIR).*\s+TABLE' 3830 . '|TRUNCATE(?:\s+TABLE)?' 3831 . '|CREATE(?:\s+TEMPORARY)?\s+TABLE(?:\s+IF\s+NOT\s+EXISTS)?' 3832 . '|ALTER(?:\s+IGNORE)?\s+TABLE' 3833 . '|DROP\s+TABLE(?:\s+IF\s+EXISTS)?' 3834 . '|CREATE(?:\s+\w+)?\s+INDEX.*\s+ON' 3835 . '|DROP\s+INDEX.*\s+ON' 3836 . '|LOAD\s+DATA.*INFILE.*INTO\s+TABLE' 3837 . '|(?:GRANT|REVOKE).*ON\s+TABLE' 3838 . '|SHOW\s+(?:.*FROM|.*TABLE)' 3839 . ')\s+\(*\s*((?:[0-9a-zA-Z$_.`-]|[\xC2-\xDF][\x80-\xBF])+)\s*\)*/is', 3840 $query, 3841 $maybe 3842 ) ) { 3843 return str_replace( '`', '', $maybe[1] ); 3844 } 3845 3846 return false; 3847 } 3848 3849 /** 3850 * Loads the column metadata from the last query. 3851 * 3852 * @since 3.5.0 3853 */ 3854 protected function load_col_info() { 3855 if ( $this->col_info ) { 3856 return; 3857 } 3858 3859 $num_fields = mysqli_num_fields( $this->result ); 3860 3861 for ( $i = 0; $i < $num_fields; $i++ ) { 3862 $this->col_info[ $i ] = mysqli_fetch_field( $this->result ); 3863 } 3864 } 3865 3866 /** 3867 * Retrieves column metadata from the last query. 3868 * 3869 * @since 0.71 3870 * 3871 * @param string $info_type Optional. Possible values include 'name', 'table', 'def', 'max_length', 3872 * 'not_null', 'primary_key', 'multiple_key', 'unique_key', 'numeric', 3873 * 'blob', 'type', 'unsigned', 'zerofill'. Default 'name'. 3874 * @param int $col_offset Optional. 0: col name. 1: which table the col's in. 2: col's max length. 3875 * 3: if the col is numeric. 4: col's type. Default -1. 3876 * @return mixed Column results. 3877 */ 3878 public function get_col_info( $info_type = 'name', $col_offset = -1 ) { 3879 $this->load_col_info(); 3880 3881 if ( $this->col_info ) { 3882 if ( -1 === $col_offset ) { 3883 $i = 0; 3884 $new_array = array(); 3885 foreach ( (array) $this->col_info as $col ) { 3886 $new_array[ $i ] = $col->{$info_type}; 3887 ++$i; 3888 } 3889 return $new_array; 3890 } else { 3891 return $this->col_info[ $col_offset ]->{$info_type}; 3892 } 3893 } 3894 } 3895 3896 /** 3897 * Starts the timer, for debugging purposes. 3898 * 3899 * @since 1.5.0 3900 * 3901 * @return true 3902 */ 3903 public function timer_start() { 3904 $this->time_start = microtime( true ); 3905 return true; 3906 } 3907 3908 /** 3909 * Stops the debugging timer. 3910 * 3911 * @since 1.5.0 3912 * 3913 * @return float Total time spent on the query, in seconds. 3914 */ 3915 public function timer_stop() { 3916 return ( microtime( true ) - $this->time_start ); 3917 } 3918 3919 /** 3920 * Wraps errors in a nice header and footer and dies. 3921 * 3922 * Will not die if wpdb::$show_errors is false. 3923 * 3924 * @since 1.5.0 3925 * 3926 * @param string $message The error message. 3927 * @param string $error_code Optional. A computer-readable string to identify the error. 3928 * Default '500'. 3929 * @return void|false Void if the showing of errors is enabled, false if disabled. 3930 */ 3931 public function bail( $message, $error_code = '500' ) { 3932 if ( $this->show_errors ) { 3933 $error = ''; 3934 3935 if ( $this->dbh instanceof mysqli ) { 3936 $error = mysqli_error( $this->dbh ); 3937 } elseif ( mysqli_connect_errno() ) { 3938 $error = mysqli_connect_error(); 3939 } 3940 3941 if ( $error ) { 3942 $message = '<p><code>' . $error . "</code></p>\n" . $message; 3943 } 3944 3945 wp_die( $message ); 3946 } else { 3947 if ( class_exists( 'WP_Error', false ) ) { 3948 $this->error = new WP_Error( $error_code, $message ); 3949 } else { 3950 $this->error = $message; 3951 } 3952 3953 return false; 3954 } 3955 } 3956 3957 /** 3958 * Closes the current database connection. 3959 * 3960 * @since 4.5.0 3961 * 3962 * @return bool True if the connection was successfully closed, 3963 * false if it wasn't, or if the connection doesn't exist. 3964 */ 3965 public function close() { 3966 if ( ! $this->dbh ) { 3967 return false; 3968 } 3969 3970 $closed = mysqli_close( $this->dbh ); 3971 3972 if ( $closed ) { 3973 $this->dbh = null; 3974 $this->ready = false; 3975 $this->has_connected = false; 3976 } 3977 3978 return $closed; 3979 } 3980 3981 /** 3982 * Determines whether MySQL database is at least the required minimum version. 3983 * 3984 * @since 2.5.0 3985 * 3986 * @global string $required_mysql_version The required MySQL version string. 3987 * @return void|WP_Error 3988 */ 3989 public function check_database_version() { 3990 global $required_mysql_version; 3991 $wp_version = wp_get_wp_version(); 3992 3993 // Make sure the server has the required MySQL version. 3994 if ( version_compare( $this->db_version(), $required_mysql_version, '<' ) ) { 3995 /* translators: 1: WordPress version number, 2: Minimum required MySQL version number. */ 3996 return new WP_Error( 'database_version', sprintf( __( '<strong>Error:</strong> WordPress %1$s requires MySQL %2$s or higher' ), $wp_version, $required_mysql_version ) ); 3997 } 3998 } 3999 4000 /** 4001 * Determines whether the database supports collation. 4002 * 4003 * Called when WordPress is generating the table scheme. 4004 * 4005 * Use `wpdb::has_cap( 'collation' )`. 4006 * 4007 * @since 2.5.0 4008 * @deprecated 3.5.0 Use wpdb::has_cap() 4009 * 4010 * @return bool True if collation is supported, false if not. 4011 */ 4012 public function supports_collation() { 4013 _deprecated_function( __FUNCTION__, '3.5.0', 'wpdb::has_cap( \'collation\' )' ); 4014 return $this->has_cap( 'collation' ); 4015 } 4016 4017 /** 4018 * Retrieves the database character collate. 4019 * 4020 * @since 3.5.0 4021 * 4022 * @return string The database character collate. 4023 */ 4024 public function get_charset_collate() { 4025 $charset_collate = ''; 4026 4027 if ( ! empty( $this->charset ) ) { 4028 $charset_collate = "DEFAULT CHARACTER SET $this->charset"; 4029 } 4030 if ( ! empty( $this->collate ) ) { 4031 $charset_collate .= " COLLATE $this->collate"; 4032 } 4033 4034 return $charset_collate; 4035 } 4036 4037 /** 4038 * Determines whether the database or WPDB supports a particular feature. 4039 * 4040 * Capability sniffs for the database server and current version of WPDB. 4041 * 4042 * Database sniffs are based on the version of MySQL the site is using. 4043 * 4044 * WPDB sniffs are added as new features are introduced to allow theme and plugin 4045 * developers to determine feature support. This is to account for drop-ins which may 4046 * introduce feature support at a different time to WordPress. 4047 * 4048 * @since 2.7.0 4049 * @since 4.1.0 Added support for the 'utf8mb4' feature. 4050 * @since 4.6.0 Added support for the 'utf8mb4_520' feature. 4051 * @since 6.2.0 Added support for the 'identifier_placeholders' feature. 4052 * @since 6.6.0 The `utf8mb4` feature now always returns true. 4053 * 4054 * @see wpdb::db_version() 4055 * 4056 * @param string $db_cap The feature to check for. Accepts 'collation', 'group_concat', 4057 * 'subqueries', 'set_charset', 'utf8mb4', 'utf8mb4_520', 4058 * or 'identifier_placeholders'. 4059 * @return bool True when the database feature is supported, false otherwise. 4060 */ 4061 public function has_cap( $db_cap ) { 4062 $db_version = $this->db_version(); 4063 $db_server_info = $this->db_server_info(); 4064 4065 /* 4066 * Account for MariaDB version being prefixed with '5.5.5-' on older PHP versions. 4067 * 4068 * Note: str_contains() is not used here, as this file can be included 4069 * directly outside of WordPress core, e.g. by HyperDB, in which case 4070 * the polyfills from wp-includes/compat.php are not loaded. 4071 */ 4072 if ( '5.5.5' === $db_version && false !== strpos( $db_server_info, 'MariaDB' ) 4073 && PHP_VERSION_ID < 80016 // PHP 8.0.15 or older. 4074 ) { 4075 // Strip the '5.5.5-' prefix and set the version to the correct value. 4076 $db_server_info = preg_replace( '/^5\.5\.5-(.*)/', '$1', $db_server_info ); 4077 $db_version = preg_replace( '/[^0-9.].*/', '', $db_server_info ); 4078 } 4079 4080 switch ( strtolower( $db_cap ) ) { 4081 case 'collation': // @since 2.5.0 4082 case 'group_concat': // @since 2.7.0 4083 case 'subqueries': // @since 2.7.0 4084 return version_compare( $db_version, '4.1', '>=' ); 4085 case 'set_charset': 4086 return version_compare( $db_version, '5.0.7', '>=' ); 4087 case 'utf8mb4': // @since 4.1.0 4088 return true; 4089 case 'utf8mb4_520': // @since 4.6.0 4090 return version_compare( $db_version, '5.6', '>=' ); 4091 case 'identifier_placeholders': // @since 6.2.0 4092 /* 4093 * As of WordPress 6.2, wpdb::prepare() supports identifiers via '%i', 4094 * e.g. table/field names. 4095 */ 4096 return true; 4097 } 4098 4099 return false; 4100 } 4101 4102 /** 4103 * Retrieves a comma-separated list of the names of the functions that called wpdb. 4104 * 4105 * @since 2.5.0 4106 * 4107 * @return string Comma-separated list of the calling functions. 4108 */ 4109 public function get_caller() { 4110 return wp_debug_backtrace_summary( __CLASS__ ); 4111 } 4112 4113 /** 4114 * Retrieves the database server version. 4115 * 4116 * @since 2.7.0 4117 * 4118 * @return string|null Version number on success, null on failure. 4119 */ 4120 public function db_version() { 4121 return preg_replace( '/[^0-9.].*/', '', $this->db_server_info() ); 4122 } 4123 4124 /** 4125 * Returns the version of the MySQL server. 4126 * 4127 * @since 5.5.0 4128 * 4129 * @return string Server version as a string. 4130 */ 4131 public function db_server_info() { 4132 return mysqli_get_server_info( $this->dbh ); 4133 } 4134 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
Generated : Sat Dec 21 08:20:01 2024 | Cross-referenced by PHPXref |