Use sanitize_key() instead of esc_sql() when 'escaping' variable DB field names. see #21767.

git-svn-id: https://develop.svn.wordpress.org/trunk@24714 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 14:20:15 +00:00 · 2013-07-16 14:21:05 +00:00
parent 25708e95f1
commit 40623f1c68
3 changed files with 9 additions and 9 deletions
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -393,7 +393,7 @@ class WP_User_Query {

 			$this->query_fields = array();
 			foreach ( $qv['fields'] as $field )
-				$this->query_fields[] = $wpdb->users . '.' . esc_sql( $field );
+				$this->query_fields[] = $wpdb->users . '.' . sanitize_key( $field );
 			$this->query_fields = implode( ',', $this->query_fields );
 		} elseif ( 'all' == $qv['fields'] ) {
 			$this->query_fields = "$wpdb->users.*";