Fix potential SQLi through improper use of API functions.

git-svn-id: https://develop.svn.wordpress.org/trunk@24875 602fd350-edb4-49c9-b593-d223f7449a82

wp-admin/includes/ms.php

@@ -371,7 +371,7 @@ function update_user_status( $id, $pref, $value, $deprecated = null ) {
 	if ( null !== $deprecated )
 		_deprecated_argument( __FUNCTION__, '3.1' );
 
-	$wpdb->update( $wpdb->users, array( $pref => $value ), array( 'ID' => $id ) );
+	$wpdb->update( $wpdb->users, array( sanitize_key( $pref ) => $value ), array( 'ID' => $id ) );
 
 	$user = new WP_User( $id );
 	clean_user_cache( $user );

wp-includes/bookmark.php

@@ -186,7 +186,7 @@ function get_bookmarks($args = '') {
 	}
 
 	if ( ! empty($search) ) {
-		$search = like_escape($search);
+		$search = esc_sql( like_escape( $search ) );
 		$search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) ";
 	}