
Commit 0c0cfb9

committed
Refactor the meta query portion of search_orders() to use properly-prepared SQL
1 parent f178687 commit 0c0cfb9


1 file changed

+18
-8
lines changed


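--- a/includes/class-wc-order-data-store-custom-table.php
+++ b/includes/class-wc-order-data-store-custom-table.php
@@ -556,24 +556,34 @@ public function search_orders( $term ) {
 
 $order_ids = array();
 
+// Treat a numeric search term as an order ID.
 if ( is_numeric( $term ) ) {
 $order_ids[] = absint( $term );
 }
 
+// Search given post meta columns for the query.
+$postmeta_search = array();
+
 /**
 * Searches on meta data can be slow - this lets you choose what fields to search.
 *
 * WooCommerce 2.7.0 added _billing_address and _shipping_address meta which contains all
 * address data to make this faster. However, this won't work on older orders unless they
 * are updated, so search a few others (expand this using the filter if needed).
 */
-$meta_search_fields = array_map( 'wc_clean', apply_filters( 'woocommerce_shop_order_search_fields', array(
-// While we are searching the custom table, we will also search meta when filtered for backwards compatibility.
-) ) );
-
-$postmeta_search = ! empty( $meta_search_fields ) ? $wpdb->get_col(
-$wpdb->prepare( "SELECT DISTINCT p1.post_id FROM {$wpdb->postmeta} p1 WHERE p1.meta_key IN ('" . implode( "','", array_map( 'esc_sql', $meta_search_fields ) ) . "') AND p1.meta_value LIKE '%%%s%%';", wc_clean( $term ) )
-) : array();
+$meta_search_fields = array_map( 'wc_clean', apply_filters( 'woocommerce_shop_order_search_fields', array() ) );
+
+// If we were given meta fields to search, make it happen.
+if ( ! empty( $meta_search_fields ) ) {
+$postmeta_search = $wpdb->get_col( $wpdb->prepare( "
+SELECT DISTINCT post_id
+FROM {$wpdb->postmeta}
+WHERE meta_key IN (" . implode( ',', array_fill( 0, count( $meta_search_fields ), '%s' ) ) . ')
+AND meta_value LIKE %s
+',
+array_merge( $meta_search_fields, array( '%' . $wpdb->esc_like( $term ) . '%' ) )
+) );
+}
 
 return array_unique( array_merge(
 $order_ids,
@@ -583,7 +593,7 @@ public function search_orders( $term ) {
 SELECT order_id
 FROM {$wpdb->prefix}woocommerce_order_items as order_items
 WHERE order_item_name LIKE %s
-",
+",
 '%' . $wpdb->esc_like( $term ) . '%'
 )
 )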
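Review bot: The LIKE argument built on new line 584 passes the raw `$term` where the removed code passed `wc_clean( $term )`, so the search term is no longer sanitised before it reaches the meta query; with `$wpdb->prepare()` and `esc_like()` the SQL itself is safe either way, but for parity with the old behaviour I would write `array( '%' . $wpdb->esc_like( wc_clean( $term ) ) . '%' )`. The rebuilt query also places no `post_type` restriction on the `{$wpdb->postmeta}` rows it matches, so any post carrying one of the filtered meta keys lands in the returned IDs — presumably the caller narrows these to orders, and a short comment stating that assumption above the `if ( ! empty( $meta_search_fields ) )` block would make it explicit. `search_orders()` begins before this hunk, so whether `$wpdb` is brought into scope with `global $wpdb` cannot be confirmed from what is shown.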
