Ticket #2185: 2185.patch

File 2185.patch, 1.2 KB (added by johnjamesjacoby, 9 years ago)
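--- a/includes/common/functions.php
+++ b/includes/common/functions.php
@@ -687,8 +687,10 @@
 
         // Simple duplicate check
         // Expected slashed ($post_type, $post_parent, $post_author, $post_content, $anonymous_data)
-        $query  = $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} {$join} WHERE post_type = '%s' AND post_status != '%s' AND post_author = '%d' AND post_content = '%s' {$where}", $r['post_type'], $r['post_status'], $r['post_author'], $r['post_content'] );
-        $query .= !empty( $r['post_parent'] ) ? $wpdb->prepare( " AND post_parent = '%d'", $r['post_parent'] ) : '';
+        // Note: Using $wpdb->prepare() here will double escape the post content.
+        // @see: http://bbpress.trac.wordpress.org/ticket/2185/
+        $query  = sprintf( "SELECT ID FROM {$wpdb->posts} {$join} WHERE post_type = '%s' AND post_status != '%s' AND post_author = %d AND post_content = '%s' {$where}", $r['post_type'], $r['post_status'], $r['post_author'], $r['post_content'] );
+        $query .= !empty( $r['post_parent'] ) ? sprintf( " AND post_parent = %d", $r['post_parent'] ) : '';
         $query .= " LIMIT 1";
         $dupe   = apply_filters( 'bbp_check_for_duplicate_query', $query, $r );
 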
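Review bot: Swapping `$wpdb->prepare()` for `sprintf()` on new line 692 removes the only escaping step this query had, so `$r['post_type']`, `$r['post_status']` and `$r['post_content']` are now interpolated into the SQL verbatim and are safe only as long as every caller honours the "Expected slashed" convention in the comment above, and slash-style quoting is in any case weaker than the driver-aware escaping `prepare()` applies. The double-escaping can be avoided without giving up prepared statements by unslashing the inputs and keeping `prepare()`: `$query = $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} {$join} WHERE post_type = %s AND post_status != %s AND post_author = %d AND post_content = %s {$where}", wp_unslash( $r['post_type'] ), wp_unslash( $r['post_status'] ), $r['post_author'], wp_unslash( $r['post_content'] ) );` (or `stripslashes_deep()` on the array beforehand). The `post_parent` line on 693 is the lesser concern since `%d` casts to an integer, but it should stay on `prepare()` for consistency. The enclosing function begins and ends outside this hunk, so whether `$r` is validated before this point cannot be confirmed from here.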