Skip to:
Content

bbPress.org

Changeset 4832


Ignore:
Timestamp:
04/05/2013 05:16:53 PM (9 years ago)
Author:
johnjamesjacoby
Message:

Do not prepare() query in bbp_check_for_duplicate() -- 'post_content' is already slashed/escaped in wp_magic_quotes(). Refixes #2185 for trunk/2.3.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/includes/common/functions.php

    r4783 r4832  
    688688    // Simple duplicate check
    689689    // Expected slashed ($post_type, $post_parent, $post_author, $post_content, $anonymous_data)
    690     $query  = $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} {$join} WHERE post_type = '%s' AND post_status != '%s' AND post_author = '%d' AND post_content = '%s' {$where}", $r['post_type'], $r['post_status'], $r['post_author'], $r['post_content'] );
    691     $query .= !empty( $r['post_parent'] ) ? $wpdb->prepare( " AND post_parent = '%d'", $r['post_parent'] ) : '';
     690    // Note: Using $wpdb->prepare() here will double escape the post content.
     691    // @see: http://bbpress.trac.wordpress.org/ticket/2185/
     692    $query  = sprintf( "SELECT ID FROM {$wpdb->posts} {$join} WHERE post_type = '%s' AND post_status != '%s' AND post_author = %d AND post_content = '%s' {$where}", $r['post_type'], $r['post_status'], $r['post_author'], $r['post_content'] );
     693    $query .= !empty( $r['post_parent'] ) ? sprintf( " AND post_parent = %d", $r['post_parent'] ) : '';
    692694    $query .= " LIMIT 1";
    693695    $dupe   = apply_filters( 'bbp_check_for_duplicate_query', $query, $r );
Note: See TracChangeset for help on using the changeset viewer.