Timestamp:
04/12/2013 05:00:20 PM (10 years ago)
Author:
johnjamesjacoby
Message:

Unslash the values before building the duplicate-check query for topics and replies. Even though wp_magic_quotes() may have slashed some of them for us, this lets us pass the query and its parts through $wpdb->prepare() with accurately unslashed data. This mostly compensates for plugins that intercept globals or filter query parameters on the fly (such as BuddyPress @-mentions).

See #2185, [WP23973]

File:
1 edited

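--- a/trunk/includes/common/functions.php
+++ b/trunk/includes/common/functions.php
@@ -686,10 +686,25 @@
     }
 
-    // Simple duplicate check
-    // Expected slashed ($post_type, $post_parent, $post_author, $post_content, $anonymous_data)
-    // Note: Using $wpdb->prepare() here will double escape the post content.
+    // Unslash strings to pass through $wpdb->prepare()
+    //
     // @see: http://bbpress.trac.wordpress.org/ticket/2185/
-    $query  = sprintf( "SELECT ID FROM {$wpdb->posts} {$join} WHERE post_type = '%s' AND post_status != '%s' AND post_author = %d AND post_content = '%s' {$where}", $r['post_type'], $r['post_status'], $r['post_author'], $r['post_content'] );
-    $query .= !empty( $r['post_parent'] ) ? sprintf( " AND post_parent = %d", $r['post_parent'] ) : '';
+    // @see: http://core.trac.wordpress.org/changeset/23973/
+    if ( function_exists( 'wp_unslash' ) ) { // added in WordPress 3.6
+        $r['post_type']    = wp_unslash( $r['post_type']    );
+        $r['post_status']  = wp_unslash( $r['post_status']  );
+        $r['post_content'] = wp_unslash( $r['post_content'] );
+        $join              = wp_unslash( $join              );
+        $where             = wp_unslash( $where             );
+    } else {
+        $r['post_type']    = stripslashes_deep( $r['post_type']    );
+        $r['post_status']  = stripslashes_deep( $r['post_status']  );
+        $r['post_content'] = stripslashes_deep( $r['post_content'] );
+        $join              = stripslashes_deep( $join              );
+        $where             = stripslashes_deep( $where             );
+    }
+
+    // Prepare duplicate check query
+    $query  = $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} {$join} WHERE post_type = %s AND post_status != %s AND post_author = %d AND post_content = %s {$where}", $r['post_type'], $r['post_status'], $r['post_author'], $r['post_content'] );
+    $query .= !empty( $r['post_parent'] ) ? $wpdb->prepare( " AND post_parent = %d", $r['post_parent'] ) : '';
     $query .= " LIMIT 1";
     $dupe   = apply_filters( 'bbp_check_for_duplicate_query', $query, $r );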
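Review bot: Running `wp_unslash()` / `stripslashes_deep()` over `$join` and `$where` (new lines 696-697 and 702-703) is the risky part of this hunk, because those are SQL fragments rather than input values: if `$where` was built from `$anonymous_data` with `$wpdb->prepare()` or another backslash-escaping step, as the removed "Expected slashed (... $anonymous_data)" comment suggests, stripping the backslashes undoes that escaping and turns a quote in the anonymous e-mail back into live SQL before the fragment is spliced into the prepared string via `{$join} {$where}`. The safer shape is to drop the four `$join`/`$where` unslash lines here and instead unslash the raw anonymous value where `$where` is constructed, passing it through `$wpdb->prepare( " AND pm.meta_value = %s", $value )` so only the value is escaped and the fragment is never re-processed. The construction of `$join`/`$where` and the rest of the enclosing function (presumably `bbp_check_for_duplicate()`, judging by the filter name) lie outside this hunk, so the exact shape of `$where` cannot be confirmed from here. Either way, a comment above the new `$wpdb->prepare()` call should state that `{$join}` and `{$where}` are interpolated verbatim and must already be safe SQL, since `prepare()` does not protect them.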