
Ticket #13580: 13580.2.diff

File 13580.2.diff, 940 bytes (added by ryan, 7 years ago)

Patch with just strip and prepare

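--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -83,7 +83,7 @@
                 die('0');
         }
 
-        $s = $_GET['q']; // is this slashed already?
+        $s = stripslashes( $_GET['q'] );
 
         if ( false !== strpos( $s, ',' ) ) {
                 $s = explode( ',', $s );
@@ -93,7 +93,7 @@
         if ( strlen( $s ) < 2 )
                 die; // require 2 chars for matching
 
-        $results = $wpdb->get_col( "SELECT t.name FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = '$taxonomy' AND t.name LIKE ('%" . $s . "%')" );
+        $results = $wpdb->get_col( $wpdb->prepare( "SELECT t.name FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = %s AND t.name LIKE (%s)", $taxonomy, '%' . like_escape( $s ) . '%' ) );
 
         echo join( $results, "\n" );
         die;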
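Review bot: The new line 86, `$s = stripslashes( $_GET['q'] );`, still dereferences the key without an `isset()` guard, so a request that omits `q` raises an undefined-index notice before the `strlen( $s ) < 2` check at line 93 rejects it; `$s = isset( $_GET['q'] ) ? stripslashes( $_GET['q'] ) : '';` closes that gap. The removed comment asked whether the value is already slashed, and the answer should now live in the code rather than disappear with it, e.g. `// $_GET is slashed by wp_magic_quotes(); unslash before matching and let prepare() escape it`. The rewrite at line 96 correctly moves both `$taxonomy` and the pattern into `$wpdb->prepare()` placeholders, and `like_escape()` presumably keeps user-supplied `%`/`_` from acting as wildcards, which is worth a one-line comment since the `'%' . … . '%'` wrapping looks like string-building at first glance. Lines 90–92, where `$s` is presumably collapsed back to a string after the `explode()` on line 89, are outside the hunk, so the type of `$s` reaching `strlen()` and `like_escape()` cannot be confirmed from here; the enclosing function starts and ends outside both hunks.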