
Ticket #13580: 13580.2.diff

File 13580.2.diff, 940 bytes (added by ryan, 3 years ago)

Patch with just strip and prepare

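--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -83,7 +83,7 @@
                 die('0');
         }
 
-        $s = $_GET['q']; // is this slashed already?
+        $s = stripslashes( $_GET['q'] );
 
         if ( false !== strpos( $s, ',' ) ) {
                 $s = explode( ',', $s );
@@ -93,7 +93,7 @@
         if ( strlen( $s ) < 2 )
                 die; // require 2 chars for matching
 
-        $results = $wpdb->get_col( "SELECT t.name FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = '$taxonomy' AND t.name LIKE ('%" . $s . "%')" );
+        $results = $wpdb->get_col( $wpdb->prepare( "SELECT t.name FROM $wpdb->term_taxonomy AS tt INNER JOIN $wpdb->terms AS t ON tt.term_id = t.term_id WHERE tt.taxonomy = %s AND t.name LIKE (%s)", $taxonomy, '%' . like_escape( $s ) . '%' ) );
 
         echo join( $results, "\n" );
         die;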
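Review bot: The added `$s = stripslashes( $_GET['q'] );` line in the first hunk still assumes the parameter is present and is a string; a missing key raises a notice, and an array value (`q[]=...`) makes `stripslashes()` emit a warning and return null, which the later `strpos()`/`strlen()` calls then treat as an empty string instead of rejecting the request. A guard such as `if ( ! isset( $_GET['q'] ) || ! is_string( $_GET['q'] ) ) die;` placed before it keeps the value handed to the prepared query a plain string. In the second hunk, moving the query to `$wpdb->prepare()` with `%s` placeholders and `like_escape()` on the search term is the right shape; as far as I recall `like_escape()` of that era escapes only `%` and `_`, so a trailing backslash in `q` turns the closing `%` into a literal rather than a wildcard — a matching quirk rather than an injection, since `prepare()` still quotes the value. The enclosing `case` body, the origin of `$taxonomy`, and the lines between the two hunks (where `$s` is presumably reassigned to a string after `explode()`) are outside this section, so that cannot be confirmed here.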