
Ticket #21767: 21767-prepare-wp_allow_comment.diff

File 21767-prepare-wp_allow_comment.diff, 1.3 KB (added by ryan, 5 years ago)

Use prepare() in wp_allow_comment(). Barely tested.

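--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -671,10 +671,10 @@
 
 	// Simple duplicate check
 	// expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
-	$dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' ";
+	$dupe = $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ", wp_unslash( $comment_post_ID ), wp_unslash( $comment_parent ), wp_unslash( $comment_author ) );
 	if ( $comment_author_email )
-		$dupe .= "OR comment_author_email = '$comment_author_email' ";
-	$dupe .= ") AND comment_content = '$comment_content' LIMIT 1";
+		$dupe .= $wpdb->prepare( "OR comment_author_email = %s ", wp_unslash( $comment_author_email ) );
+	$dupe .= $wpdb->prepare( ") AND comment_content = %s LIMIT 1", wp_unslash( $comment_content ) );
 	if ( $wpdb->get_var($dupe) ) {
 		do_action( 'comment_duplicate_trigger', $commentdata );
 		if ( defined('DOING_AJAX') )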
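Review bot: The new `$dupe` query binds `comment_parent` with `%s` while `comment_post_ID` on the same line uses `%d`; both hold comment IDs, so the parent placeholder should presumably be `%d` as well, `comment_parent = %d`, so a non-numeric parent is coerced to 0 by prepare() rather than left for MySQL to compare as a string. The `expected_slashed` comment above the query still describes the inputs but no longer explains the new `wp_unslash()` calls; a maintainer reading the old `'$var'` interpolation replaced by prepare() would benefit from `// expected_slashed inputs are unslashed here because prepare() escapes its own arguments` so nobody "fixes" the unslash by removing it and double-escapes. Given the description says "Barely tested", the case worth checking is a comment with a literal backslash or quote in `comment_content`, which is the path where slash/escape mismatch would wrongly skip or report a duplicate. wp_allow_comment() begins and ends outside this hunk, so whether `$comment_parent` is always defined at this point cannot be confirmed from here.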