
Ticket #2458: postmeta_not_escaped.diff

File postmeta_not_escaped.diff, 709 bytes (added by bungeman, 12 years ago)

escapes the id, key, and value when creating post meta data

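--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -429,7 +429,10 @@
         if ( is_array($value) || is_object($value) )
                 $value = $wpdb->escape(serialize($value));
 
-        $wpdb->query("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value) VALUES ('$post_id','$key','$value')");
+        $e_post_id = $wpdb->escape($post_id);
+        $e_key = $wpdb->escape($key);
+        $e_value = $wpdb->escape($value);
+        $wpdb->query("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value) VALUES ('$e_post_id','$e_key','$e_value')");
 
         $post_meta_cache['$post_id'][$key][] = $original;
 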
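Review bot: Arrays and objects end up escaped twice, because the context line `$value = $wpdb->escape(serialize($value));` already escapes the serialized string and the added `$e_value = $wpdb->escape($value);` escapes it again. The stored meta_value would then carry extra backslashes and may no longer unserialize. Escaping should happen in one place only, for example by changing the serialize branch to `$value = serialize($value);`. Since `$post_id` is expected to be numeric, `$e_post_id = (int) $post_id;` is a tighter guard than string escaping. The enclosing function starts and ends outside the hunk, so it cannot be confirmed here whether callers already pass slashed `$key` and `$value`; if they do, the scalar path is double-escaped as well.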