Ticket #2458: postmeta_not_escaped.diff

File postmeta_not_escaped.diff, 709 bytes (added by bungeman, 9 years ago)

escapes the id, key, and value when creating post meta data

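--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -429,7 +429,10 @@
         if ( is_array($value) || is_object($value) )
                 $value = $wpdb->escape(serialize($value));
 
-        $wpdb->query("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value) VALUES ('$post_id','$key','$value')");
+        $e_post_id = $wpdb->escape($post_id);
+        $e_key = $wpdb->escape($key);
+        $e_value = $wpdb->escape($value);
+        $wpdb->query("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value) VALUES ('$e_post_id','$e_key','$e_value')");
 
         $post_meta_cache['$post_id'][$key][] = $original;
 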
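Review bot: On the array/object path the value is now escaped twice: line 430 already runs `$wpdb->escape(serialize($value))`, and new line 434 escapes that result again, so the stored string would carry literal backslashes and may no longer unserialize. Changing line 430 to `$value = serialize($value);` leaves the single escape at line 434 covering both paths. `post_id` is presumably a numeric column, so `$e_post_id = (int) $post_id;` is a tighter guard than string-escaping it inside quotes. Whether callers already pass slashed `$key`/`$value` cannot be seen here, because the function starts and ends outside the hunk; that is worth confirming so existing callers do not end up double-escaped as well.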