Make WordPress Core

Changeset 23973


Ignore:
Timestamp:
04/12/2013 01:25:16 PM (11 years ago)
Author:
ryan
Message:

Use prepare() for the duplicate comment query in wp_allow_comment().

see #21767

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/comment.php

    r23591 r23973  
    672672    // Simple duplicate check
    673673    // expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
    674     $dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' ";
     674    $dupe = $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ", wp_unslash( $comment_post_ID ), wp_unslash( $comment_parent ), wp_unslash( $comment_author ) );
    675675    if ( $comment_author_email )
    676         $dupe .= "OR comment_author_email = '$comment_author_email' ";
    677     $dupe .= ") AND comment_content = '$comment_content' LIMIT 1";
     676        $dupe .= $wpdb->prepare( "OR comment_author_email = %s ", wp_unslash( $comment_author_email ) );
     677    $dupe .= $wpdb->prepare( ") AND comment_content = %s LIMIT 1", wp_unslash( $comment_content ) );
    678678    if ( $wpdb->get_var($dupe) ) {
    679679        do_action( 'comment_duplicate_trigger', $commentdata );
Note: See TracChangeset for help on using the changeset viewer.