
Changeset 24875


Timestamp:
07/29/2013 06:16:47 PM (11 years ago)
Author:
duck_
Message:

Fix potential SQLi through improper use of API functions.

Location:
trunk
Files:
2 edited

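--- a/trunk/wp-admin/includes/ms.php
+++ b/trunk/wp-admin/includes/ms.php
@@ -372,5 +372,5 @@
         _deprecated_argument( __FUNCTION__, '3.1' );
 
-    $wpdb->update( $wpdb->users, array( $pref => $value ), array( 'ID' => $id ) );
+    $wpdb->update( $wpdb->users, array( sanitize_key( $pref ) => $value ), array( 'ID' => $id ) );
 
     $user = new WP_User( $id );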
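Review bot: sanitize_key( $pref ) on the new line 374 strips the quoting characters an injected column name would need, but it does not check that the result is an actual column of the users table, and it lowercases a mixed-case name into a different identifier, so a caller passing the wrong thing now fails quietly on a non-existent column instead of being rejected. Since $pref is still a caller-chosen column name, an allowlist of the columns this function is meant to update is the stricter fix, e.g. `if ( ! in_array( $pref, $allowed_columns, true ) ) return false;` where `$allowed_columns` (name illustrative) holds the columns the function's contract permits. Failing that, a comment such as `// sanitize_key() limits $pref to [a-z0-9_-]; callers must still pass a trusted users-table column name.` would record the assumption the new code makes. The enclosing function starts and ends outside the hunk, so where $pref comes from is not visible here.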
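--- a/trunk/wp-includes/bookmark.php
+++ b/trunk/wp-includes/bookmark.php
@@ -187,5 +187,5 @@
 
     if ( ! empty($search) ) {
-        $search = like_escape($search);
+        $search = esc_sql( like_escape( $search ) );
         $search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) ";
     }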
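Review bot: The new line 189 depends on like_escape() running before esc_sql() so that the LIKE wildcards are escaped and only then the whole value is made safe for the single-quoted literals on line 190, and nothing in the hunk records that ordering, so a later edit could plausibly swap or drop one call; a comment such as `// Escape LIKE wildcards (% and _) first, then SQL-escape the result before it is interpolated into the quoted LIKE patterns below.` would pin it. The more conventional form, assuming $wpdb is in scope in the enclosing function as it is elsewhere in this hunk's file, avoids manual quoting altogether: `$like = '%' . like_escape( $search ) . '%';` followed by `$search = $wpdb->prepare( " AND ( (link_url LIKE %s) OR (link_name LIKE %s) OR (link_description LIKE %s) ) ", $like, $like, $like );`. Reusing $search first for the raw input and then for the SQL fragment is also a readability point worth splitting. The enclosing function starts and ends outside the hunk.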