

Timestamp:
10/12/2006 11:54:36 PM (17 years ago)
Author:
markjaquith
Message:

Prevent users from entering strings that will be interpreted as serialized arrays/objects on the way out. fixes #2591

File:
1 edited

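--- a/trunk/wp-admin/admin-functions.php
+++ b/trunk/wp-admin/admin-functions.php
@@ -982,4 +982,16 @@
         if ('_' == $entry['meta_key'] { 0 })
             $style .= ' hidden';
+
+        if ( is_serialized($entry['meta_value']) ) {
+            if ( 's' == $entry['meta_value']{0} ) {
+                // this is a serialized string, so we should display it
+                $entry['meta_value'] = maybe_unserialize($entry['meta_value']);
+            } else {
+                // this is a serialized array/object so we should NOT display it
+                --$count;
+                continue;
+            }
+        }
+
         $key_js = js_escape($entry['meta_key']);
         $entry['meta_key'] = wp_specialchars( $entry['meta_key'], true );
@@ -1057,5 +1069,6 @@
     $metakeyselect = $wpdb->escape(stripslashes(trim($_POST['metakeyselect'])));
     $metakeyinput = $wpdb->escape(stripslashes(trim($_POST['metakeyinput'])));
-    $metavalue = $wpdb->escape(stripslashes(trim($_POST['metavalue'])));
+    $metavalue = prepare_data(stripslashes((trim($_POST['metavalue']))));
+    $metavalue = $wpdb->escape($metavalue);
 
     if ( ('0' === $metavalue || !empty ($metavalue)) && ((('#NONE#' != $metakeyselect) && !empty ($metakeyselect)) || !empty ($metakeyinput)) ) {
@@ -1088,6 +1101,7 @@
 function update_meta($mid, $mkey, $mvalue) {
     global $wpdb;
+    if ( is_serialized(stripslashes($mvalue)) ) // $mvalue looks to be already serialized, so we should serialize it again to prevent the data from coming out in a different form than it came in
+        $mvalue = serialize($mvalue);
     $mid = (int) $mid;
-
     return $wpdb->query("UPDATE $wpdb->postmeta SET meta_key = '$mkey', meta_value = '$mvalue' WHERE meta_id = '$mid'");
 }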
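Review bot: In update_meta (new lines 1103–1104) the check tests `stripslashes($mvalue)` but then serializes the still-slashed `$mvalue`, so the `s:N:` length prefix counts the escape backslashes as well. If `$mvalue` arrives already escaped, as the stripslashes call suggests, any value containing quotes (which a serialized array normally does) is stored with a length that no longer matches once the database drops the escaping, and the wrapped string would presumably fail to unserialize on the way out. The hunk at new lines 1071–1072 uses the safer order: unslash, transform, then `$wpdb->escape`. The same order here would be `$mvalue = $wpdb->escape(serialize(stripslashes($mvalue)));`, which also keeps the value escaped for the UPDATE statement that interpolates it directly.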