WordPress.org

Make WordPress Core


Ignore:
Timestamp:
10/13/2006 12:24:51 AM (15 years ago)
Author:
markjaquith
Message:

Prevent users from entering strings that will be interpreted as serialized arrays/objects on the way out. fixes #2591

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/2.0/wp-admin/admin-functions.php

    r4376 r4384  
    849849        if ('_' == $entry['meta_key'] { 0 })
    850850            $style .= ' hidden';
     851
     852        if ( is_serialized($entry['meta_value']) ) {
     853            if ( is_serialized_string($entry['meta_value']) ) {
     854                // this is a serialized string, so we should display it
     855                $entry['meta_value'] = maybe_unserialize($entry['meta_value']);
     856            } else {
     857                // this is a serialized array/object so we should NOT display it
     858                --$count;
     859                continue;
     860            }
     861        }
     862
    851863        $entry['meta_key'] = wp_specialchars( $entry['meta_key'], true );
    852864        $entry['meta_value'] = wp_specialchars( $entry['meta_value'], true );
     
    923935    $metakeyselect = $wpdb->escape(stripslashes(trim($_POST['metakeyselect'])));
    924936    $metakeyinput = $wpdb->escape(stripslashes(trim($_POST['metakeyinput'])));
    925     $metavalue = $wpdb->escape(stripslashes(trim($_POST['metavalue'])));
     937    $metavalue = maybe_serialize(stripslashes((trim($_POST['metavalue']))));
     938    $metavalue = $wpdb->escape($metavalue);
    926939
    927940    if ( ('0' === $metavalue || !empty ($metavalue)) && ((('#NONE#' != $metakeyselect) && !empty ($metakeyselect)) || !empty ($metakeyinput)) ) {
     
    951964function update_meta($mid, $mkey, $mvalue) {
    952965    global $wpdb;
    953 
     966    $mvalue = maybe_serialize(stripslashes($mvalue));
     967    $mvalue = $wpdb->escape($mvalue);
     968    $mid = (int) $mid;
    954969    return $wpdb->query("UPDATE $wpdb->postmeta SET meta_key = '$mkey', meta_value = '$mvalue' WHERE meta_id = '$mid'");
    955970}
Note: See TracChangeset for help on using the changeset viewer.