Make WordPress Core

Changeset 9116


Ignore:
Timestamp:
10/10/2008 09:40:30 AM (13 years ago)
Author:
azaozz
Message:

Fix escaping of post meta, props DD32, fixes #7768

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/includes/post.php

    r9105 r9116  
    500500    $protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
    501501
    502     $metakeyselect = $wpdb->escape( stripslashes( trim( $_POST['metakeyselect'] ) ) );
    503     $metakeyinput = $wpdb->escape( stripslashes( trim( $_POST['metakeyinput'] ) ) );
    504     $metavalue = maybe_serialize( stripslashes( (trim( $_POST['metavalue'] ) ) ));
    505     $metavalue = $wpdb->escape( $metavalue );
     502    $metakeyselect = stripslashes( trim( $_POST['metakeyselect'] ) );
     503    $metakeyinput = stripslashes( trim( $_POST['metakeyinput'] ) );
     504    $metavalue = maybe_serialize( stripslashes( trim( $_POST['metavalue'] ) ) );
    506505
    507506    if ( ('0' === $metavalue || !empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
     
    520519        wp_cache_delete($post_ID, 'post_meta');
    521520
    522         $wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta
    523             (post_id,meta_key,meta_value ) VALUES (%s, %s, %s)",
    524             $post_ID, $metakey, $metavalue) );
     521        $wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value ) VALUES (%s, %s, %s)", $post_ID, $metakey, $metavalue) );
    525522        return $wpdb->insert_id;
    526523    }
  • trunk/wp-includes/post.php

    r9106 r9116  
    520520    // expected_slashed ($meta_key)
    521521    $meta_key = stripslashes($meta_key);
     522    $meta_value = stripslashes($meta_value);
    522523
    523524    if ( $unique && $wpdb->get_var( $wpdb->prepare( "SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $meta_key, $post_id ) ) )
     
    632633    // expected_slashed ($meta_key)
    633634    $meta_key = stripslashes($meta_key);
     635    $meta_value = stripslashes($meta_value);
    634636
    635637    if ( ! $wpdb->get_var( $wpdb->prepare( "SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $meta_key, $post_id ) ) ) {
Note: See TracChangeset for help on using the changeset viewer.