WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#37093 closed defect (bug) (fixed)

dupe comment check should use AND instead of OR condition in sql query

Reported by: yashchandra Owned by: rachelbaker
Milestone: 4.6 Priority: normal
Severity: normal Version: 2.0
Component: Comments Keywords: has-patch has-unit-tests
Focuses: Cc:

Description (last modified by dd32)

under includes/comment.php, there is this piece of code in version 4.5.2:

dupe = $wpdb->prepare(
		"SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ",
		wp_unslash( $commentdata['comment_post_ID'] ),
		wp_unslash( $commentdata['comment_parent'] ),
		wp_unslash( $commentdata['comment_author'] )
	);
	if ( $commentdata['comment_author_email'] ) {
		$dupe .= $wpdb->prepare(
			"OR comment_author_email = %s ",
			wp_unslash( $commentdata['comment_author_email'] )
		);
	}
	$dupe .= $wpdb->prepare(
		") AND comment_content = %s LIMIT 1",
		wp_unslash( $commentdata['comment_content'] )
	);

The OR condition: ( comment_author = %s OR comment_author_email = %s) will not work if a comment is posted by an author who happens to have the same "comment_author" value as someone else who has already posted the comment and they both post exactly the same comment for some reason. See this example:

Comment 1
---------------
comment_post_id = 100 (example)
comment_parent = 0
comment_approved = 'publish'
comment_author = "Daniel"
comment_author_email = "daniel123@aol.com'

Comment 2
--------------
comment_post_id = 100 (example)
comment_parent = 0
comment_approved = 'publish'
comment_author = "Daniel"
comment_author_email = "different_daniel@yahoo.com'

In this case, comment 2 will be rejected as dupe according to the query but this is not a dupe.

Attachments (1)

37093.diff (2.7 KB) - added by rachelbaker 3 years ago.

Download all attachments as: .zip

Change History (5)

#1 @yashchandra
3 years ago

sorry in the example above, I also meant to add that the

comment_content is same for both comments. Only then this is an issue.

#2 @dd32
3 years ago

  • Description modified (diff)

Just a quick formatting update to make reading the ticket easier.

@rachelbaker
3 years ago

#3 @rachelbaker
3 years ago

  • Keywords has-patch has-unit-tests added
  • Milestone changed from Awaiting Review to 4.6
  • Version changed from 4.5.2 to 2.0

In 37093.diff do not flag as a duplicate comment if the comment_author_email is provided and doesn't match. This reduces the strictness of the duplicate check a little, but does prevent false duplicates for emoji or +1 comments by authors with matching names.

The current logic was introduced all the way back in [2894].

#4 @rachelbaker
3 years ago

  • Owner set to rachelbaker
  • Resolution set to fixed
  • Status changed from new to closed

In 37713:

Comments: Do not flag a comment as a duplicate if the comment_author_email is provided but not a match.

This reduces the strictness of the duplicate check a little, but does prevent false duplicates for emoji or +1 comments by authors with matching names. The current logic was introduced all the way back in [2894].

Fixes #37093.

Note: See TracTickets for help on using tickets.