Opened 8 years ago
Closed 8 years ago
#37093 closed defect (bug) (fixed)
dupe comment check should use AND instead of OR condition in sql query
Reported by: | yashchandra | Owned by: | rachelbaker |
---|---|---|---|
Milestone: | 4.6 | Priority: | normal |
Severity: | normal | Version: | 2.0 |
Component: | Comments | Keywords: | has-patch has-unit-tests |
Focuses: | Cc: |
Description (last modified by )
Under includes/comment.php, there is this piece of code in version 4.5.2:

```php
// Base query: same post, same parent, not trashed, and the same author name.
$dupe = $wpdb->prepare(
	"SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ",
	wp_unslash( $commentdata['comment_post_ID'] ),
	wp_unslash( $commentdata['comment_parent'] ),
	wp_unslash( $commentdata['comment_author'] )
);
// The email clause is appended with OR only when an email address was submitted.
if ( $commentdata['comment_author_email'] ) {
	$dupe .= $wpdb->prepare(
		"OR comment_author_email = %s ",
		wp_unslash( $commentdata['comment_author_email'] )
	);
}
$dupe .= $wpdb->prepare(
	") AND comment_content = %s LIMIT 1",
	wp_unslash( $commentdata['comment_content'] )
);
```
The OR condition: ( comment_author = %s OR comment_author_email = %s)
will not work if a comment is posted by an author who happens to have the same "comment_author" value as someone else who has already posted the comment and they both post exactly the same comment for some reason. See this example:
```
Comment 1
---------------
comment_post_id = 100 (example)
comment_parent = 0
comment_approved = 'publish'
comment_author = "Daniel"
comment_author_email = "daniel123@aol.com"

Comment 2
--------------
comment_post_id = 100 (example)
comment_parent = 0
comment_approved = 'publish'
comment_author = "Daniel"
comment_author_email = "different_daniel@yahoo.com"
```
In this case, comment 2 will be rejected as dupe according to the query but this is not a dupe.
Attachments (1)
Change History (5)
#2
@
8 years ago
- Description modified (diff)
Just a quick formatting update to make reading the ticket easier.
#3
@
8 years ago
- Keywords has-patch has-unit-tests added
- Milestone changed from Awaiting Review to 4.6
- Version changed from 4.5.2 to 2.0
In 37093.diff do not flag as a duplicate comment if the comment_author_email is provided and doesn't match. This reduces the strictness of the duplicate check a little, but does prevent false duplicates for emoji or +1 comments by authors with matching names.
The current logic was introduced all the way back in [2894].
Sorry, in the example above, I also meant to add that the comment_content is the same for both comments. Only then is this an issue.
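
The false positive from the description and the narrower check described in comment 3, run against an in-memory SQLite table. This is an added example, not WordPress code and not the contents of 37093.diff; the trimmed schema, the `is_dupe` helper, the "+1" comment text, and the reading of the fix as swapping OR for AND (taken from the ticket title) are assumptions.

```python
import sqlite3

# Constructed schema: only the columns the duplicate check reads.
SCHEMA = """CREATE TABLE comments (
    comment_ID INTEGER PRIMARY KEY, comment_post_ID INTEGER, comment_parent TEXT,
    comment_approved TEXT, comment_author TEXT, comment_author_email TEXT,
    comment_content TEXT)"""

def is_dupe(db, c, email_op):
    """Build the check the way the ticket's PHP does; email_op is 'OR' or 'AND'."""
    if email_op not in ("OR", "AND"):  # allowlist: the only part spliced into the SQL
        raise ValueError("email_op must be 'OR' or 'AND'")
    sql = ("SELECT comment_ID FROM comments WHERE comment_post_ID = ? "
           "AND comment_parent = ? AND comment_approved != 'trash' "
           "AND ( comment_author = ? ")
    args = [c["post"], c["parent"], c["author"]]
    if c.get("email"):  # email clause is appended only when an email was supplied
        sql += email_op + " comment_author_email = ? "
        args.append(c["email"])
    sql += ") AND comment_content = ? LIMIT 1"
    args.append(c["content"])
    return db.execute(sql, args).fetchone() is not None

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Comment 1 from the ticket's example; the content "+1" is a constructed value.
    db.execute("INSERT INTO comments VALUES (1, 100, '0', 'publish', 'Daniel', "
               "'daniel123@aol.com', '+1')")
    base = {"post": 100, "parent": "0", "author": "Daniel", "content": "+1"}
    other = dict(base, email="different_daniel@yahoo.com")  # Comment 2 in the ticket
    same = dict(base, email="daniel123@aol.com")            # genuine repost
    anon = dict(base, email="")                             # no email supplied
    return {
        "or_other": is_dupe(db, other, "OR"),    # True: the false duplicate reported
        "and_other": is_dupe(db, other, "AND"),  # False: different email, not a dupe
        "and_same": is_dupe(db, same, "AND"),    # True: same name and same email
        "and_anon": is_dupe(db, anon, "AND"),    # True: falls back to name-only match
    }

if __name__ == "__main__":
    for case, flagged in demo().items():
        print(case, flagged)
```

The `and_anon` case shows the remaining behaviour: when no email is submitted, the check still matches on author name and content alone.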