#39380 closed defect (bug) (fixed)
wp_update_comment can cause database error with new filter
Reported by: | dshanske | Owned by: | rachelbaker |
---|---|---|---|
Milestone: | 4.7.1 | Priority: | normal |
Severity: | normal | Version: | 4.6 |
Component: | Comments | Keywords: | has-patch commit |
Focuses: | Cc: |
Description (last modified by )
In 4.6, the comment data array was passed into the edit_comment action. In 4.7, the wp_update_comment_data filter was added to wp_update_comment.
However, wp_array_slice_assoc is called to filter keys out of the array before it is passed to both.
It should be called after and only to filter the data going into the database. By adding a key to the array at the filter you can cause a database error.
By removing extra keys from the data before it hits edit_comment, it also makes it impossible to pass data to be saved as metadata.
Attachments (2)
Change History (12)
#1
@
8 years ago
- Description modified (diff)
- Milestone changed from Awaiting Review to 4.7.1
- Summary changed from wp_update_comment strips data from passed array to wp_update_comment can cause database error with new filter
#3
@
8 years ago
- Milestone changed from 4.7.1 to 4.8
- Type changed from defect (bug) to enhancement
@dshanske Prior to [38674] the sliced data was passed to the database update statement and then the edit_comment
action, this doesn't look like a regression to me. Am I missing something?
I understand that you are approaching this with a specific use-case in mind (updating meta). However, I am not convinced other folks would expect the $data
parameter in the edit_comment
action to differ from the specific keys/values used to update the comment table.
#4
@
8 years ago
@rachelbaker the fact that the filter could add keys to the array and cause a database error when the update is run is still an issue. I tagged it for 4.7.1 for that reason. The slice still should come after the filter for that reason.
Should I split the ticket because I consider that a bug in the filter? I just figured I would address both.
#6
@
8 years ago
@dshanske Yeah, can you create a new ticket for the enhancement? And I will get the bugfix in 4.7.1
#8
@
8 years ago
@rachelbaker Will hold off on a new ticket as #36784 is tagged for 4.8 early and addresses the same use case.
The patch submitted not only makes it so the database error cannot occur which is the more important issue, but preserves any data added to the comment array for the filter and hook.