Use prepare() for the duplicate comment query in wp_allow_comment().

see #21767


git-svn-id: https://develop.svn.wordpress.org/trunk@23973 602fd350-edb4-49c9-b593-d223f7449a82
Ryan Boren 2013-04-12 13:25:16 +00:00
parent 87a94a7635
commit c3e471a535
1 changed files with 3 additions and 3 deletions


@ -671,10 +671,10 @@ function wp_allow_comment($commentdata) {
// Simple duplicate check // Simple duplicate check
// expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content) // expected_slashed ($comment_post_ID, $comment_author, $comment_author_email, $comment_content)
$dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND comment_parent = '$comment_parent' AND comment_approved != 'trash' AND ( comment_author = '$comment_author' "; $dupe = $wpdb->prepare( "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_parent = %s AND comment_approved != 'trash' AND ( comment_author = %s ", wp_unslash( $comment_post_ID ), wp_unslash( $comment_parent ), wp_unslash( $comment_author ) );
if ( $comment_author_email ) if ( $comment_author_email )
$dupe .= "OR comment_author_email = '$comment_author_email' "; $dupe .= $wpdb->prepare( "OR comment_author_email = %s ", wp_unslash( $comment_author_email ) );
$dupe .= ") AND comment_content = '$comment_content' LIMIT 1"; $dupe .= $wpdb->prepare( ") AND comment_content = %s LIMIT 1", wp_unslash( $comment_content ) );
if ( $wpdb->get_var($dupe) ) { if ( $wpdb->get_var($dupe) ) {
do_action( 'comment_duplicate_trigger', $commentdata ); do_action( 'comment_duplicate_trigger', $commentdata );
if ( defined('DOING_AJAX') ) if ( defined('DOING_AJAX') )