Opened 12 years ago
Closed 12 years ago
#4758 closed defect (bug) (fixed)
bp_forums_reply_exists fails to escape in db query
| Reported by: | wpdennis | Owned by: | |
|---|---|---|---|
| Milestone: | 1.7 | Priority: | high |
| Severity: | major | Version: | 1.6.1 |
| Component: | Forums | Keywords: | dev-feedback |
| Cc: | | | |
Description
The function bp_forums_reply_exists adds a filter to get_posts_where without escaping the specified value:
```php
// BB_Query's post_text parameter does a MATCH, while we need exact matches
add_filter( 'get_posts_where', create_function( '$q', 'return $q . " AND p.post_text = \'' . $text . '\'";' ) );
```
In http://buddypress.trac.wordpress.org/browser/trunk/bp-forums/bp-forums-functions.php on line 366.
Since it's a public function, it seems to be a security risk. I found it because a post ending with the smiley ":\" will throw a MySQL error (the backslash escapes the ' in the query).
Suggestion for escaping:
```php
global $wpdb;
add_filter( 'get_posts_where', create_function( '$q', 'return $q . " AND p.post_text = \'' . $wpdb->escape($text) . '\'";' ) );
```
Attachments (3)
Change History (10)
#1
@
12 years ago
- Milestone changed from Awaiting Review to 1.6.3
- Priority changed from normal to high
#4
@
12 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
Hi, I think you need to check this ticket again, as if I have a forum reply like:
"l ' apostrophe"
then I have "an error in your SQL syntax".
The problem seems to be that "l ' apostrophe" is becoming
l \\' apostrophe
If I stripslashes the $text before $wpdb->escape( $text ) then the error disappears...
Good find. Thanks very much for reporting it.
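The following is an added illustration for this ticket, not BuddyPress or WordPress code. It models the WHERE fragment that the description shows, in three forms: the original unescaped interpolation, the reporter's escaped version, and comment #4's refinement of stripping the slashes WordPress has already added before escaping once. Assumptions: `addslashes()` stands in for `$wpdb->escape()`; the function names `where_unescaped`, `where_escaped`, `where_stripped_then_escaped` and `literal_value` are hypothetical; the sample values (`$base`, the `:\` smiley and the apostrophe reply) are constructed; and the "one layer of slashes already present" input is a modelling assumption, so the exact error string the commenter saw is not reproduced. The literal decoder is simplified to backslash escapes only.

```php
<?php
// Added illustration (not BuddyPress/WordPress code). addslashes() is a
// stand-in for $wpdb->escape(); the helper names below are hypothetical.

function escape_like_wpdb( $text ) {
    return addslashes( $text );
}

// 1. The fragment as the ticket found it: the value is interpolated raw.
function where_unescaped( $q, $text ) {
    return $q . " AND p.post_text = '" . $text . "'";
}

// 2. The reporter's suggestion: escape before interpolating.
function where_escaped( $q, $text ) {
    return $q . " AND p.post_text = '" . escape_like_wpdb( $text ) . "'";
}

// 3. Comment #4's refinement: the value arrives with one layer of slashes
//    already added by WordPress (assumption), so strip those first and
//    escape exactly once; otherwise the literal no longer equals the post.
function where_stripped_then_escaped( $q, $text ) {
    return $q . " AND p.post_text = '" . escape_like_wpdb( stripslashes( $text ) ) . "'";
}

// Decode the single-quoted literal after "p.post_text = " the way a MySQL
// parser would (backslash escapes the next character; simplified model).
// Returns the decoded value, or null when the literal is unterminated or
// followed by stray text, the situations that surface as a SQL syntax error.
function literal_value( $fragment ) {
    $marker = "p.post_text = '";
    $start  = strpos( $fragment, $marker );
    if ( false === $start ) {
        return null;
    }
    $i     = $start + strlen( $marker );
    $len   = strlen( $fragment );
    $value = '';
    while ( $i < $len ) {
        $c = $fragment[ $i ];
        if ( '\\' === $c ) {
            if ( $i + 1 >= $len ) {
                return null;                 // backslash with nothing to escape
            }
            $value .= $fragment[ $i + 1 ];   // escaped character taken literally
            $i += 2;
            continue;
        }
        if ( "'" === $c ) {
            // Closing quote; any trailing text would be a syntax error here.
            return ( $i + 1 === $len ) ? $value : null;
        }
        $value .= $c;
        $i++;
    }
    return null;                             // no closing quote found
}

// Constructed sample inputs.
$base   = 'WHERE p.topic_id = 7';
$smiley = ':\\';                             // the post text ":\" from the description

echo "smiley, unescaped: ";
var_dump( literal_value( where_unescaped( $base, $smiley ) ) );
echo "smiley, escaped:   ";
var_dump( literal_value( where_escaped( $base, $smiley ) ) );

// Comment #4's reply, modelled as WordPress hands it to the callback
// (one layer of slashes already applied).
$posted    = "l ' apostrophe";
$as_passed = addslashes( $posted );

echo "apostrophe, escaped once more:        ";
var_dump( literal_value( where_escaped( $base, $as_passed ) ) === $posted );
echo "apostrophe, stripped then escaped:    ";
var_dump( literal_value( where_stripped_then_escaped( $base, $as_passed ) ) === $posted );
```

Run with `php example.php`. The unescaped smiley case decodes to null because the trailing backslash consumes the closing quote, which is the MySQL error the reporter hit; escaping once makes the literal well formed. For the apostrophe reply, escaping the already-slashed value yields a well-formed literal whose decoded value differs from the posted text, so the exact-match lookup can never succeed, while stripping and escaping once restores it. The broader lesson is the one behind the ticket: build the fragment with a parameterised helper (`$wpdb->prepare()` in WordPress) rather than concatenating user-supplied text, and escape at exactly one, known layer.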