
Changeset 794800


Timestamp:
10/28/2013 01:36:52 PM (12 years ago)
Author:
esserq
Message:

Addressed security vulnerability.

Location:
rockhoist-ratings/trunk
Files:
2 edited

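--- a/rockhoist-ratings/trunk/readme.txt
+++ b/rockhoist-ratings/trunk/readme.txt
@@ -4,5 +4,5 @@
 Requires at least: 3.6
 Tested up to: 3.6.1
-Stable tag: 1.2.1
+Stable tag: 1.2.2
 
 Rockhoist Ratings is a thumbs up/ thumbs down style rating widget for posts.
@@ -31,4 +31,7 @@
 
 == Changelog ==
+
+= 1.2.2 =
+* Addressed SQL vulnerability.
 
 = 1.2.1 =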
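--- a/rockhoist-ratings/trunk/rh-ratings.php
+++ b/rockhoist-ratings/trunk/rh-ratings.php
@@ -2,9 +2,9 @@
 /*
 Plugin Name: Rockhoist Ratings
-Version: 1.2.1
-Plugin URI: http://blarrr.com/wordpress-ratings-plugin/
+Version: 1.2.2
+Plugin URI: https://github.com/slizice/Wordpress-Ratings
 Description: A YouTube style rating widget for posts.
 Author: B. Jordan
-Author URI: http://about.me/blairjordan
+Author URI: http://www.github.com/slizice
 
 Copyright (c) 2009
@@ -109,7 +109,7 @@
 
     $wpdb->insert( $wpdb->prefix . 'rh_ratings',
-        array( 'user_id' => $args['user_ID'],
-            'post_id' => $args['post_ID'],
-            'rating' => $args['rating']),
+        array( 'user_id' => mysql_real_escape_string($args['user_ID']),
+            'post_id' => mysql_real_escape_string($args['post_ID']),
+            'rating' => mysql_real_escape_string($args['rating'])),
         array( '%d', '%d', '%s' ) );
 }
@@ -119,5 +119,5 @@
     global $wpdb;
    
-    $wpdb->query( $wpdb->prepare( 'UPDATE ' . $wpdb->prefix . 'rh_ratings' . ' SET rating = %s WHERE user_id = %d AND post_id = %d', $args['rating'], $args['user_ID'], $args['post_ID'] ) );
+    $wpdb->query( $wpdb->prepare( 'UPDATE ' . $wpdb->prefix . 'rh_ratings' . ' SET rating = %s WHERE user_id = %d AND post_id = %d', mysql_real_escape_string($args['rating']), mysql_real_escape_string($args['user_ID']), mysql_real_escape_string($args['post_ID']) ) );
 
     $wpdb->show_errors();
@@ -260,7 +260,7 @@
 
     // get the submitted parameters
-    $args = array( 'user_ID' => $current_user->ID,
-            'post_ID' => intval( $_POST['postID'] ),
-            'rating' => $_POST['rating'] );
+    $args = array(  'user_ID' => mysql_real_escape_string($current_user->ID),
+            'post_ID' => mysql_real_escape_string(intval( $_POST['postID'] )),
+            'rating' => mysql_real_escape_string($_POST['rating'] ));
 
     // save the rating
@@ -278,3 +278,2 @@
     exit;
 }
-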
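Review bot: The `mysql_real_escape_string()` wrappers added at new lines 111-113, 121 and 262-264 escape values that `$wpdb->insert()` (via its `'%d', '%d', '%s'` format array) and `$wpdb->prepare()` already escape, so the `rating` string is escaped twice and any value containing `'` or `\` is stored with stray backslashes; the parameterised calls on the removed side were already the correct SQL-injection defence, and the hunks as shown do not close a hole the old code had. `mysql_real_escape_string()` is also deprecated and needs an open ext/mysql link, so on a `$wpdb` that is not backed by ext/mysql it raises a warning and returns `false`, which the `%d`/`%s` formats then silently coerce rather than reject. I would restore the bare `$args['rating']`, `$args['user_ID']` and `$args['post_ID']` in both the insert and the prepared UPDATE, and instead validate `$_POST['rating']` at line 264 against the set of values the widget actually accepts (presumably its thumbs-up/thumbs-down tokens; confirm against the rest of the file) before it is placed in `$args`. Each of these hunks sits inside a function whose start and end are outside the diff, so any nonce or capability check around the `$_POST` read is not visible here.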