foppejan2
Forum Replies Created
Hi, thanks for the quick reply. We are on v4.8.0 (updated today) and the issue is still present. $wpdb->prepare() is not used in search.php.
Specifically, in wcpt_search__query() (search.php, around line 548 and 558):
// line 548 – phrase like
$esc_keyword_phrase = $wpdb->esc_like($keyword_phrase);
$post_ids = … $wpdb->get_col($query . " LIKE '%$esc_keyword_phrase%'");
// line 558 – keyword exact/like
$esc_keyword = $wpdb->esc_like($keyword);
$wpdb->esc_like() only escapes %, _, and \ for LIKE wildcards. It does not escape single quotes. The result is interpolated directly into a SQL string without esc_sql() or $wpdb->prepare(), so any search term
containing an apostrophe (e.g. “pinda’s”) causes a SQL syntax error.
The fix is to wrap with esc_sql():
$esc_keyword_phrase = esc_sql($wpdb->esc_like($keyword_phrase));
$esc_keyword = esc_sql($wpdb->esc_like($keyword));
Or better yet, use $wpdb->prepare() with %s placeholders.
Forum: Plugins
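The two constructions discussed in the reply above, side by side, as an added example (this is not code from the WCPT plugin or from the forum post). The WpdbStub class is an assumption: a minimal stand-in for the global $wpdb object so the file runs outside WordPress; its prepare() uses addslashes() where the real wpdb::prepare() uses the database driver's escaping, and it expects an unquoted %s placeholder, as the real method does.

```php
<?php
// Added example, not from the plugin or the forum thread.
// WpdbStub is a hypothetical stand-in for WordPress's $wpdb so this runs offline.
class WpdbStub {
    // Mirrors wpdb::esc_like(): escapes only the LIKE metacharacters \, % and _.
    // Single quotes are deliberately left alone, which is the point of the report.
    public function esc_like( $text ) {
        return addcslashes( $text, '_%\\' );
    }

    // Simplified wpdb::prepare(): each %s argument is escaped and single-quoted,
    // so the caller never builds a string literal by hand. Literal % signs in the
    // query would have to be written as %% here, as with the real method.
    public function prepare( $query, ...$args ) {
        $quoted = array_map( function ( $arg ) {
            return "'" . addslashes( (string) $arg ) . "'";
        }, $args );
        return vsprintf( $query, $quoted );
    }
}

// Pattern described in the report: esc_like() output interpolated straight into
// the SQL. An apostrophe in $keyword passes esc_like() untouched and terminates
// the quoted literal early, so the statement is no longer valid SQL.
function build_like_unsafe( $wpdb, $query, $keyword ) {
    $esc = $wpdb->esc_like( $keyword );
    return $query . " LIKE '%$esc%'";
}

// Hardened form: wildcards are added around the esc_like()'d term and the whole
// value is handed to prepare(), which quotes and escapes it as one literal.
function build_like_prepared( $wpdb, $query, $keyword ) {
    $like = '%' . $wpdb->esc_like( $keyword ) . '%';
    return $wpdb->prepare( $query . ' LIKE %s', $like );
}

// Cheap sanity check a reviewer can run over generated SQL: after removing
// backslash-escaped quotes, an odd number of single quotes means a broken literal.
function has_unbalanced_quote( $sql ) {
    $stripped = str_replace( "\\'", '', $sql );
    return substr_count( $stripped, "'" ) % 2 === 1;
}

$wpdb = new WpdbStub();
$base = 'SELECT ID FROM wp_posts WHERE post_title';
$term = "pinda's"; // constructed sample term, the kind of input the report mentions

$unsafe   = build_like_unsafe( $wpdb, $base, $term );
$prepared = build_like_prepared( $wpdb, $base, $term );

echo $unsafe, "\n";   // literal is cut in two by the apostrophe
echo $prepared, "\n"; // apostrophe escaped inside a single literal

var_dump( has_unbalanced_quote( $unsafe ) );   // true for the interpolated form
var_dump( has_unbalanced_quote( $prepared ) ); // false for the prepared form
```

Note that esc_like() and prepare() solve different problems and are both needed: esc_like() stops % and _ in user input from acting as wildcards, while prepare() (or, failing that, esc_sql()) makes the value safe to embed as a string literal. Applying only the first, as in the reported code, leaves quoting to string interpolation.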
In reply to: [SpeakOut! Email Petitions] widget ‘submit’ button broken (avada)
Forum: Plugins
In reply to: [Like Button Rating ♥ LikeBtn] Top comments!?
Can you give any indication as to how computationally heavy (and how much of a % increase in render time) sorting comments by like tally is compared to regular sorting? Would it be very noticeable for a site with a comment count that varies between 80 and 500 comments per article, and a few thousand page views per post per day?