Changeset 1539636


Timestamp:
11/24/16 06:02:50 (4 months ago)
Author:
SriniG
Message:

v2.0.8: Security updates. Preparing SQL queries the recommended way.

Location:
quotes-collection/trunk
Files:
4 edited

  • quotes-collection/trunk/inc/class-quotes-collection-db.php

    r1138881 r1539636  
    101101        if(!$data) return array(); 
    102102        global $allowedposttags; 
    103         // extract($data); 
     103 
    104104        $quote = wp_kses( stripslashes($data['quote']), $allowedposttags ); 
    105105        $author = wp_kses( stripslashes($data['author']), array( 'a' => array( 'href' => array(),'title' => array() ) ) ) ;  
     
    107107        $tags = strip_tags( stripslashes($data['tags']) ); 
    108108         
    109         $quote = "'".esc_sql($quote)."'"; 
    110         $author = $author?"'".esc_sql($author)."'":"NULL"; 
    111         $source = $source?"'".esc_sql($source)."'":"NULL"; 
    112109        $tags = explode(',', $tags); 
    113110        foreach ($tags as $key => $tag) 
    114111            $tags[$key] = trim($tag); 
    115112        $tags = implode(',', $tags); 
    116         $tags = $tags?"'".esc_sql($tags)."'":"NULL"; 
    117113        if( !isset( $data['public'] ) || ( isset( $data['public'] ) && $data['public'] == 'no' ) ) 
    118             $public = "'no'"; 
     114            $public = "no"; 
    119115        else 
    120             $public = "'yes'"; 
     116            $public = "yes"; 
    121117        $data = compact("quote", "author", "source", "tags", "public"); 
    122118        return $data; 
     
    139135 
    140136        extract($quote_data); 
    141         $insert = "INSERT INTO " . $this->table_name . 
     137         
     138        $insert = $this->db->prepare( "INSERT INTO " . $this->table_name . 
    142139            "(`quote`, `author`, `source`, `tags`, `public`, `time_added`)" . 
    143             "VALUES ({$quote}, {$author}, {$source}, {$tags}, {$public}, NOW())"; 
     140            "VALUES (%s, %s, %s, %s, %s, NOW())" , $quote, $author, $source, $tags, $public);    
    144141         
    145142        $result = $this->db->query($insert); 
     
    159156    public function put_quotes($quotes_data = array()) { 
    160157        if(!$quotes_data) return 0; 
     158 
     159        $values = array(); 
     160        $placeholders = array(); 
    161161 
    162162        $insert = "INSERT INTO " . $this->table_name . 
    163163            " (`quote`, `author`, `source`, `tags`, `public`, `time_added`)" . 
    164164            " VALUES "; 
    165         $values = ""; 
    166165 
    167166        foreach($quotes_data as $quote_data) { 
     
    170169            } 
    171170            $quote_data = $this->validate_data($quote_data); 
     171 
    172172            extract($quote_data); 
    173             if($values) $values .= ", "; 
    174             $values .= "({$quote}, {$author}, {$source}, {$tags}, {$public}, NOW())"; 
    175         } 
    176         $insert .= $values; 
     173 
     174            array_push($values, $quote, $author, $source, $tags, $public); 
     175 
     176            $placeholders[] = "(%s, %s, %s, %s, %s, NOW())"; 
     177        } 
     178 
     179        $insert .= implode(', ', $placeholders); 
     180 
     181        $insert = $this->db->prepare($insert, $values); 
     182 
    177183        return $this->db->query($insert); 
    178184    } 
     
    197203        extract($quote_data); 
    198204        $update = "UPDATE " . $this->table_name . " 
    199             SET `quote` = {$quote}, 
    200                 `author` = {$author}, 
    201                 `source` = {$source},  
    202                 `tags` = {$tags}, 
    203                 `public` = {$public},  
     205            SET `quote` = %s, 
     206                `author` = %s, 
     207                `source` = %s,  
     208                `tags` = %s, 
     209                `public` = %s,  
    204210                `time_updated` = NOW() 
    205             WHERE `quote_id` = $quote_id"; 
     211            WHERE `quote_id` = %d"; 
     212        $update = $this->db->prepare( $update, $quote, $author, $source, $tags, $public, $quote_id); 
    206213        return $this->db->query( $update ); 
    207214    } 
     
    231238        if(!$quote_ids) 
    232239            return 0; 
     240 
     241        foreach( $quote_ids as $quote_id ) { 
     242            if(! is_numeric($quote_id) ) 
     243                return 0; 
     244        } 
     245 
    233246        $sql = "DELETE FROM ".$this->table_name 
    234247            ."WHERE quote_id IN (".implode(', ', $quote_ids).")"; 
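Review bot: The delete path at the end of this section still builds its `IN (...)` list by concatenating `$quote_ids` straight into the query, guarded only by the new `is_numeric()` loop, while every other statement in the commit now goes through `$this->db->prepare()`. `is_numeric()` also accepts forms such as `'1.5'`, `'1e3'` or whitespace-padded strings, so the ids are not guaranteed to reach MySQL as plain integers. The `%d` placeholder already used in update_quote fits here and can reuse the array-argument form of prepare() that put_quotes relies on: `$placeholders = implode(', ', array_fill(0, count($quote_ids), '%d'));` followed by `$sql = $this->db->prepare("DELETE FROM " . $this->table_name . " WHERE quote_id IN ({$placeholders})", $quote_ids);`. As displayed, the existing concatenation also appears to lack a space between the table name and `WHERE` unless `$this->table_name` ends in one — worth confirming. delete_quotes begins and ends outside this hunk.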
  • quotes-collection/trunk/inc/class-quotes-collection.php

    r1539083 r1539636  
    1010     
    1111    /** Plugin version **/ 
    12     const PLUGIN_VERSION = '2.0.7'; 
     12    const PLUGIN_VERSION = '2.0.8'; 
    1313 
    1414    public $refresh_link_text; 
  • quotes-collection/trunk/quotes-collection.php

    r1539083 r1539636  
    44 * Plugin URI: http://srinig.com/wordpress/plugins/quotes-collection/ 
    55 * Description: Quotes Collection plugin with Ajax powered Random Quote sidebar widget helps you collect and display your favourite quotes in your WordPress blog/website. 
    6  * Version: 2.0.7 
     6 * Version: 2.0.8 
    77 * Author: Srini G 
    88 * Author URI: http://srinig.com/ 
  • quotes-collection/trunk/readme.txt

    r1539083 r1539636  
    255255==Changelog== 
    256256 
     257* **2016-11-24: Version 2.0.8** 
     258    * Security updates 
     259 
    257260* **2016-11-23: Version 2.0.7** 
    258261    * Security fixes 
     
    488491== Upgrade Notice == 
    489492 
    490 = 2.0.7 = 
     493= 2.0.8 = 
    491494Important security fixes. Upgrade highly recommended. If you upgrade from a version prior to 2.0, you will have to re-add the widget and set the widget options once again after upgrading. 
    492495 