broken SQL queries (no escaping) | WordPress.org

Resolved JasonWoof
(@jasonwoof)

7 years, 9 months ago
The code in this plugin doesn’t escape values before inserting them into SQL, so it breaks if you have plugins that add anything with single quotes to thumbnails something something. Anyway, near the bottom of category-thumbnails.php replace this line:
```
$wpdb->query(sprintf('UPDATE <code>%sterm_taxonomy</code> SET
```
term_thu
```
with this:
```
if ($data !== NULL) {
$data = base64_decode($data);
}
$wpdb->update(
$wpdb->prefix . ‘term_taxonomy’,
array(‘term_thumbnail’ => $data),
array(‘term_id’ => $category)
);
`

And now maybe the plugin will start working, and you own’t accidentally bork your entire database.

https://wordpress.org/plugins/category-thumbnails/

Viewing 1 replies (of 1 total)

Plugin Author Patrick
(@hovida)

6 years, 11 months ago

Thanks for the update 🙂

Had update the code, Plugin-Update coming soon.

Viewing 1 replies (of 1 total)

The topic ‘broken SQL queries (no escaping)’ is closed to new replies.

In: Plugins
1 reply
1 participant
Last reply from: JasonWoof
Last activity: 6 years, 11 months ago
Status: resolved