Fix for deprecated mysql_real_escape_string()

Dave Tate
(@davetee)

7 years, 6 months ago
This plugin is great, but after changing hosts (PHP 5.5) it stopped working for me. The warning “PHP Warning: mysql_real_escape_string(): A link to the server could not be established in ../advanced-custom-sort/acs.php on line 225” ultimately resulted in a SQL syntax error.

Here’s is a fix, which I think would be backwards-compatible:
```
- $group_name = mysql_real_escape_string($group_name);
- $group_id = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$group_name' AND post_type = 'acs' LIMIT 1");
+ $group_id = $wpdb->get_var($wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title = '%s' AND post_type = 'acs' LIMIT 1", $group_name));
```
https://wordpress.org/plugins/advanced-custom-sort/

Viewing 4 replies - 1 through 4 (of 4 total)

hanoman

(@solja7)

6 years, 10 months ago

Awesome! That fixed the issue.

@logikal16 I would be happy to add this fix if you have the plugin repo.

Matt Gibbs

(@mgibbs189)

6 years, 10 months ago

@dtateii @Population2 I wouldn’t recommend using this plugin anymore.

For more flexibility, check out the Custom Field Suite plugin (I’m the author). It includes a Relationship field type, which does the exact same thing this plugin does. It also lets you drag-and-drop to reorder items.

Oscar Estepa

(@estepix)

6 years, 9 months ago

+1 to the fix proposed by dtateii

I reached the same conclusion before hitting support. Here is a diff in case it helps:

diff --git a/wp-content/plugins/advanced-custom-sort/acs.php b/wp-content/plugins/advanced-custom-sort/acs.php
index a000a5b..8296248 100644
--- a/wp-content/plugins/advanced-custom-sort/acs.php
+++ b/wp-content/plugins/advanced-custom-sort/acs.php
@@ -222,8 +222,7 @@ class Acs

         $opts = array_merge($defaults, $opts);

-        $group_name = mysql_real_escape_string($group_name);
-        $group_id = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$group_name' AND post_type = '
+        $group_id = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_title = '%s' AND post_
         $posts = get_post_meta($group_id, 'post_order', true);
         $array = (array) unserialize($posts);

It would be great to see this fix added to plugin repo.

Oscar Estepa

(@estepix)

6 years, 8 months ago

Please discard my previous diff code, I did not copy it correctly, this one is correct though:

diff --git a/wp-content/plugins/advanced-custom-sort/acs.php b/wp-content/plugins/advanced-custom-sort/acs.php
index a000a5b..c8975fb 100644
--- a/wp-content/plugins/advanced-custom-sort/acs.php
+++ b/wp-content/plugins/advanced-custom-sort/acs.php
@@ -222,10 +222,11 @@ class Acs

         $opts = array_merge($defaults, $opts);

-        $group_name = mysql_real_escape_string($group_name);
-        $group_id = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$group_name' AND post_type = 'acs' LIMIT 1");
+        $group_id = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_title = '%s' AND post_type = 'acs' LIMIT 1", $group_name ) );
         $posts = get_post_meta($group_id, 'post_order', true);
         $array = (array) unserialize($posts);
+
+        

         if ($opts['output'] == 'string')
         {

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Fix for deprecated mysql_real_escape_string()’ is closed to new replies.

Views