Support » Plugin: Advanced Custom Sort » Fix for deprecated mysql_real_escape_string()

  • This plugin is great, but after changing hosts (PHP 5.5) it stopped working for me. The warning “PHP Warning: mysql_real_escape_string(): A link to the server could not be established in ../advanced-custom-sort/acs.php on line 225” ultimately resulted in a SQL syntax error.

    Here’s a fix, which I think would be backwards-compatible:

    - $group_name = mysql_real_escape_string($group_name);
    - $group_id = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$group_name' AND post_type = 'acs' LIMIT 1");
    + $group_id = $wpdb->get_var($wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_title = '%s' AND post_type = 'acs' LIMIT 1", $group_name));
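
    Review bot: The `%s` placeholder on the `+` line is wrapped in single quotes (`post_title = '%s'`), but the documentation for `$wpdb->prepare()` says placeholders are to be left unquoted, because `prepare()` adds the quoting and escaping for the value itself. Suggest writing `post_title = %s` and keeping `$group_name` as the bound argument, so the query does not depend on `prepare()` stripping the extra quotes.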

    https://wordpress.org/plugins/advanced-custom-sort/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Awesome! That fixed the issue.

    @logikal16 I would be happy to add this fix if you have the plugin repo.

    @dtateii @Population2 I wouldn’t recommend using this plugin anymore.

    For more flexibility, check out the Custom Field Suite plugin (I’m the author). It includes a Relationship field type, which does the exact same thing this plugin does. It also lets you drag-and-drop to reorder items.

    +1 to the fix proposed by dtateii

    I reached the same conclusion before hitting support. Here is a diff in case it helps:

    diff --git a/wp-content/plugins/advanced-custom-sort/acs.php b/wp-content/plugins/advanced-custom-sort/acs.php
    index a000a5b..8296248 100644
    --- a/wp-content/plugins/advanced-custom-sort/acs.php
    +++ b/wp-content/plugins/advanced-custom-sort/acs.php
    @@ -222,8 +222,7 @@ class Acs
    
             $opts = array_merge($defaults, $opts);
    
    -        $group_name = mysql_real_escape_string($group_name);
    -        $group_id = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$group_name' AND post_type = '
    +        $group_id = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_title = '%s' AND post_
             $posts = get_post_meta($group_id, 'post_order', true);
             $array = (array) unserialize($posts);
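
    Review bot: Both changed lines in this hunk are cut off mid-string (the `-` line ends at `post_type = '` and the `+` line ends at `post_`), so the `$wpdb->prepare()` call as posted has no closing quote, no `$group_name` argument and no closing parentheses, and the hunk cannot be applied. Regenerate the diff without line truncation so the full `+` line, including the bound `$group_name` argument, is visible for review.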

    It would be great to see this fix added to the plugin repo.

    Please discard my previous diff code; I did not copy it correctly. This one is correct, though:

    diff --git a/wp-content/plugins/advanced-custom-sort/acs.php b/wp-content/plugins/advanced-custom-sort/acs.php
    index a000a5b..c8975fb 100644
    --- a/wp-content/plugins/advanced-custom-sort/acs.php
    +++ b/wp-content/plugins/advanced-custom-sort/acs.php
    @@ -222,10 +222,11 @@ class Acs
    
             $opts = array_merge($defaults, $opts);
    
    -        $group_name = mysql_real_escape_string($group_name);
    -        $group_id = $wpdb->get_var("SELECT ID FROM $wpdb->posts WHERE post_title = '$group_name' AND post_type = 'acs' LIMIT 1");
    +        $group_id = $wpdb->get_var( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_title = '%s' AND post_type = 'acs' LIMIT 1", $group_name ) );
             $posts = get_post_meta($group_id, 'post_order', true);
             $array = (array) unserialize($posts);
    +
    +        
    
             if ($opts['output'] == 'string')
             {
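
    Review bot: The two `+` lines added after `$array = (array) unserialize($posts);` contain only whitespace (one empty line and one line of trailing spaces) and have nothing to do with the query fix. Drop them so the patch touches only the `$group_id` assignment, which keeps the change minimal and avoids introducing trailing whitespace into acs.php.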