Simple Ads Manager
Category and tag names not properly escaped for mysql. (2 posts)

  1. Zlatev
    Posted 4 years ago

    I'm talking about the buildAd function. Obviously, when building a query string containing " FIND_IN_SET(\"{$category->cat_name}\", $aTable.view_cats)", if the category name contains double quotes, this fails.

    I had to throw in a quick fix: ad.class.php, line 158

    // escape the category name before interpolating it into the FIND_IN_SET() clause
    $cat_name_db = $wpdb->_real_escape( $category->cat_name );
    if(empty($wcc_0)) $wcc_0 = " FIND_IN_SET(\"{$cat_name_db}\", $aTable.view_cats)";

    and line 174

    // same treatment for the tag name
    $tag_name_db = $wpdb->_real_escape( $tag->name );
    if(empty($wct_0)) $wct_0 = " FIND_IN_SET(\"{$tag_name_db}\", $aTable.view_tags)";

    There could be more; I didn't go through the whole thing.

    Nice plugin. Keep up the good work.
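
The clause the post describes, shown as an added example that is not the plugin's own code nor the poster's patch: the interpolated form beside a version that binds the value with $wpdb->prepare(), which is the usual WordPress way to escape and quote a string parameter. It assumes WordPress is loaded so $wpdb exists, that $aTable is the table name or alias the plugin's query uses, and the function names are hypothetical.

```php
<?php
// Added example, not code from the Simple Ads Manager plugin.
// Assumes WordPress is loaded ($wpdb available); $aTable is assumed to be the
// table name/alias used by the plugin's buildAd query; function names are hypothetical.

/**
 * Interpolated form, as in the post: the category name goes straight into the SQL,
 * so a name containing a double quote breaks the quoting of the string literal.
 */
function sam_cat_clause_unsafe($aTable, $cat_name) {
    return " FIND_IN_SET(\"{$cat_name}\", {$aTable}.view_cats)";
}

/**
 * Bound form: %s makes $wpdb->prepare() escape the value and wrap it in single
 * quotes, so any quote characters inside the name stay part of the literal.
 * The same pattern applies to tag names (view_tags) or, later, to slugs.
 */
function sam_cat_clause_safe($wpdb, $aTable, $cat_name) {
    // Only the value is bound; the table/column identifier is not user-controlled here.
    return $wpdb->prepare(" FIND_IN_SET(%s, {$aTable}.view_cats)", $cat_name);
}

// Constructed sample input: a category name with an embedded double quote.
$sample_name = 'Say "hi"';

// Unsafe clause: the inner quote terminates the string literal early.
echo sam_cat_clause_unsafe('a', $sample_name), "\n";

// Safe clause: the quote is escaped and the literal stays intact.
echo sam_cat_clause_safe($wpdb, 'a', $sample_name), "\n";
```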


  2. minimus
    Plugin Author

    Posted 4 years ago

    Wait for version 1.5! Categories (tags, authors) will be detected by slug, not by name...

Topic Closed
