
[Plugin: Simple Ads Manager] Category and tag names not properly escaped for mysql.

  • I’m talking about the buildAd function. Obviously, when building a query string containing " FIND_IN_SET(\"{$category->cat_name}\", $aTable.view_cats)", if the category name contains double quotes this fails.

    I had to throw in a quick fix: ad.class.php, line 158

    // escape the category name before it is interpolated into the query string
    $cat_name_db = $wpdb->_real_escape( $category->cat_name );
    if ( empty( $wcc_0 ) ) $wcc_0 = " FIND_IN_SET(\"{$cat_name_db}\", $aTable.view_cats)";
    [...]

    and line 174

    // same treatment for the tag name
    $tag_name_db = $wpdb->_real_escape( $tag->name );
    if ( empty( $wct_0 ) ) $wct_0 = " FIND_IN_SET(\"{$tag_name_db}\", $aTable.view_tags)";

    There could be more; I didn’t go through the whole thing.

    Nice plugin. Keep up the good work.

    http://wordpress.org/extend/plugins/simple-ads-manager/
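A parameterized way to build the same clause, added here as an example and not code from the plugin or from the poster. It assumes WordPress is loaded so the global $wpdb (and wpdb::prepare) is available, and it reuses the $aTable and view_cats / view_tags names from the snippets above; the function name sam_in_set_clause is hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress's global $wpdb is
// loaded. $aTable is the ads table name used in the thread; $column is
// 'view_cats' or 'view_tags'; $names is a list of category or tag names.
function sam_in_set_clause( $wpdb, $aTable, $column, array $names ) {
    if ( empty( $names ) ) {
        return '';
    }

    // One %s placeholder per name. wpdb::prepare quotes and escapes every
    // value, so a name such as 6" Pipes or O'Reilly cannot break out of the
    // string literal the way the interpolated "{$category->cat_name}" could.
    $parts = array_fill(
        0,
        count( $names ),
        "FIND_IN_SET(%s, {$aTable}.{$column})"
    );
    $sql = ' (' . implode( ' OR ', $parts ) . ')';

    // prepare() accepts the values as a single array argument.
    return $wpdb->prepare( $sql, $names );
}

// Usage inside a WordPress request (constructed illustration):
// global $wpdb;
// $names = array_map( function ( $c ) { return $c->cat_name; }, get_the_category() );
// $where = sam_in_set_clause( $wpdb, $aTable, 'view_cats', $names );
```

Note that escaping only fixes the SQL syntax problem: FIND_IN_SET splits its second argument on commas, so a name that itself contains a comma can never match, which is one reason matching by slug (as the author proposes below) is the more robust choice.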

  • Plugin Author minimus

    @minimus

    Wait for version 1.5! Categories (tags, authors) will be detected by slug, not by name…
