Forum Replies Created

Viewing 1 replies (of 1 total)
  • Hey people, had the same issue here and found out something interesting: if you have a recent version of the mysql client, there's a deprecated mysql function implemented in the file

    wp-customer-reviews/wp-customer-reviews-admin.php

    here's what I did to fix it:

    Under this file for the plugin, “wp-customer-reviews/wp-customer-reviews-admin.php”, we remove all the mysql_real_escape_string function calls, leaving only the variable assignment.
    From this:

    $update_col = mysql_real_escape_string($col);
    $update_val = mysql_real_escape_string($d2);

    To this:

    $update_col = $col;
    $update_val = $d2;

    Note: there are about 6 lines where this function is used; make sure all are removed.

    And to accomplish the SQL injection security function that we just removed, we do the following:

    We change these lines:

    if ($update_col !== false && $update_val !== false) {
        $query = "UPDATE '$this->dbtable' SET '$update_col'='$update_val' WHERE 'id'={$this->p->r} LIMIT 1";
        $wpdb->query($query);
        echo $show_val;
    }

    to this:

    if ($update_col !== false && $update_val !== false) {
        // A column name cannot be bound as a placeholder, so $update_col must come from a
        // fixed list of known columns; backticks (not single quotes) mark MySQL identifiers.
        // The value and id go in as %s / %d placeholders, which prepare() quotes and escapes.
        $queryFixed = $wpdb->prepare(
            "UPDATE `{$this->dbtable}` SET `{$update_col}` = %s WHERE `id` = %d LIMIT 1",
            $update_val,
            $this->p->r
        );
        $wpdb->query($queryFixed);
        echo $show_val;
    }

    From the WordPress documentation, $wpdb->prepare() is used to avoid SQL injection in our current query; this should do the trick.

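As an added example (not the poster's code and not the plugin's own), here is the same update written as a stand-alone helper that allowlists the column name and binds the value and the row id through $wpdb->prepare(); the function name, the column list and the table name are assumptions, and it assumes it runs inside WordPress where the global $wpdb is available.

```php
<?php
/**
 * Hypothetical helper, not part of wp-customer-reviews: update one column of one
 * review row without building the SQL from untrusted input.
 * Assumes it runs inside WordPress, so the global $wpdb object exists.
 */
function wpcr_example_update_review_field($table, $col, $value, $id)
{
    global $wpdb;

    // Placeholders only work for values, never for identifiers, so the column
    // name is checked against a fixed list (assumed column names) instead of
    // being escaped or interpolated.
    $allowed_columns = array('reviewer_name', 'review_title', 'review_text', 'status');
    if (!in_array($col, $allowed_columns, true)) {
        return false; // unknown column: refuse the update rather than interpolate it
    }

    // %s is quoted and escaped by prepare(); %d is cast to an integer.
    // Backticks mark the table and column as MySQL identifiers.
    $sql = $wpdb->prepare(
        "UPDATE `{$table}` SET `{$col}` = %s WHERE `id` = %d LIMIT 1",
        $value,
        $id
    );

    return $wpdb->query($sql); // affected row count, or false on error
}

// Usage (table name is an assumption): the apostrophe in the value is handled by prepare(),
// not by the caller.
global $wpdb;
wpcr_example_update_review_field($wpdb->prefix . 'example_reviews', 'review_title', "Fan's choice", 42);
```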