Title: corsoduke's Replies | WordPress.org

---

# corsoduke


## Forum Replies Created

Viewing 1 replies (of 1 total)

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[WP Customer Reviews] Official Response](https://wordpress.org/support/topic/official-response/)
 *  [corsoduke](https://wordpress.org/support/users/corsoduke/)
 * (@corsoduke)
 * [10 years, 9 months ago](https://wordpress.org/support/topic/official-response/#post-6405692)
 * Hey people, had the same issue here and found out something interesting: if you
   have recent versions of the mysql client there's a deprecated mysql function implemented
   in the file
 * > wp-customer-reviews/wp-customer-reviews-admin.php
 *  here's what I did to fix it:
 * Under this file for the plugin
    “wp-customer-reviews/wp-customer-reviews-admin.php”, we remove all the mysql_real_escape_string function calls, leaving only the variable
   assignment; from this:
 *     ```
       $update_col = mysql_real_escape_string($col);
       $update_val = mysql_real_escape_string($d2);
       ```
   
 * To this:
 *     ```
       $update_col = $col;
       $update_val = $d2;
       ```
   
 * Note: there are about 6 lines where this function is used; make sure all are removed.
 * And to accomplish our SQL injection security function that we just removed, we
   do the following:
 * We change these lines:
 *     ```
       if ($update_col !== false && $update_val !== false) {
           $query = "UPDATE '$this->dbtable' SET '$update_col'='$update_val' WHERE 'id'={$this->p->r} LIMIT 1";
           $wpdb->query($query);
           echo $show_val;
       }
       ```
   
 * to this:
 *     ```
       if ($update_col !== false && $update_val !== false) {
           $query = "UPDATE '$this->dbtable' SET '$update_col'='$update_val' WHERE 'id'={$this->p->r} LIMIT 1";
           $queryFixed = $wpdb->prepare($query, $update_col);
           $wpdb->query($queryFixed);
           echo $show_val;
       }
       ```
   
 * From the WordPress documentation, $wpdb->prepare() is used to avoid SQL injection
   on our current query; this should do the trick.
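
The pattern the reply describes, as an added example that is not the plugin's code and not part of the forum post: the deprecated `mysql_real_escape_string()` is dropped, the value is bound through `$wpdb->prepare()`, and the column name, which `prepare()` cannot bind as a `%s` placeholder, is checked against a fixed allow-list before it is placed in the query. The `wpdb_stub` class, the column list, the table name and the function name are all constructed here so the file runs under `php` outside WordPress; in a plugin the global `$wpdb` supplies `prepare()` and `query()`.

```php
<?php
// Added example (not the plugin's own code). Demonstrates replacing
// mysql_real_escape_string() with $wpdb->prepare() plus a column allow-list.

// Stand-in for the WordPress $wpdb object so this file runs offline.
// It only approximates wpdb::prepare(): %s becomes a quoted, escaped
// string and %d an integer, which is enough to show the resulting SQL.
class wpdb_stub {
    public $last_query = '';

    public function prepare( $query, ...$args ) {
        $i = 0;
        return preg_replace_callback( '/%[sd]/', function ( $m ) use ( &$i, $args ) {
            $arg = $args[ $i++ ];
            if ( $m[0] === '%d' ) {
                return (string) intval( $arg );
            }
            return "'" . addslashes( (string) $arg ) . "'";
        }, $query );
    }

    public function query( $sql ) {
        $this->last_query = $sql; // a real wpdb would execute it here
        return 1;
    }
}

// Constructed allow-list of columns the admin screen may edit
// (hypothetical names; the real plugin defines its own schema).
const WPCR_EDITABLE_COLUMNS = array( 'review_title', 'review_text', 'status' );

// Builds and runs the UPDATE for one review field. Returns the SQL that was
// executed, or false when the column is not on the allow-list.
function wpcr_update_review_field( $wpdb, $table, $col, $val, $id ) {
    if ( ! in_array( $col, WPCR_EDITABLE_COLUMNS, true ) ) {
        return false; // unknown column: refuse rather than interpolate it
    }
    // $col is now one of a few known constants, so it is safe in backticks.
    // The value and the id are bound by prepare(); no quotes go around %s,
    // because prepare() adds them itself.
    $sql = $wpdb->prepare(
        "UPDATE `{$table}` SET `{$col}` = %s WHERE `id` = %d LIMIT 1",
        $val,
        $id
    );
    $wpdb->query( $sql );
    return $sql;
}

// --- demonstration with constructed input ---
$wpdb  = new wpdb_stub();
$table = 'wp_wpcreviews'; // constructed table name

// A value containing a quote is escaped and quoted by prepare().
echo wpcr_update_review_field( $wpdb, $table, 'review_text', "great 'n cheap", 42 ), "\n";

// A column that is not on the allow-list is rejected before any SQL is built.
var_dump( wpcr_update_review_field( $wpdb, $table, 'user_pass', 'y', 42 ) );
```

The stub's `prepare()` is a rough imitation: the real `wpdb::prepare()` escapes through the database connection rather than `addslashes()`, and WordPress 6.2 and later also accept an `%i` placeholder for identifiers, which would let the column name be bound as well once the allow-list check has passed.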
