Uploaded image for project: 'Planet4'
  1. Planet4
  2. PLANET-3584

Fix campaign exporter SQL creation

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Blocker Blocker
    • 1.56
    • None
    • 2
    • Campaigns
    • Sprint #90

      The (non released yet) functionality of campaign exporter has two parts that are vulnerable to SQL injections.
      exporter-helper.php Line: 33
      ```
      $wpdb->get_col(sprintf("SELECT meta_value FROM {$wpdb->postmeta} WHERE ( meta_key = '_thumbnail_id' or meta_key = 'backg round_image_id' ) AND post_id IN(%s)", implode(',', $post_ids)));
      ```

      And :
      exporter-helper.php Line: 47

      ```
      $wpdb->get_col("SELECT post_content FROM {$wpdb->posts} WHERE ID IN( " . implode(',', $post_ids) . " ) AND post_content REGEXP '((wp-image-|wp-att-)[0-9][0-9]*)|\\\\[gallery |shortcake
      _|href=|src='");
      ```

      Task: Sanitise the SQL
      Use command un WPDB to create the SQL query sanitised. Please create sanitised SQL query

            sdeshmuk Sagar Deshmukh
            kkokkoro Konstantinos Kokkorogiannis (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved: