Fix potential SQLi through improper use of API functions.

git-svn-id: http://core.svn.wordpress.org/trunk@24875 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2024-06-25 06:14:58 +02:00 · 2013-07-29 18:16:47 +00:00 · 2013-07-29 18:16:47 +00:00 · 5c57c78afa
commit 5c57c78afa
parent f39e2c28ce
2 changed files with 2 additions and 2 deletions
--- a/wp-admin/includes/ms.php
+++ b/wp-admin/includes/ms.php
@ -371,7 +371,7 @@ function update_user_status( $id, $pref, $value, $deprecated = null ) {
 	if ( null !== $deprecated )
 		_deprecated_argument( __FUNCTION__, '3.1' );

-	$wpdb->update( $wpdb->users, array( $pref => $value ), array( 'ID' => $id ) );
+	$wpdb->update( $wpdb->users, array( sanitize_key( $pref ) => $value ), array( 'ID' => $id ) );

 	$user = new WP_User( $id );
 	clean_user_cache( $user );
--- a/wp-includes/bookmark.php
+++ b/wp-includes/bookmark.php
@ -186,7 +186,7 @@ function get_bookmarks($args = '') {
 	}

 	if ( ! empty($search) ) {
-		$search = like_escape($search);
+		$search = esc_sql( like_escape( $search ) );
 		$search = " AND ( (link_url LIKE '%$search%') OR (link_name LIKE '%$search%') OR (link_description LIKE '%$search%') ) ";
 	}