From a0bc51f8d80f08468b4ac3f4779e1890ded25bb0 Mon Sep 17 00:00:00 2001
From: markjaquith
Date: Wed, 1 Dec 2010 01:51:32 +0000
Subject: [PATCH] Use prepare() instead of addslashes(). props wpmuguru.
git-svn-id: http://svn.automattic.com/wordpress/trunk@16643 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/comment.php | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index debb669116..c370102117 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -1865,9 +1865,8 @@ function trackback($trackback_url, $title, $excerpt, $ID) {
 if ( is_wp_error( $response ) )
 return;
- $tb_url = addslashes( $trackback_url );
- $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET pinged = CONCAT(pinged, '\n', '$tb_url') WHERE ID = %d", $ID) );
- return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_url', '')) WHERE ID = %d", $ID) );
+ $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET pinged = CONCAT(pinged, '\n', %s) WHERE ID = %d", $trackback_url, $ID) );
+ return $wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, %s, '')) WHERE ID = %d", $trackback_url, $ID) );
 }
 /**
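Review bot: `REPLACE(to_ping, %s, '')` on the new last line removes every literal occurrence of `$trackback_url` from `to_ping`, so a queued URL that merely contains the pinged one (e.g. `http://example.com/post` inside `http://example.com/post-2`) is truncated rather than left intact; the move to a `%s` placeholder is the right fix for the quoting problem but inherits this substring match. A whole-entry removal — read `to_ping`, drop only exact-line matches in PHP, and write the result back through a prepared `UPDATE` — would avoid corrupting neighbouring entries; failing that, a comment such as `// NOTE: REPLACE() is a substring match and may clip other queued URLs that contain this one` should sit above the query. The first `$wpdb->query()` result is discarded and only the second is returned, so a failed `pinged` update goes unnoticed. The enclosing `trackback()` starts before this hunk, so whether `$wpdb` is brought in via `global $wpdb` and how `$response` was produced are not visible here.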