Merge pull request #33 from markjaquith/security

Use a token when escaping the add_order_item query. props @joncave
woocommerce · Sep 30, 2011 · 2a5d731 · 2a5d731
2 parents ed5b4b0 + 278b87d
commit 2a5d731
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/woocommerce_actions.php b/woocommerce_actions.php
@@ -186,9 +186,9 @@ function woocommerce_add_order_item() {
 			WHERE $wpdb->postmeta.meta_key = 'sku'
 			AND $wpdb->posts.post_status = 'publish'
 			AND $wpdb->posts.post_type = 'shop_product'
-			AND $wpdb->postmeta.meta_value = '".$item_to_add."'
+			AND $wpdb->postmeta.meta_value = %s
 			LIMIT 1
-		"));
+		"), $item_to_add );
 		$post = get_post( $post_id );
 	endif;
 
@@ -1001,4 +1001,4 @@ function woocommerce_ecommerce_tracking( $order_id ) {
 		})();
 	</script>
 	<?php
-} 
+}