
Commit a99667d

Piotr PestaPiotr Pesta
Piotr Pesta
authored and
Piotr Pesta
committed
sql injection fix, code cleanup
git-svn-id: https://plugins.svn.wordpress.org/most-popular-posts-widget-lite/trunk@1081078 b8457f37-d9ea-0310-8a92-e5e31aec5664
1 parent 8ad66b0 commit a99667d

3 files changed

+15
-12
lines changed


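--- a/functions.php
+++ b/functions.php
@@ -4,12 +4,12 @@
 function add_views($postID) {
 global $wpdb;
 $popular_posts_statistics_table = $wpdb->prefix . 'popular_posts_statistics';
-if (!$wpdb->query("SELECT hit_count FROM $popular_posts_statistics_table WHERE post_id = $postID") && $postID != 1 && !preg_match('/bot|spider|crawler|slurp|curl|^$/i', $_SERVER['HTTP_USER_AGENT'])) { //jeśli nie istnieje rekord hit_count z podanym ID oraz ID nie jest równe 1 oraz odwiedzający nie jest botem
-$result = $wpdb->query("INSERT INTO $popular_posts_statistics_table (post_id, hit_count, date) VALUES ($postID, 1, NOW())"); //dodaje do tablicy id postu, date oraz hit
-}elseif ($postID != 1 && !preg_match('/bot|spider|crawler|slurp|curl|^$/i', $_SERVER['HTTP_USER_AGENT'])) { //w innym przypadku...
-$hitsnumber = $wpdb->get_results("SELECT hit_count FROM $popular_posts_statistics_table WHERE post_id = $postID", ARRAY_A);
+if (!$wpdb->query($wpdb->prepare("SELECT hit_count FROM $popular_posts_statistics_table WHERE post_id = %d", $postID)) && !preg_match('/bot|spider|crawler|slurp|curl|^$/i', $_SERVER['HTTP_USER_AGENT'])) { //jeśli nie istnieje rekord hit_count z podanym ID oraz ID nie jest równe 1 oraz odwiedzający nie jest botem
+$wpdb->query($wpdb->prepare("INSERT INTO $popular_posts_statistics_table (post_id, hit_count, date) VALUES (%d, 1, NOW())", $postID)); //dodaje do tablicy id postu, date oraz hit
+}elseif (!preg_match('/bot|spider|crawler|slurp|curl|^$/i', $_SERVER['HTTP_USER_AGENT'])) { //w innym przypadku...
+$hitsnumber = $wpdb->get_results($wpdb->prepare("SELECT hit_count FROM $popular_posts_statistics_table WHERE post_id = %d", $postID), ARRAY_A);
 $hitsnumber = $hitsnumber[0]['hit_count'];
-$result = $wpdb->query("UPDATE $popular_posts_statistics_table SET hit_count = $hitsnumber + 1, date = NOW() WHERE post_id = $postID");
+$wpdb->query($wpdb->prepare("UPDATE $popular_posts_statistics_table SET hit_count = %d + 1, date = NOW() WHERE post_id = %d", $hitsnumber, $postID));
 }
 }
 
@@ -19,17 +19,17 @@ function show_views($postID, $posnumber, $numberofdays, $ignoredpages) {
 $popular_posts_statistics_table = $wpdb->prefix . 'popular_posts_statistics';
 $posts_table = $wpdb->prefix . 'posts';
 if ($wpdb->query("SELECT hit_count FROM $popular_posts_statistics_table")) {
-$result = $wpdb->get_results("SELECT hit_count FROM $popular_posts_statistics_table WHERE date >= NOW() - INTERVAL $numberofdays DAY ORDER BY hit_count DESC", ARRAY_A);
-$post_id_number = $wpdb->get_results("SELECT post_id FROM $popular_posts_statistics_table WHERE date >= NOW() - INTERVAL $numberofdays DAY ORDER BY hit_count DESC LIMIT $posnumber", ARRAY_A);
+$result = $wpdb->get_results($wpdb->prepare("SELECT hit_count FROM $popular_posts_statistics_table WHERE date >= NOW() - INTERVAL %d DAY ORDER BY hit_count DESC", $numberofdays), ARRAY_A);
+$post_id_number = $wpdb->get_results($wpdb->prepare("SELECT post_id FROM $popular_posts_statistics_table WHERE date >= NOW() - INTERVAL %d DAY ORDER BY hit_count DESC LIMIT %d", $numberofdays, $posnumber), ARRAY_A);
 echo "<ol>";
 for ($i = 0; $i < count($post_id_number); ++$i) {
 $post_number = $post_id_number[$i]['post_id'];
 $post_link = get_permalink($post_number); //zdobywanie permalinka
 $countbeginning = "<br /><span id=\"pp-count\">";
 $countending = "</span></span><br />";
-$post_name_by_id = $wpdb->get_results("SELECT post_title FROM $posts_table WHERE ID = $post_number", ARRAY_A);
+$post_name_by_id = $wpdb->get_results($wpdb->prepare("SELECT post_title FROM $posts_table WHERE ID = %d", $post_number), ARRAY_A);
 if (!$post_name_by_id){ //sprawdza, czy post o danym ID istnieje, jeśli nie - kasuje rekord i przerywa skrypt (który by wyświetlał błąd w pierwszej linii)
-$wpdb->query("DELETE FROM $popular_posts_statistics_table WHERE post_id = $post_number");
+$wpdb->query($wpdb->prepare("DELETE FROM $popular_posts_statistics_table WHERE post_id = %d", $post_number));
 break;
 }
 if (in_array($post_number, $ignoredpages)) { //sprawdza, czy postu nie ma na liście banów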
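Review bot: The elseif branch of add_views (new lines 10–12) still reads hit_count into $hitsnumber and writes back `%d + 1`, so two concurrent hits on the same post can both read the same value and one increment is lost; prepare() closed the injection but left this read-modify-write race. An atomic `$wpdb->query($wpdb->prepare("UPDATE $popular_posts_statistics_table SET hit_count = hit_count + 1, date = NOW() WHERE post_id = %d", $postID));` makes the preceding SELECT and the $hitsnumber temporary unnecessary. Separately, both conditions read `$_SERVER['HTTP_USER_AGENT']` unguarded; a request without that header raises a notice and hands null to preg_match, so read it once into a local with `isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''` and test that. Note also that the rewritten conditions drop the old `$postID != 1` guard while the comment on line 7 still says the ID must not equal 1 — a behaviour change the commit message does not mention, so either restore the check or update the comment.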

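--- a/pp-popular-posts.php
+++ b/pp-popular-posts.php
@@ -4,7 +4,7 @@
 Plugin URI: http://smartfan.pl/
 Description: Widget which displays statistics of most popular posts based on mumber of visits. Lite version.
 Author: Piotr Pesta
-Version: 0.8
+Version: 0.9
 Author URI: http://smartfan.pl/
 License: GPL12
 */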

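--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Tags: widget, bars, pupular, pupularity, visits, counter
 Author: Piotr Pesta
 Requires at least: 2.8.0
 Tested up to: 4.1
-Stable tag: 0.8
+Stable tag: 0.9
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -34,4 +34,7 @@ Or just add .zip file as a new plugin in your Wordpress administration panel.
 
 == Changelog ==
 * 0.8
-Initial Release
+Initial Release
+* 0.9
+Code cleanup
+SQL Injection security fix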
