From b18299bf56115b9d54acd50110708d6aeed9d56d Mon Sep 17 00:00:00 2001
From: n0099
Date: Fri, 25 Jun 2021 08:38:47 +0800
Subject: [PATCH] fix: use $wpdb->prepare() to reduce vulnerability of sql injection
---
 inc/theme-widgets.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inc/theme-widgets.php b/inc/theme-widgets.php
index 0532987..3f74b09 100644
--- a/inc/theme-widgets.php
+++ b/inc/theme-widgets.php
@@ -125,7 +125,7 @@ function string_cut($string, $sublen, $start = 0, $code = 'UTF-8') {
 function latest_comments($list_number=5, $cut_length=50) {
 global $wpdb, $output;
- $comments = $wpdb->get_results($wpdb->prepare("SELECT comment_ID, comment_post_ID, comment_author, comment_date_gmt, comment_content FROM {$wpdb->comments} LEFT OUTER JOIN {$wpdb->posts} ON {$wpdb->comments}.comment_post_ID = {$wpdb->posts}.ID WHERE comment_approved = '1' AND (comment_type = '' OR comment_type = 'comment') AND user_id != '1' AND post_password = '' ORDER BY comment_date_gmt DESC LIMIT %d", $list_number));
+ $comments = $wpdb->get_results($wpdb->prepare("SELECT comment_ID, comment_post_ID, comment_author, comment_author_email, comment_date_gmt, comment_content FROM {$wpdb->comments} LEFT OUTER JOIN {$wpdb->posts} ON {$wpdb->comments}.comment_post_ID = {$wpdb->posts}.ID WHERE comment_approved = '1' AND (comment_type = '' OR comment_type = 'comment') AND user_id != '1' AND post_password = '' ORDER BY comment_date_gmt DESC LIMIT %d", $list_number));
 foreach ($comments as $comment) {
 $nickname = esc_attr($comment->comment_author) ?: __('匿名', 'kratos');
 $output .= '
' . get_avatar($comment, 60) . '
' . $nickname . ' ' . __('发布于 ', 'kratos') . timeago($comment->comment_date_gmt) . ' ' . convert_smilies(esc_attr(string_cut(strip_tags($comment->comment_content), $cut_length))) . '
';
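Review bot: The removed line in this hunk already wraps the query in `$wpdb->prepare()` with `%d` bound to `$list_number`, so the only effective change on the `$comments =` line is the added `comment_author_email` column, which the subject line does not describe; the commit message should state why that column is now selected. Nothing visible echoes the address — `$comment` is only handed to `get_avatar($comment, 60)`, which presumably uses it for the avatar lookup — so a comment on the query line such as `// comment_author_email is fetched only so get_avatar() can resolve the avatar; it must never be rendered` would keep a later edit from printing it into the widget. As a side note on the unchanged context, `$nickname` is built with `esc_attr()` but emitted as element text, where `esc_html()` is the matching escaper. The body of latest_comments continues past the end of this hunk.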