Data sanitization

@coenjacobs for .11
Mike Jolley 2013-05-31 18:34:44 +01:00
parent b67232b7f3
commit 3277b485b8
2 changed files with 5 additions and 5 deletions


@ -422,12 +422,12 @@ function woocommerce_tax_rates_setting_save() {
if ( is_numeric( $postcode_parts[0] ) && is_numeric( $postcode_parts[1] ) && $postcode_parts[1] > $postcode_parts[0] ) {
for ( $i = $postcode_parts[0]; $i <= $postcode_parts[1]; $i ++ ) {
if ( $i )
$postcode_query[] = "( '$i', $tax_rate_id, 'postcode' )";
$postcode_query[] = "( '" . $wpdb->escape( $i ) . "', $tax_rate_id, 'postcode' )";
}
}
} else {
if ( $postcode )
$postcode_query[] = "( '$postcode', $tax_rate_id, 'postcode' )";
$postcode_query[] = "( '" . $wpdb->escape( $postcode ) . "', $tax_rate_id, 'postcode' )";
}
$wpdb->query( "INSERT INTO {$wpdb->prefix}woocommerce_tax_rate_locations ( location_code, tax_rate_id, location_type ) VALUES " . implode( ',', $postcode_query ) );
@ -516,12 +516,12 @@ function woocommerce_tax_rates_setting_save() {
if ( is_numeric( $postcode_parts[0] ) && is_numeric( $postcode_parts[1] ) && $postcode_parts[1] > $postcode_parts[0] ) {
for ( $i = $postcode_parts[0]; $i <= $postcode_parts[1]; $i ++ ) {
if ( $i )
$postcode_query[] = "( '$i', $tax_rate_id, 'postcode' )";
$postcode_query[] = "( '" . $wpdb->escape( $i ) . "', $tax_rate_id, 'postcode' )";
}
}
} else {
if ( $postcode )
$postcode_query[] = "( '$postcode', $tax_rate_id, 'postcode' )";
$postcode_query[] = "( '" . $wpdb->escape( $postcode ) . "', $tax_rate_id, 'postcode' )";
}
$wpdb->query( "INSERT INTO {$wpdb->prefix}woocommerce_tax_rate_locations ( location_code, tax_rate_id, location_type ) VALUES " . implode( ',', $postcode_query ) );
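Review bot: The new lines in both hunks (the first at `@ -422` and the same pair at `@ -516`) still assemble the VALUES tuple by string concatenation, escaping only `$i`/`$postcode` while `$tax_rate_id` is interpolated on the same line with no escaping or integer cast; the statement would be uniformly safe if each tuple went through `$wpdb->prepare()`, e.g. `$postcode_query[] = $wpdb->prepare( "( %s, %d, 'postcode' )", $postcode, $tax_rate_id );` and likewise `$wpdb->prepare( "( %s, %d, 'postcode' )", $i, $tax_rate_id )` inside the loop. `$wpdb->escape()` is also the method WordPress deprecated in favour of `prepare()`/`esc_sql()`, so this form will start emitting deprecation notices on newer cores. The `is_numeric()` guard on `$postcode_parts` accepts forms such as leading whitespace or exponent notation and puts no upper bound on the size of the range the `for` loop expands, so a comment noting that `$i` is trusted only because of that guard, or a sanity cap on the range width, would be worth adding. The origin of `$tax_rate_id` and the whole of `woocommerce_tax_rates_setting_save()` lie outside the hunk, so whether it is already an integer cannot be confirmed from here.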


@ -1461,7 +1461,7 @@ function woocommerce_coupon_discounts() {
$first_year = $wpdb->get_var( "SELECT post_date FROM $wpdb->posts WHERE post_date != 0 AND post_type='shop_order' ORDER BY post_date ASC LIMIT 1;" );
$first_year = ( $first_year ) ? date( 'Y', strtotime( $first_year ) ) : date( 'Y' );
$current_year = isset( $_POST['show_year'] ) ? $_POST['show_year'] : date( 'Y', current_time( 'timestamp' ) );
$current_year = isset( $_POST['show_year'] ) ? absint( $_POST['show_year'] ) : date( 'Y', current_time( 'timestamp' ) );
$start_date = strtotime( $current_year . '0101' );
$order_statuses = implode( "','", apply_filters( 'woocommerce_reports_order_statuses', array( 'completed', 'processing', 'on-hold' ) ) );
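Review bot: `absint()` on the new line makes `$current_year` a non-negative integer but not a plausible year, so a value such as `0`, `7` or `123456` reaches `strtotime( $current_year . '0101' )` on the next line, where the concatenated string is no longer a YYYYMMDD date and `$start_date` may become `false` or an unrelated timestamp. A range check after the assignment would close this, e.g. `if ( $current_year < (int) $first_year || $current_year > (int) date( 'Y' ) ) $current_year = date( 'Y', current_time( 'timestamp' ) );`, keeping the fallback the line already uses. How `$start_date` is consumed is outside the hunk, and `woocommerce_coupon_discounts()` both starts and ends beyond it, so the downstream effect of a `false` here is inferred rather than visible.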