Escape properly the provided array of post codes

The callers only run wc_clean/esc_attr on the provided values; those are
sanitization/HTML-escaping helpers, not functions meant to protect against SQL injection.
This commit is contained in:
Alexander Concha 2015-05-19 10:24:14 +02:00 committed by Mike Jolley
parent 7d8db595f2
commit 3c1b14d00d
1 changed files with 1 additions and 0 deletions


@ -262,6 +262,7 @@ class WC_Tax {
private static function get_matched_tax_rates( $country, $state, $postcode, $city, $tax_class, $valid_postcodes ) { private static function get_matched_tax_rates( $country, $state, $postcode, $city, $tax_class, $valid_postcodes ) {
global $wpdb; global $wpdb;
$valid_postcodes = array_map( 'esc_sql', $valid_postcodes );
$found_rates = $wpdb->get_results( $found_rates = $wpdb->get_results(
$wpdb->prepare( " $wpdb->prepare( "
SELECT tax_rates.* SELECT tax_rates.*