Escape properly the provided array of post codes
The callers only run wc_clean/esc_attr on the provided values which are not functions meant to protect against SQL injections.
This commit is contained in:
parent
7d8db595f2
commit
3c1b14d00d
|
@ -262,6 +262,7 @@ class WC_Tax {
|
||||||
private static function get_matched_tax_rates( $country, $state, $postcode, $city, $tax_class, $valid_postcodes ) {
|
private static function get_matched_tax_rates( $country, $state, $postcode, $city, $tax_class, $valid_postcodes ) {
|
||||||
global $wpdb;
|
global $wpdb;
|
||||||
|
|
||||||
|
$valid_postcodes = array_map( 'esc_sql', $valid_postcodes );
|
||||||
$found_rates = $wpdb->get_results(
|
$found_rates = $wpdb->get_results(
|
||||||
$wpdb->prepare( "
|
$wpdb->prepare( "
|
||||||
SELECT tax_rates.*
|
SELECT tax_rates.*
|
||||||
|
|
Loading…
Reference in New Issue