Steve-Dee-Designs
/
woocommerce
mirror of https://github.com/woocommerce/woocommerce.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Escape properly the provided array of post codes 

The callers only run wc_clean/esc_attr on the provided values which are
not functions meant to protect against SQL injections.
This commit is contained in:
Alexander Concha 2015-05-19 10:24:14 +02:00 committed by Mike Jolley
parent 7d8db595f2
commit 3c1b14d00d
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
includes/class-wc-tax.php
View File

@ -262,6 +262,7 @@ class WC_Tax {
private static function get_matched_tax_rates( $country, $state, $postcode, $city, $tax_class, $valid_postcodes ) {
global $wpdb;
$valid_postcodes = array_map( 'esc_sql', $valid_postcodes );
$found_rates = $wpdb->get_results(
$wpdb->prepare( "
SELECT tax_rates.*