From 9ecb20f259e4cb9a274bf390e121093f55182315 Mon Sep 17 00:00:00 2001
From: Coen Jacobs
Date: Thu, 18 Oct 2012 15:37:04 +0200
Subject: [PATCH] [3.2.5] SQL injection #1575
---
classes/class-wc-product.php | 14 +++++++-------
templates/single-product-reviews.php | 12 ++++++------
woocommerce-ajax.php | 8 ++++----
woocommerce-functions.php | 2 +-
woocommerce.php | 2 +-
5 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/classes/class-wc-product.php b/classes/class-wc-product.php
index 144edd5fe41..05a6fc35190 100644
--- a/classes/class-wc-product.php
+++ b/classes/class-wc-product.php
@@ -1068,22 +1068,22 @@ class WC_Product { global $wpdb; - $count = $wpdb->get_var(" + $count = $wpdb->get_var( $wpdb->prepare(" SELECT COUNT(meta_value) FROM $wpdb->commentmeta LEFT JOIN $wpdb->comments ON $wpdb->commentmeta.comment_id = $wpdb->comments.comment_ID WHERE meta_key = 'rating' - AND comment_post_ID = $this->id + AND comment_post_ID = %d AND comment_approved = '1' AND meta_value > 0 - "); + "), $this->id ); - $ratings = $wpdb->get_var(" + $ratings = $wpdb->get_var( $wpdb->prepare(" SELECT SUM(meta_value) FROM $wpdb->commentmeta LEFT JOIN $wpdb->comments ON $wpdb->commentmeta.comment_id = $wpdb->comments.comment_ID WHERE meta_key = 'rating' - AND comment_post_ID = $this->id + AND comment_post_ID = %d AND comment_approved = '1' - "); + "), $this->id ); if ( $count>0 ) : $average_rating = number_format($ratings / $count, 2);
@@ -1622,7 +1622,7 @@ class WC_Product { */ function grouped_product_sync() { global $wpdb, $woocommerce; - $post_parent = $wpdb->get_var("SELECT post_parent FROM $wpdb->posts WHERE ID = $this->id;"); + $post_parent = $wpdb->get_var( $wpdb->prepare( "SELECT post_parent FROM $wpdb->posts WHERE ID = %d;"), $this->id ); if (!$post_parent) return;
diff --git a/templates/single-product-reviews.php b/templates/single-product-reviews.php
index 0470243c05d..9a98fdd7eac 100644
--- a/templates/single-product-reviews.php 
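Review bot: The closing parenthesis on the new `"), $this->id );` lines closes `$wpdb->prepare()` before the value is passed, so `%d` is never substituted and `$this->id` is instead handed to `get_var()` as its column-offset argument; the same misplacement is in the grouped_product_sync hunk below and in the single-product-reviews.php and woocommerce-ajax.php hunks. With no substitution values wpdb::prepare cannot fill the placeholder, so these lookups most likely stop returning the rating count and sum altogether rather than querying the intended product. Both rating queries should end with `", $this->id ) );`, and the grouped_product_sync line should read `$post_parent = $wpdb->get_var( $wpdb->prepare( "SELECT post_parent FROM $wpdb->posts WHERE ID = %d;", $this->id ) );`. The method containing the first hunk starts and ends outside it.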
+++ b/templates/single-product-reviews.php
@@ -17,22 +17,22 @@ if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly if ( get_option('woocommerce_enable_review_rating') == 'yes' ) { - $count = $wpdb->get_var(" + $count = $wpdb->get_var( $wpdb->prepare(" SELECT COUNT(meta_value) FROM $wpdb->commentmeta LEFT JOIN $wpdb->comments ON $wpdb->commentmeta.comment_id = $wpdb->comments.comment_ID WHERE meta_key = 'rating' - AND comment_post_ID = $post->ID + AND comment_post_ID = %d AND comment_approved = '1' AND meta_value > 0 - "); + "), $post->ID ); - $rating = $wpdb->get_var(" + $rating = $wpdb->get_var( $wpdb->prepare(" SELECT SUM(meta_value) FROM $wpdb->commentmeta LEFT JOIN $wpdb->comments ON $wpdb->commentmeta.comment_id = $wpdb->comments.comment_ID WHERE meta_key = 'rating' - AND comment_post_ID = $post->ID + AND comment_post_ID = %d AND comment_approved = '1' - "); + "), $post->ID ); if ( $count > 0 ) {
diff --git a/woocommerce-ajax.php b/woocommerce-ajax.php
index e3a6cfbc030..4cd079493ce 100644
--- a/woocommerce-ajax.php
+++ b/woocommerce-ajax.php
@@ -1323,13 +1323,13 @@ function woocommerce_product_ordering() { $nextid = isset( $_POST['nextid'] ) ? $_POST['nextid'] : false; $new_pos = array(); // store new positions for ajax - $siblings = $wpdb->get_results(" - SELECT ID, menu_order FROM {$wpdb->posts} AS posts + $siblings = $wpdb->get_results( $wpdb->prepare(" + SELECT ID, menu_order FROM %s AS posts WHERE posts.post_type = 'product' AND posts.post_status IN ( 'publish', 'pending', 'draft', 'future', 'private' ) - AND posts.ID NOT IN ( {$post->ID} ) + AND posts.ID NOT IN (%s) ORDER BY posts.menu_order ASC, posts.ID DESC - "); + "), $wpdb->posts, $post->ID ); $menu_order = 0;
diff --git a/woocommerce-functions.php b/woocommerce-functions.php
index cca04d8f289..d724c6525e2 100644
--- a/woocommerce-functions.php
+++ b/woocommerce-functions.php 
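Review bot: `FROM %s AS posts` in the woocommerce-ajax.php hunk will not work: wpdb::prepare wraps `%s` values in single quotes, so the table name becomes a string literal (e.g. `FROM 'wp_posts'` with the default prefix), which MySQL does not accept as a table reference. `$wpdb->posts` is a WordPress-configured identifier rather than request input, so it should stay interpolated as the removed line had it, and only the product id belongs in prepare, as an integer: `SELECT ID, menu_order FROM {$wpdb->posts} AS posts`, `AND posts.ID NOT IN ( %d )`, and the query should end `", $post->ID ) );` so the value reaches prepare() rather than get_results(). `$nextid` on the first context line is raw `$_POST` input whose use lies outside this hunk; it is worth confirming it gets the same `%d` treatment wherever it is compared against ids. The enclosing woocommerce_product_ordering() starts and ends outside the hunk.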
@@ -806,7 +806,7 @@ function woocommerce_download_product() { $product_id = (int) urldecode($_GET['download_file']); $order_key = urldecode( $_GET['order'] ); - $email = str_replace( ' ', '+', urldecode( $_GET['email'] ) ); + $email = sanitize_email( str_replace( ' ', '+', urldecode( $_GET['email'] ) ) ); $download_id = isset( $_GET['key'] ) ? urldecode( $_GET['key'] ) : ''; // backwards compatibility for existing download URLs $_product = new WC_Product( $product_id );
diff --git a/woocommerce.php b/woocommerce.php
index 6124fa1d10c..8d81e221dc9 100644
--- a/woocommerce.php
+++ b/woocommerce.php
@@ -1421,7 +1421,7 @@ class Woocommerce { function get_attribute_taxonomies() { global $wpdb; if ( ! $this->attribute_taxonomies ) - $this->attribute_taxonomies = $wpdb->get_results("SELECT * FROM " . $wpdb->prefix . "woocommerce_attribute_taxonomies;" ); + $this->attribute_taxonomies = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM " . $wpdb->prefix . "woocommerce_attribute_taxonomies" ) ); return apply_filters( 'woocommerce_attribute_taxonomies', $this->attribute_taxonomies ); }
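Review bot: `$order_key` and `$download_id` on the surrounding context lines are taken from `$_GET` with only `urldecode()` applied, so the new `sanitize_email()` call leaves two of the three request values in this block untreated; where they are consumed lies outside the hunk, so if they reach a query they need `$wpdb->prepare()` placeholders (or at least `sanitize_text_field()`) the same way. Note also that PHP has already decoded `$_GET`, so `urldecode()` decodes a second time — that is most likely why a literal `+` arrives as a space and has to be restored before `sanitize_email()`; dropping both `urldecode()` and the `str_replace()` would be cleaner, but only once existing download links are confirmed not to be double-encoded. The enclosing woocommerce_download_product() continues outside the hunk.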
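Review bot: Wrapping a query that has no placeholders and no values in `$wpdb->prepare()` adds nothing in the woocommerce.php hunk — the only variable part is `$wpdb->prefix`, which is configuration rather than request input, so the original string was already safe, and I believe later WordPress releases report an argument-less `prepare()` as incorrect usage. Either drop the wrapper, `$this->attribute_taxonomies = $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}woocommerce_attribute_taxonomies" );`, or reserve `prepare()` for queries that carry a `%d`/`%s` placeholder. A side effect to keep in mind is that `prepare()` treats `%` in the query as a format directive, so passing identifiers through it rather than values risks mangling them.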