Addressed PR feedback.

1: Use placeholder to be able to use wpdb->prepare for IN query. Update version number.
2021-01-18 10:29:42 +05:30 · 2021-01-18 10:29:42 +05:30 · 9f9475a18b
parent 2e4f2ef478
commit 9f9475a18b
2 changed files with 18 additions and 15 deletions
--- a/includes/class-wc-comments.php
+++ b/includes/class-wc-comments.php
@ -356,21 +356,24 @@ class WC_Comments {
 			return array();
 		}

-		$product_id_string = implode( "','", array_map( 'esc_sql', $product_ids ) );
+		$product_id_string_placeholder = substr( str_repeat( ',%s', count( $product_ids ) ), 1 );

 		$review_counts = $wpdb->get_results(
-			// phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+			// phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- Ignored for allowing interpolation in IN query.
+			$wpdb->prepare(
 				"
 					SELECT comment_post_ID as product_id, COUNT( comment_post_ID ) as review_count
 					FROM $wpdb->comments
 					WHERE
 						comment_parent = 0
-					AND comment_post_ID IN ( '$product_id_string' )
+						AND comment_post_ID IN ( $product_id_string_placeholder )
 						AND comment_approved = '1'
 						AND comment_type in ( 'review', '', 'comment' )
 					GROUP BY product_id
 				",
-			// phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared
+				$product_ids
+			),
+			// phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared.
 			ARRAY_A
 		);

--- a/includes/wc-update-functions.php
+++ b/includes/wc-update-functions.php
@ -2278,7 +2278,7 @@ function wc_update_500_fix_product_review_count() {
 }

 /**
- * Update DB version to 4.5.0.
+ * Update DB version to 5.0.0.
 */
 function wc_update_500_db_version() {
 	WC_Install::update_db_version( '5.0.0' );