[wp-trac] [WordPress Trac] #7953: get_post_meta return incorrect data under certain circumstances

WordPress Trac wp-trac at lists.automattic.com
Thu Oct 23 22:44:31 GMT 2008 

#7953: get_post_meta return incorrect data under certain circumstances
-------------------------+--------------------------------------------------
 Reporter:  markedwards  |       Owner:  anonymous               
     Type:  defect       |      Status:  new                     
 Priority:  normal       |   Milestone:  2.8                     
Component:  General      |     Version:                          
 Severity:  normal       |    Keywords:  post meta, get_post_meta
-------------------------+--------------------------------------------------
 If a post has a record in the postmeta table with a blank/empty meta_key
 name and get_post_meta is called using a blank meta_key or one that does
 not exist then get_post_meta might return the meta_value for a previously
 existing table record that has a blank meta_key name.

 Example where this might happen: Developer A writes a plugin that
 mistakenly inserts post meta data without a key name (e.g. meta_key is
 blank). Developer B writes a plugin that mistakenly tries to get post meta
 data using a meta_key name that does not exist (whether accidentally, or
 intentionally to determine if a key exists). Under those circumstances
 Developer B's call to get_post_meta will return the meta_value having a
 blank meta_key name, as previously written to the database by Developer A.

 To test this scenario inject a record for a given post ID into the table
 without a meta_key name (e.g. empty meta_key name) but WITH a meta value.
 Then called get_post_meta on the associated post ID using any  meta_key
 name known not to be associated with the post ID. The return result will
 be the value associated with the record having the empty meta_key name.

 The solution is to make sure that the functions get_post_meta,
 add_post_meta, delete_post_meta, and update_post_meta (in wp-
 includes/post.php) all check for a blank key name before taking any action
 and if the key is blank return accordingly per the function: return false
 for add_post_meta, delete_post_meta, and update_post_meta; and return
 empty for get_post_meta).

-- 
Ticket URL: <http://trac.wordpress.org/ticket/7953>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list