[wp-trac] [WordPress Trac] #27466: WordPress 3.9 issue - database connection lost on mysql_real_escape_string() / AJAX?
WordPress Trac
noreply at wordpress.org
Thu Mar 20 18:31:41 UTC 2014
#27466: WordPress 3.9 issue - database connection lost on
mysql_real_escape_string() / AJAX?
--------------------------+-----------------------------
Reporter: harmr | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Query | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
My plugin "Leaflet Maps Marker" adds a button to the TinyMCE editor which
opens a popup (the current version still uses wpdialog, which is why
retesting is more difficult, as wpdialog has been deprecated) and allows
the user to start an AJAX search for markers.
Here is part of the code that is used to load the search window when the
user clicks on the TinyMCE button:
{{{
info.html('<iframe width=\'450\' height=\'407\' scrolling=\'no\' src=\'" .
$admin_url . "admin-ajax.php?action=get_mm_list&mode=html\' />')
}}}
Here is the code for the function get_mm_list that executes the sql query:
{{{
function get_mm_list()
{
    global $wpdb;
    $table_name_markers = $wpdb->prefix.'leafletmapsmarker_markers';
    $table_name_layers = $wpdb->prefix.'leafletmapsmarker_layers';
    // lines 57/58 in tinymce-plugin.php: the two calls that emit the warnings below
    $l_condition = isset($_GET['q']) ? "AND l.name LIKE '%" . mysql_real_escape_string($_GET['q']) . "%'" : '';
    $m_condition = isset($_GET['q']) ? "AND m.markername LIKE '%" . mysql_real_escape_string($_GET['q']) . "%'" : '';
    $marklist = $wpdb->get_results("
        (SELECT l.id, 'icon-layer.png' as 'icon', l.name as 'name',
        l.updatedon, l.updatedby, 'layer' as 'type' FROM $table_name_layers as l
        WHERE l.id != '0' $l_condition)
        UNION
        (SELECT m.id, m.icon as 'icon', m.markername as 'name',
        m.updatedon, m.updatedby, 'marker' as 'type' FROM $table_name_markers as m
        WHERE m.id != '0' $m_condition)
        order by updatedon DESC LIMIT 50", ARRAY_A);
    // with a search term: output only the result list and stop;
    // without one: fall through and render the full search window below
    if (isset($_GET['q'])) {
        buildMarkersList($marklist);
        exit();
    }
?>
<!DOCTYPE html>
<html><!--result output starting here-->
....
}}}
Since WordPress 3.9 the AJAX search is broken - if you start typing into
the search field (which fires get_mm_list), the following error is
displayed:
'''
Warning: mysql_real_escape_string(): Access denied for user 'xxx'@'localhost' (using password: NO) in /wp-content/plugins/leaflet-maps-marker/inc/tinymce-plugin.php on line 57
Warning: mysql_real_escape_string(): A link to the server could not be established in /wp-content/plugins/leaflet-maps-marker/inc/tinymce-plugin.php on line 57
Warning: mysql_real_escape_string(): Access denied for user 'xxx'@'localhost' (using password: NO) in /wp-content/plugins/leaflet-maps-marker/inc/tinymce-plugin.php on line 58
Warning: mysql_real_escape_string(): A link to the server could not be established in /wp-content/plugins/leaflet-maps-marker/inc/tinymce-plugin.php on line 58
'''
When I remove the mysql_real_escape_string() function
{{{
$l_condition = isset($_GET['q']) ? "AND l.name LIKE '%" . $_GET['q'] . "%'" : '';
$m_condition = isset($_GET['q']) ? "AND m.markername LIKE '%" . $_GET['q'] . "%'" : '';
}}}
results are displayed as usual. Anyway, I am not sure if I can go without
mysql_real_escape_string() as I need the user input to be sanitized.
Is there a change with mysql_real_escape_string() I am not aware of or
could this be a bug?
Thanks for any help!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27466>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
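For reference, an added example (not the reporter's plugin code and not a WordPress patch) of how the two LIKE conditions from the ticket can be built without any dependency on the legacy mysql extension. $wpdb->prepare() escapes the value through the database link WordPress itself holds, so it keeps working whichever driver core uses, and $wpdb->esc_like() (introduced in WordPress 4.0; like_escape() is the pre-4.0 equivalent) escapes the LIKE wildcards % and _, which mysql_real_escape_string() never did. It assumes a loaded WordPress environment; the function name lmm_search_query is hypothetical, and the table names and query shape are taken from the snippet in the ticket.

```php
<?php
// Added example: rebuilding the search query from the ticket without
// mysql_real_escape_string(). Assumes it runs inside a WordPress request
// so $wpdb and wp_unslash() exist; the function name is hypothetical.
function lmm_search_query( $wpdb, $q ) {
    $table_name_markers = $wpdb->prefix . 'leafletmapsmarker_markers';
    $table_name_layers  = $wpdb->prefix . 'leafletmapsmarker_layers';

    $l_condition = '';
    $m_condition = '';
    if ( $q !== null ) {
        // WordPress adds slashes to $_GET; strip them before escaping.
        // esc_like() makes a user-supplied '%' or '_' match literally
        // instead of acting as a wildcard (the ticket's code did not do this).
        $like = '%' . $wpdb->esc_like( wp_unslash( $q ) ) . '%';
        // prepare() quotes and escapes %s via WordPress's own connection,
        // so no separate mysql_* link is needed. The value is passed as an
        // argument, never concatenated into the SQL string.
        $l_condition = $wpdb->prepare( 'AND l.name LIKE %s', $like );
        $m_condition = $wpdb->prepare( 'AND m.markername LIKE %s', $like );
    }

    // Table names come from $wpdb->prefix, not from the request, so they can
    // be interpolated directly; the only user-controlled part is $like above.
    return "(SELECT l.id, 'icon-layer.png' AS icon, l.name AS name,
                    l.updatedon, l.updatedby, 'layer' AS type
             FROM $table_name_layers AS l WHERE l.id != '0' $l_condition)
            UNION
            (SELECT m.id, m.icon AS icon, m.markername AS name,
                    m.updatedon, m.updatedby, 'marker' AS type
             FROM $table_name_markers AS m WHERE m.id != '0' $m_condition)
            ORDER BY updatedon DESC LIMIT 50";
}

// Usage inside the AJAX handler, replacing the get_results() call in the ticket:
// global $wpdb;
// $q        = isset( $_GET['q'] ) ? $_GET['q'] : null;
// $marklist = $wpdb->get_results( lmm_search_query( $wpdb, $q ), ARRAY_A );
```

Dropping the escaping altogether, as in the second snippet of the ticket, makes results appear again only because the warnings stop; the search term would then be spliced into the SQL unescaped. Routing it through prepare() keeps the sanitisation the reporter needs while removing the dependence on a mysql_* connection that WordPress no longer opens. Only esc_like() is 4.0-specific; prepare() and wp_unslash() are available in 3.9.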
More information about the wp-trac
mailing list