From 6ba8661a1f8178855c041a5ae4e3ab72db38936d Mon Sep 17 00:00:00 2001
From: azaozz <azaozz@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Fri, 10 Oct 2008 09:40:30 +0000
Subject: [PATCH] Fix escaping of post meta, props DD32, fixes #7768

git-svn-id: http://svn.automattic.com/wordpress/trunk@9116 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/post.php | 11 ++++-------
 wp-includes/post.php       |  2 ++
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php
index 54a47c2e5c..a41a85ed78 100644
--- a/wp-admin/includes/post.php
+++ b/wp-admin/includes/post.php
@@ -499,10 +499,9 @@ function add_meta( $post_ID ) {
 
 	$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
 
-	$metakeyselect = $wpdb->escape( stripslashes( trim( $_POST['metakeyselect'] ) ) );
-	$metakeyinput = $wpdb->escape( stripslashes( trim( $_POST['metakeyinput'] ) ) );
-	$metavalue = maybe_serialize( stripslashes( (trim( $_POST['metavalue'] ) ) ));
-	$metavalue = $wpdb->escape( $metavalue );
+	$metakeyselect = stripslashes( trim( $_POST['metakeyselect'] ) );
+	$metakeyinput = stripslashes( trim( $_POST['metakeyinput'] ) );
+	$metavalue = maybe_serialize( stripslashes( trim( $_POST['metavalue'] ) ) );
 
 	if ( ('0' === $metavalue || !empty ( $metavalue ) ) && ((('#NONE#' != $metakeyselect) && !empty ( $metakeyselect) ) || !empty ( $metakeyinput) ) ) {
 		// We have a key/value pair. If both the select and the
@@ -519,9 +518,7 @@ function add_meta( $post_ID ) {
 
 		wp_cache_delete($post_ID, 'post_meta');
 
-		$wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta
-			(post_id,meta_key,meta_value ) VALUES (%s, %s, %s)",
-			$post_ID, $metakey, $metavalue) );
+		$wpdb->query( $wpdb->prepare("INSERT INTO $wpdb->postmeta (post_id,meta_key,meta_value ) VALUES (%s, %s, %s)", $post_ID, $metakey, $metavalue) );
 		return $wpdb->insert_id;
 	}
 	return false;
diff --git a/wp-includes/post.php b/wp-includes/post.php
index ab8a89df2b..fc328279ac 100644
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -519,6 +519,7 @@ function add_post_meta($post_id, $meta_key, $meta_value, $unique = false) {
 
 	// expected_slashed ($meta_key)
 	$meta_key = stripslashes($meta_key);
+	$meta_value = stripslashes($meta_value);
 
 	if ( $unique && $wpdb->get_var( $wpdb->prepare( "SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $meta_key, $post_id ) ) )
 		return false;
@@ -631,6 +632,7 @@ function update_post_meta($post_id, $meta_key, $meta_value, $prev_value = '') {
 
 	// expected_slashed ($meta_key)
 	$meta_key = stripslashes($meta_key);
+	$meta_value = stripslashes($meta_value);
 
 	if ( ! $wpdb->get_var( $wpdb->prepare( "SELECT meta_key FROM $wpdb->postmeta WHERE meta_key = %s AND post_id = %d", $meta_key, $post_id ) ) ) {
 		return add_post_meta($post_id, $meta_key, $meta_value);