Description: IDs are Integers
 Remove source of SQL Injection CVE-2015-2213
Author: ocean90@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/33555
Applied-Upstream: changeset 33555
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2015-08-05
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/wp-includes/post.php
+++ b/wp-includes/post.php
@@ -2456,10 +2456,11 @@
 
 	foreach ( $group_by_status as $status => $comments ) {
 		// Sanity check. This shouldn't happen.
-		if ( 'post-trashed' == $status )
+		if ( 'post-trashed' == $status ) {
 			$status = '0';
-		$comments_in = implode( "', '", $comments );
-		$wpdb->query( "UPDATE $wpdb->comments SET comment_approved = '$status' WHERE comment_ID IN ('" . $comments_in . "')" );
+		}
+		$comments_in = implode( ', ', array_map( 'intval', $comments ) );
+		$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->comments SET comment_approved = %s WHERE comment_ID IN ($comments_in)", $status ) );
 	}
 
 	clean_comment_cache( array_keys($statuses) );
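Review bot: The new `implode( ', ', array_map( 'intval', $comments ) )` produces an empty `$comments_in` if `$comments` is ever an empty array, and the resulting `comment_ID IN ()` is a MySQL syntax error rather than the harmless no-match the old `IN ('')` gave; if the grouping that builds `$group_by_status` guarantees at least one ID per status this is moot, otherwise a `if ( empty( $comments ) ) { continue; }` before the implode keeps the query well-formed. Casting each ID with `intval` and binding `$status` through `$wpdb->prepare` correctly closes the injection path, since neither value is interpolated unescaped any more. The `'post-trashed' == $status` sanity check above still relies on loose comparison, and because numeric-string array keys become ints, a status of `0` also enters that branch on pre-8 PHP — harmless here since it reassigns `'0'`, but `===` would make the intent explicit. The enclosing function starts and ends outside the hunk.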
