Problem after v.2.3.4 update [mdf_results_by_ajax ... ]
The support doesn't work on Saturdays and Sundays, so some Friday requests can be answered on Monday. If you have problems with registration, please ask for help on the contact us page. If you have not got an email within 24~36 business hours, first check your spam box, and if there is no email from the support there, come back to the forum and read the answer here. DO NOT ANSWER EMAILS [noreply@pluginus.net] FROM THE FORUM!! Emails are just for your info, all answers should be published only here.
Quote from Zetema on June 17, 2026, 15:10
The results page with shortcode [mdf_results_by_ajax ..] no longer displays any items, no errors, the filters in the widget count the items, but on the results page you can see the pagination buttons but no content.
How can I fix this?
thk
Quote from Ross on June 17, 2026, 22:09
Hello
We checked the plugin code carefully comparing the current version with the previous one. Here is what was changed and our conclusion.
File classes/shortcodes.php, line 835:
Old code:
get_template_part('mdf_templates/' . $template . '/index');
New code:
get_template_part('mdf_templates/' . basename($template) . '/index');
This was a security fix to prevent path traversal. The basename() call strips any directory path from the template name, leaving only the last segment.
File ext/helper.php, SQL query building functions (mdf_post_title_filter, mdf_post_content_filter, mdf_post_title_or_content_filter, mdf_post_title_and_content_filter):
Old code used raw string interpolation like:
$words[$key] = " post_title LIKE '%{$word}%' ";
New code uses proper WordPress prepared statements:
$words[$key] = $wpdb->prepare(" post_title LIKE %s ", '%' . $wpdb->esc_like($word) . '%');
This was a security fix for SQL injection. No functional change for normal use cases.
Our conclusion: neither of these changes should affect the display of results via [mdf_results_by_ajax]. The rest of the code between versions is identical in logic, only formatting/indentation differs.
Our best guess for your issue: if you are using a custom template for results (for example, the template= parameter in your shortcode, or the search_result_tpl setting pointing to a path like mdf_templates/some/subfolder/index), the basename() change may now be stripping the subfolder part and the template can no longer be found, resulting in empty output.
Could you check your shortcode and widget settings and tell us what value you have for the template or search_result_tpl parameter?
Please place the actual purchase code of the plugin into the private area of this ticket (if the version is premium):
https://share.pluginus.net/image/i20230222134241.png
https://share.pluginus.net/image/i20230222134615.png
https://share.pluginus.net/image/i20230222134511.png
Quote from Zetema on June 18, 2026, 09:43
Hi,
first of all, thanks for your reply.
I entered the license code as requested.
On my site, I use this shortcode:
[mdf_results_by_ajax shortcode="mdf_custom template=any/scuole_Rox24 post_type=schedadidattica orderby=date order=desc page=0 per_page=12 pagination=tb meta_data_filter_cat=86" animate=0 animate_target=body]
While on my template page, I use these variables:
<?php if (!defined('ABSPATH')) die('No direct access allowed'); ?>
<?php
wp_enqueue_style('scuole_ROX', get_template_directory_uri() . '/mdf_templates/any/scuole_ROX/css/bootstrap.min.css');
wp_enqueue_style('scuole_ROX', get_template_directory_uri() . '/mdf_templates/any/scuole_ROX/css/styles.css');
global $mdf_loop;
MDTF_SORT_PANEL::mdtf_catalog_ordering();
?>
What should I do to make this update work?
You can now view the site online with version 2.3.0.1. https://scuole.museiincomuneroma.it/per-la-tua-classe/risultati-2/?slg=schedadidattica&mdf_cat=86&page_mdf=a669e7f9541bcb62fbfb0c9071b607b7
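What basename() does to a sub-folder template value such as the template=any/scuole_Rox24 from the shortcode in this thread, next to one way to keep sub-folders while still rejecting path traversal. This is an added example, not code from the plugin or from either poster; mdf_safe_template_slug() is a hypothetical helper and the sample inputs are constructed.

```php
<?php
// Added example (not plugin code). mdf_safe_template_slug() is a hypothetical helper.

/**
 * Return a template slug that may contain sub-folders but cannot leave
 * the mdf_templates/ directory, or null when the value is not acceptable.
 */
function mdf_safe_template_slug(string $template): ?string
{
    // Normalise Windows separators, then check every path segment on its own.
    $segments = explode('/', str_replace('\\', '/', $template));
    foreach ($segments as $segment) {
        // Allow-list: letters, digits, '_' and '-' only. This rejects empty
        // segments (leading or doubled '/'), '.', '..' and stream prefixes.
        if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $segment)) {
            return null;
        }
    }
    return implode('/', $segments);
}

// Constructed inputs: the shortcode value from this thread, a flat template
// name, and three values that try to leave the templates directory.
$samples = [
    'any/scuole_Rox24',
    'default',
    '../../other-dir/tpl',
    'any/../../tpl',
    '/absolute/tpl',
];

foreach ($samples as $template) {
    // Slug built by the updated call quoted above: basename() keeps only the last segment.
    $with_basename = 'mdf_templates/' . basename($template) . '/index';

    // Slug built with the sub-folder-preserving allow-list.
    $safe = mdf_safe_template_slug($template);
    $with_allowlist = $safe === null ? '(rejected)' : 'mdf_templates/' . $safe . '/index';

    printf("%-22s basename: %-32s allow-list: %s\n", $template, $with_basename, $with_allowlist);
}
```

For the first input, the basename() column shows mdf_templates/scuole_Rox24/index while the allow-list column keeps mdf_templates/any/scuole_Rox24/index.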
