Ticket #4933: 4933.patch

bp-core/bp-core-classes.php

@@ -318 +318 @@
                 // To avoid global joins, do a separate query
                 // @todo remove need for bp_is_active() check
                 if ( false !== $search_terms && bp_is_active( 'xprofile' ) ) {
-                        $found_user_ids = $wpdb->get_col( $wpdb->prepare( "SELECT user_id FROM {$bp->profile->table_name_data} WHERE value LIKE %s", '%%' . like_escape( $search_terms ) . '%%' ) );
+                        $search_terms_clean = mysql_real_escape_string( mysql_real_escape_string( $search_terms ) );
+                        $search_terms_clean = like_escape( $search_terms_clean );
+                        $found_user_ids_query = "SELECT user_id FROM {$bp->profile->table_name_data} WHERE value LIKE '%" . $search_terms_clean . "%'";
+                        $found_user_ids = $wpdb->get_col( $found_user_ids_query );
 
                         if ( ! empty( $found_user_ids ) ) {
                                 $sql['where'][] = "u.{$this->uid_name} IN (" . implode( ',', wp_parse_id_list( $found_user_ids ) ) . ")";

new file tests/testcases/core/classes.php

@@ +1 @@
+<?php
+/**
+ * @group core
+ */
+class BP_Tests_Core_Classes extends BP_UnitTestCase {
+        protected $old_current_user = 0;
+
+        public function setUp() {
+                parent::setUp();
+        }
+
+        public function tearDown() {
+                parent::tearDown();
+        }
+
+        /**
+         * Mark a user as active
+         *
+         * Users only show up in directories if marked as active in the database
+         */
+        public function create_active_user() {
+                $user_id = $this->factory->user->create( array( 'role' => 'subscriber' ) );
+                bp_update_user_meta( $user_id, 'last_activity', bp_core_current_time() );
+                return $user_id;
+        }
+
+        public function test_bp_user_query_search_with_apostrophe() {
+                // Apostrophe. Search_terms must escaped to mimic POST payload
+                $user_id = $this->create_active_user();
+                xprofile_set_field_data( 1, $user_id, "Foo'Bar" );
+                $q = new BP_User_Query( array( 'search_terms' => "oo\'Ba", ) );
+
+                $found_user_id = null;
+                if ( ! empty( $q->results ) ) {
+                        $found_user = array_pop( $q->results );
+                        $found_user_id = $found_user->ID;
+                }
+
+                $this->assertEquals( $user_id, $found_user_id );
+        }
+
+        public function test_bp_user_query_search_with_percent_sign() {
+
+                // LIKE special character: %
+                $user_id = $this->create_active_user();
+                xprofile_set_field_data( 1, $user_id, "Foo%Bar" );
+                $q = new BP_User_Query( array( 'search_terms' => "oo%Bar", ) );
+
+                $found_user_id = null;
+                if ( ! empty( $q->results ) ) {
+                        $found_user = array_pop( $q->results );
+                        $found_user_id = $found_user->ID;
+                }
+
+                $this->assertEquals( $user_id, $found_user_id );
+
+        }
+
+        public function test_bp_user_query_search_with_underscore() {
+
+                // LIKE special character: _
+                $user_id = $this->create_active_user();
+                xprofile_set_field_data( 1, $user_id, "Foo_Bar" );
+                $q = new BP_User_Query( array( 'search_terms' => "oo_Bar", ) );
+
+                $found_user_id = null;
+                if ( ! empty( $q->results ) ) {
+                        $found_user = array_pop( $q->results );
+                        $found_user_id = $found_user->ID;
+                }
+
+                $this->assertEquals( $user_id, $found_user_id );
+
+        }
+}
+