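diff --git a/bp-activity/bp-activity-classes.php b/bp-activity/bp-activity-classes.php
index aedea6b..0ffc7a9 100644
--- a/bp-activity/bp-activity-classes.php
+++ b/bp-activity/bp-activity-classes.php
@@ -172,8 +172,7 @@ class BP_Activity_Activity {
 
 // Searching
 if ( $search_terms ) {
-$search_terms = $wpdb->escape( $search_terms );
-$where_conditions['search_sql'] = "a.content LIKE '%%" . like_escape( $search_terms ) . "%%'";
+$where_conditions['search_sql'] = "a.content LIKE '%%" . esc_sql( like_escape( $search_terms ) ) . "%%'";
 }
 
 // Filtering
@@ -190,13 +189,13 @@ class BP_Activity_Activity {
 
 // Exclude specified items
 if ( !empty( $exclude ) ) {
-$exclude = implode( ',', wp_parse_id_list( $exclude ) );
+$exclude = esc_sql( implode( ',', wp_parse_id_list( $exclude ) ) );
 $where_conditions['exclude'] = "a.id NOT IN ({$exclude})";
 }
 
 // The specific ids to which you want to limit the query
 if ( !empty( $in ) ) {
-$in = implode( ',', wp_parse_id_list( $in ) );
+$in = esc_sql( implode( ',', wp_parse_id_list( $in ) ) );
 $where_conditions['in'] = "a.id IN ({$in})";
 }
 
@@ -259,7 +258,7 @@ class BP_Activity_Activity {
 $activity_user_ids[] = $activity->user_id;
 }
 
-$activity_user_ids = implode( ',', array_unique( (array) $activity_user_ids ) );
+$activity_user_ids = esc_sql( implode( ',', array_unique( (array) $activity_user_ids ) ) );
 if ( !empty( $activity_user_ids ) ) {
 if ( $names = $wpdb->get_results( "SELECT user_id, value AS user_fullname FROM {$bp->profile->table_name_data} WHERE field_id = 1 AND user_id IN ({$activity_user_ids})" ) ) {
 foreach ( (array) $names as $name )
@@ -373,10 +372,10 @@ class BP_Activity_Activity {
 $where_args[] = $wpdb->prepare( "type = %s", $type );
 
 if ( !empty( $item_id ) )
-$where_args[] = $wpdb->prepare( "item_id = %s", $item_id );
+$where_args[] = $wpdb->prepare( "item_id = %d", $item_id );
 
 if ( !empty( $secondary_item_id ) )
-$where_args[] = $wpdb->prepare( "secondary_item_id = %s", $secondary_item_id );
+$where_args[] = $wpdb->prepare( "secondary_item_id = %d", $secondary_item_id );
 
 if ( !empty( $action ) )
 $where_args[] = $wpdb->prepare( "action = %s", $action );
@@ -438,10 +437,10 @@ class BP_Activity_Activity {
 $where_args[] = $wpdb->prepare( "primary_link = %s", $primary_link );
 
 if ( !empty( $item_id ) )
-$where_args[] = $wpdb->prepare( "item_id = %s", $item_id );
+$where_args[] = $wpdb->prepare( "item_id = %d", $item_id );
 
 if ( !empty( $secondary_item_id ) )
-$where_args[] = $wpdb->prepare( "secondary_item_id = %s", $secondary_item_id );
+$where_args[] = $wpdb->prepare( "secondary_item_id = %d", $secondary_item_id );
 
 if ( !empty( $date_recorded ) )
 $where_args[] = $wpdb->prepare( "date_recorded = %s", $date_recorded );
@@ -473,22 +472,14 @@ class BP_Activity_Activity {
 function delete_activity_item_comments( $activity_ids ) {
 global $bp, $wpdb;
 
-if ( is_array( $activity_ids ) )
-$activity_ids = implode ( ',', array_map( 'absint', $activity_ids ) );
-else
-$activity_ids = implode ( ',', array_map( 'absint', explode ( ',', $activity_ids ) ) );
-
+$activity_ids = esc_sql( implode( ',', wp_parse_id_list( $activity_ids ) ) );
 return $wpdb->query( "DELETE FROM {$bp->activity->table_name} WHERE type = 'activity_comment' AND item_id IN ({$activity_ids})" );
 }
 
 function delete_activity_meta_entries( $activity_ids ) {
 global $bp, $wpdb;
 
-if ( is_array( $activity_ids ) )
-$activity_ids = implode ( ',', array_map( 'absint', $activity_ids ) );
-else
-$activity_ids = implode ( ',', array_map( 'absint', explode ( ',', $activity_ids ) ) );
-
+$activity_ids = esc_sql( implode( ',', wp_parse_id_list( $activity_ids ) ) );
 return $wpdb->query( "DELETE FROM {$bp->activity->table_name_meta} WHERE activity_id IN ({$activity_ids})" );
 }
 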
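Review bot: The new `$activity_ids = esc_sql( implode( ',', wp_parse_id_list( $activity_ids ) ) );` line in delete_activity_item_comments, and the identical line in delete_activity_meta_entries, still let an empty array input reach the DELETE as `IN ()`, which MySQL rejects as a syntax error, so the call fails and, as far as I can tell, $wpdb->query reports false without anything being removed. Since wp_parse_id_list already reduces the input to unique absint values, the esc_sql wrapper is defence in depth only; what is missing is a guard on the parsed list before the string is built. I would split the line into `$activity_ids = wp_parse_id_list( $activity_ids );`, `if ( empty( $activity_ids ) ) return false;`, `$activity_ids = esc_sql( implode( ',', $activity_ids ) );` in both methods. The hunk at old line 262 would benefit from the same treatment, because the new esc_sql call there wraps raw `$activity->user_id` values that, unlike every other id list in this commit, are never cast to int via wp_parse_id_list.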