Ticket #4989: 4989.core.1.patch

bp-core/bp-core-cache.php

@@ -92 +92 @@
                 $object_column = $object_type . '_id';
         }
 
-        if ( !is_array( $object_ids ) ) {
-                $object_ids = preg_replace( '|[^0-9,]|', '', $object_ids );
-                $object_ids = explode( ',', $object_ids );
-        }
-
-        $object_ids = array_map( 'intval', $object_ids );
-
+        $object_ids = wp_parse_id_list( $object_ids );
         $cache = array();
 
         // Get meta info
-        $id_list   = join( ',', $object_ids );
+        $id_list   = esc_sql( join( ',', $object_ids ) );
         $meta_list = $wpdb->get_results( $wpdb->prepare( "SELECT {$object_column}, meta_key, meta_value FROM {$meta_table} WHERE {$object_column} IN ($id_list)", $object_type ), ARRAY_A );
 
         if ( !empty( $meta_list ) ) {

bp-core/bp-core-classes.php

@@ -298 +298 @@
                 // 'user_id' - When a user id is passed, limit to the friends of the user
                 // @todo remove need for bp_is_active() check
                 if ( ! empty( $user_id ) && bp_is_active( 'friends' ) ) {
-                        $friend_ids = friends_get_friend_user_ids( $user_id );
+                        $friend_ids = wp_parse_id_list( friends_get_friend_user_ids( $user_id ) );
                         $friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
 
                         if ( ! empty( $friend_ids ) ) {
@@ -323 +323 @@
                         $found_user_ids = $wpdb->get_col( $found_user_ids_query );
 
                         if ( ! empty( $found_user_ids ) ) {
-                                $sql['where'][] = "u.{$this->uid_name} IN (" . implode( ',', wp_parse_id_list( $found_user_ids ) ) . ")";
+                                $sql['where'][] = "u.{$this->uid_name} IN (" . esc_sql( implode( ',', wp_parse_id_list( $found_user_ids ) ) ) . ")";
                         } else {
                                 $sql['where'][] = $this->no_results['where'];
                         }
@@ -341 +341 @@
                         $found_user_ids = $wpdb->get_col( $meta_sql );
 
                         if ( ! empty( $found_user_ids ) ) {
-                                $sql['where'][] = "u.{$this->uid_name} IN (" . implode( ',', wp_parse_id_list( $found_user_ids ) ) . ")";
+                                $found_user_ids = esc_sql( implode( ',', wp_parse_id_list( $found_user_ids ) ) );
+                                $sql['where'][] = "u.{$this->uid_name} IN ({$found_user_ids})";
                         }
                 }
 
@@ -458 +459 @@
                 }
 
                 // Turn user ID's into a query-usable, comma separated value
-                $user_ids_sql = implode( ',', wp_parse_id_list( $this->user_ids ) );
+                $user_ids_sql = esc_sql( implode( ',', wp_parse_id_list( $this->user_ids ) ) );
 
                 /**
                  * Use this action to independently populate your own custom extras.
@@ -805 +806 @@
                 }
 
                 if ( !empty( $exclude ) ) {
+                        $exclude = esc_sql( implode( ',', wp_parse_id_list( $exclude ) ) );
                         $sql['where_exclude'] = "AND u.ID NOT IN ({$exclude})";
                 }
 
@@ -814 +816 @@
                         $sql['where_users'] = "AND 0 = 1";
                 } else {
                         if ( !empty( $include ) ) {
-                                if ( is_array( $include ) ) {
-                                        $uids = $wpdb->escape( implode( ',', (array) $include ) );
-                                } else {
-                                        $uids = $wpdb->escape( $include );
-                                }
+                                $uids = esc_sql( implode( ',', wp_parse_id_list( $include ) ) );;
 
                                 if ( !empty( $uids ) ) {
                                         $sql['where_users'] = "AND u.ID IN ({$uids})";
                                 }
                         } elseif ( !empty( $user_id ) && bp_is_active( 'friends' ) ) {
                                 $friend_ids = friends_get_friend_user_ids( $user_id );
-                                $friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
+                                $friend_ids = $wpdb->escape( implode( ',', wp_parse_id_list( $friend_ids ) ) );
 
                                 if ( !empty( $friend_ids ) ) {
                                         $sql['where_friends'] = "AND u.ID IN ({$friend_ids})";
@@ -910 +908 @@
                         $user_ids = array();
 
                         foreach ( (array) $paged_users as $user ) {
-                                $user_ids[] = $user->id;
+                                $user_ids[] = (int) $user->id;
                         }
 
-                        $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
+                        $user_ids = $wpdb->escape( join( ',', $user_ids ) );
 
                         // Add additional data to the returned results
                         $paged_users = BP_Core_User::get_user_extras( $paged_users, $user_ids, $type );
@@ -981 +979 @@
                  */
                 $user_ids = array();
                 foreach ( (array) $paged_users as $user )
-                        $user_ids[] = $user->id;
+                        $user_ids[] = (int) $user->id;
 
-                $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
+                $user_ids = $wpdb->escape( join( ',', $user_ids ) );
 
                 // Add additional data to the returned results
                 if ( $populate_extras ) {
@@ -1013 +1011 @@
 
                 $status_sql = bp_core_get_status_sql();
 
+                $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
                 $total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) " );
                 $paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) {$pag_sql}" );
 
@@ -1097 +1096 @@
                 if ( empty( $user_ids ) )
                         return $paged_users;
 
+                $user_ids = esc_sql( implode( ',', wp_parse_id_list( $user_ids ) ) );
+
                 // Fetch the user's full name
                 if ( bp_is_active( 'xprofile' ) && 'alphabetical' != $type ) {
                         $names = $wpdb->get_results( $wpdb->prepare( "SELECT pd.user_id as id, pd.value as fullname FROM {$bp->profile->table_name_fields} pf, {$bp->profile->table_name_data} pd WHERE pf.id = pd.field_id AND pf.name = %s AND pd.user_id IN ( {$user_ids} )", bp_xprofile_fullname_field_name() ) );

bp-core/bp-core-filters.php

@@ -130 +130 @@
         if ( empty( $user_ids ) )
                 return $comments;
 
-        $user_ids = implode( ',', $user_ids );
+        $user_ids = esc_sql( implode( ',', wp_parse_id_list( $user_ids ) ) );
 
         if ( !$userdata = $wpdb->get_results( "SELECT ID as user_id, user_login, user_nicename FROM {$wpdb->users} WHERE ID IN ({$user_ids})" ) )
                 return $comments;

bp-core/bp-core-functions.php

@@ -141 +141 @@
                 // Always get page data from the root blog, except on multiblog mode, when it comes
                 // from the current blog
                 $posts_table_name = bp_is_multiblog_mode() ? $wpdb->posts : $wpdb->get_blog_prefix( bp_get_root_blog_id() ) . 'posts';
-                $page_ids_sql     = implode( ',', (array) $page_ids );
+                $page_ids_sql     = esc_sql( implode( ',', wp_parse_id_list( $page_ids ) ) );
                 $page_names       = $wpdb->get_results( "SELECT ID, post_name, post_parent, post_title FROM {$posts_table_name} WHERE ID IN ({$page_ids_sql}) AND post_status = 'publish' " );
 
                 foreach ( (array) $page_ids as $component_id => $page_id ) {