Ticket #4992: 4992.patch

bp-core/bp-core-classes.php

@@ -803 +803 @@
                 }
 
                 if ( !empty( $exclude ) ) {
+                        $exclude              = wp_parse_id_list( $exclude );
+                        $exclude              = $wpdb->escape( implode( ',', $exclude ) );
                         $sql['where_exclude'] = "AND u.ID NOT IN ({$exclude})";
                 }
 
@@ -812 +814 @@
                         $sql['where_users'] = "AND 0 = 1";
                 } else {
                         if ( !empty( $include ) ) {
-                                if ( is_array( $include ) ) {
-                                        $uids = $wpdb->escape( implode( ',', (array) $include ) );
-                                } else {
-                                        $uids = $wpdb->escape( $include );
-                                }
-
-                                if ( !empty( $uids ) ) {
-                                        $sql['where_users'] = "AND u.ID IN ({$uids})";
-                                }
+                                $include = wp_parse_id_list( $include );
+                                $include = esc_sql( implode( ',',  $include ) );
+                                $sql['where_users'] = "AND u.ID IN ({$include})";
                         } elseif ( !empty( $user_id ) && bp_is_active( 'friends' ) ) {
                                 $friend_ids = friends_get_friend_user_ids( $user_id );
-                                $friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
 
                                 if ( !empty( $friend_ids ) ) {
+                                        $friend_ids = esc_sql( implode( ',', wp_parse_id_list( $friend_ids ) ) );
                                         $sql['where_friends'] = "AND u.ID IN ({$friend_ids})";
 
                                 // User has no friends, return false since there will be no users to fetch.
@@ -911 +907 @@
                                 $user_ids[] = $user->id;
                         }
 
-                        $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
-
                         // Add additional data to the returned results
                         $paged_users = BP_Core_User::get_user_extras( $paged_users, $user_ids, $type );
                 }
@@ -981 +975 @@
                 foreach ( (array) $paged_users as $user )
                         $user_ids[] = $user->id;
 
-                $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
-
                 // Add additional data to the returned results
                 if ( $populate_extras ) {
                         $paged_users = BP_Core_User::get_user_extras( $paged_users, $user_ids );
@@ -1009 +1001 @@
                 if ( $limit && $page )
                         $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
 
+                $user_ids   = implode( ',', wp_parse_id_list( $user_ids ) );
                 $status_sql = bp_core_get_status_sql();
 
-                $total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) " );
-                $paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) {$pag_sql}" );
+                $total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ({$user_ids})" );
+                $paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ({$user_ids}) {$pag_sql}" );
 
                 $total_users = $wpdb->get_var( $total_users_sql );
                 $paged_users = $wpdb->get_results( $paged_users_sql );
@@ -1067 +1060 @@
                 foreach ( (array) $paged_users as $user )
                         $user_ids[] = $user->id;
 
-                $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
-
                 // Add additional data to the returned results
                 if ( $populate_extras )
                         $paged_users = BP_Core_User::get_user_extras( $paged_users, $user_ids );
@@ -1095 +1086 @@
                 if ( empty( $user_ids ) )
                         return $paged_users;
 
+                // Sanitize user ID's
+                $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
+
                 // Fetch the user's full name
                 if ( bp_is_active( 'xprofile' ) && 'alphabetical' != $type ) {
                         $names = $wpdb->get_results( $wpdb->prepare( "SELECT pd.user_id as id, pd.value as fullname FROM {$bp->profile->table_name_fields} pf, {$bp->profile->table_name_data} pd WHERE pf.id = pd.field_id AND pf.name = %s AND pd.user_id IN ( {$user_ids} )", bp_xprofile_fullname_field_name() ) );