Ticket #4993: 4993.patch
File 4993.patch, 2.1 KB (added by , 12 years ago) |
bp-friends/bp-friends-classes.php
144 144 if ( empty( $user_id ) ) 145 145 $user_id = bp_loggedin_user_id(); 146 146 147 $filter = like_escape( $wpdb->escape( $filter ) );147 $filter = esc_sql( like_escape( $filter ) ); 148 148 149 149 if ( !empty( $limit ) && !empty( $page ) ) 150 150 $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ); … … 153 153 return false; 154 154 155 155 // Get all the user ids for the current user's friends. 156 $fids = implode( ',', $friend_ids);156 $fids = esc_sql( implode( ',', wp_parse_id_list( $friend_ids ) ) ); 157 157 158 158 if ( empty( $fids ) ) 159 159 return false; … … 198 198 function get_bulk_last_active( $user_ids ) { 199 199 global $wpdb; 200 200 201 $user_ids = implode( ',', wp_parse_id_list( $user_ids ) ); 202 201 203 return $wpdb->get_results( $wpdb->prepare( "SELECT meta_value as last_activity, user_id FROM {$wpdb->usermeta} WHERE meta_key = %s AND user_id IN ( {$user_ids} ) ORDER BY meta_value DESC", bp_get_user_meta_key( 'last_activity' ) ) ); 202 204 } 203 205 … … 222 224 function search_users( $filter, $user_id, $limit = null, $page = null ) { 223 225 global $wpdb, $bp; 224 226 225 $filter = like_escape( $wpdb->escape( $filter ) );227 $filter = esc_sql( like_escape( $filter ) ); 226 228 227 229 $usermeta_table = $wpdb->base_prefix . 'usermeta'; 228 230 $users_table = $wpdb->base_prefix . 'users'; … … 248 250 function search_users_count( $filter ) { 249 251 global $wpdb, $bp; 250 252 251 $filter = like_escape( $wpdb->escape( $filter ) );253 $filter = esc_sql( like_escape( $filter ) ); 252 254 253 255 $usermeta_table = $wpdb->prefix . 'usermeta'; 254 256 $users_table = $wpdb->base_prefix . 
'users'; … … 274 276 if ( !bp_is_active( 'xprofile' ) ) 275 277 return false; 276 278 279 $user_ids = implode( ',', wp_parse_id_list( $user_ids ) ); 280 277 281 return $wpdb->get_results( $wpdb->prepare( "SELECT user_id FROM {$bp->profile->table_name_data} pd, {$bp->profile->table_name_fields} pf WHERE pf.id = pd.field_id AND pf.name = %s AND pd.user_id IN ( {$user_ids} ) ORDER BY pd.value ASC", bp_xprofile_fullname_field_name() ) ); 278 282 } 279 283
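Review bot: The two `IN ( {$user_ids} )` queries still break on an empty list, in `get_bulk_last_active()` (new lines 201–203) and in the xprofile lookup (new lines 279–281). When the caller passes no IDs, `wp_parse_id_list()` returns an empty array, `$user_ids` becomes an empty string, and the query reads `IN (  )`, which is a SQL syntax error rather than an empty result. The friends query at new line 156 is already followed by `if ( empty( $fids ) ) return false;`, and the same guard, `if ( empty( $user_ids ) ) return false;`, belongs right after each new `implode()` line. A comment such as `// wp_parse_id_list() casts every ID to an integer, so the list is safe to interpolate into prepare()` would also record why the list is not passed as a placeholder. The xprofile function starts above its hunk, so an earlier guard may exist outside the visible lines.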