Ticket #4995: 4995.patch

File 4995.patch, 2.3 KB (added by johnjamesjacoby, 11 years ago)
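--- a/bp-activity-classes.php
+++ b/bp-activity-classes.php
@@ -169,8 +169,8 @@
 
 		// Searching
 		if ( $search_terms ) {
-			$search_terms = $wpdb->escape( $search_terms );
-			$where_conditions['search_sql'] = "a.content LIKE '%%" . like_escape( $search_terms ) . "%%'";
+			$search_terms = esc_sql( like_escape( $search_terms ) );
+			$where_conditions['search_sql'] = "a.content LIKE '%%{$search_terms}%%'";
 		}
 
 		// Filtering
@@ -245,7 +245,7 @@
 					$activity_user_ids[] = $activity->user_id;
 			}
 
-			$activity_user_ids = implode( ',', array_unique( (array) $activity_user_ids ) );
+			$activity_user_ids = implode( ',', wp_parse_id_list( $activity_user_ids ) );
 			if ( !empty( $activity_user_ids ) ) {
 				if ( $names = $wpdb->get_results( "SELECT user_id, value AS user_fullname FROM {$bp->profile->table_name_data} WHERE field_id = 1 AND user_id IN ({$activity_user_ids})" ) ) {
 					foreach ( (array) $names as $name )
@@ -419,10 +419,7 @@
 	function delete_activity_item_comments( $activity_ids ) {
 		global $bp, $wpdb;
 
-		if ( is_array( $activity_ids ) )
-			$activity_ids = implode ( ',', array_map( 'absint', $activity_ids ) );
-		else
-			$activity_ids = implode ( ',', array_map( 'absint', explode ( ',', $activity_ids ) ) );
+		$activity_ids = esc_sql( implode( ',', wp_parse_id_list( $activity_ids ) ) );
 
 		return $wpdb->query( "DELETE FROM {$bp->activity->table_name} WHERE type = 'activity_comment' AND item_id IN ({$activity_ids})" );
 	}
@@ -430,10 +427,7 @@
 	function delete_activity_meta_entries( $activity_ids ) {
 		global $bp, $wpdb;
 
-		if ( is_array( $activity_ids ) )
-			$activity_ids = implode ( ',', array_map( 'absint', $activity_ids ) );
-		else
-			$activity_ids = implode ( ',', array_map( 'absint', explode ( ',', $activity_ids ) ) );
+		$activity_ids = esc_sql( implode( ',', wp_parse_id_list( $activity_ids ) ) );
 
 		return $wpdb->query( "DELETE FROM {$bp->activity->table_name_meta} WHERE activity_id IN ({$activity_ids})" );
 	}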
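Review bot: The new line 422 in delete_activity_item_comments still lets an empty id list reach the DELETE: when the input holds no numeric ids, `wp_parse_id_list()` yields an empty array, `implode()` gives `''`, and the statement runs as `item_id IN ()`, a MySQL syntax error that makes `$wpdb->query()` return false and log an error instead of quietly deleting nothing. A guard before the query, `if ( empty( $activity_ids ) ) return false;`, would mirror the `!empty()` check the hunk at line 249 already relies on for the user-id list; delete_activity_meta_entries at line 430 has the same gap. The `esc_sql()` wrapper on both lines is harmless but redundant, since wp_parse_id_list already reduces every element to an integer. In the search hunk, the doubled `%%` are literal because the fragment never passes through `$wpdb->prepare()`; `$wpdb->prepare( 'a.content LIKE %s', '%' . like_escape( $search_terms ) . '%' )` would build the same predicate through a single escaping path.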
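--- a/bp-activity-template.php
+++ b/bp-activity-template.php
@@ -368,6 +368,7 @@
 	$r = wp_parse_args( $args, $defaults );
 	extract( $r );
 
+	// Sanitized in BP_Activity_Activity::get()
 	if ( empty( $search_terms ) && ! empty( $_REQUEST['s'] ) )
 		$search_terms = $_REQUEST['s'];
 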
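Review bot: The comment added at line 371 overstates what happens downstream: `$_REQUEST['s']` is assigned raw here, and what BP_Activity_Activity::get() applies in the companion hunk is SQL escaping for the LIKE clause (`like_escape`/`esc_sql`), not general sanitisation, so the value remains unsafe for any other sink it may reach (HTML output, redirects). Rewording it as `// Raw request value; SQL-escaped by BP_Activity_Activity::get() — escape separately before any other use` stops the next reader from treating `$search_terms` as already clean. The enclosing function starts and ends outside the hunk, so whether `$search_terms` is used anywhere else in it is not visible here.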