
Ticket #5701: 5701.patch

File 5701.patch, 42.1 KB (added by boonebgorges, 10 years ago)
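--- a/src/bp-activity/bp-activity-classes.php
+++ b/src/bp-activity/bp-activity-classes.php
@@ -337,8 +337,8 @@ class BP_Activity_Activity {
 
 		// Searching
 		if ( $search_terms ) {
-			$search_terms = esc_sql( $search_terms );
-			$where_conditions['search_sql'] = "a.content LIKE '%%" . esc_sql( like_escape( $search_terms ) ) . "%%'";
+			$search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
+			$where_conditions['search_sql'] = $wpdb->prepare( 'a.content LIKE %s', $search_terms_like );
 		}
 
 		// Filtering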
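--- a/src/bp-blogs/bp-blogs-classes.php
+++ b/src/bp-blogs/bp-blogs-classes.php
@@ -156,9 +156,10 @@ class BP_Blogs_Blog {
 		}
 
 		if ( !empty( $search_terms ) ) {
-			$filter = esc_sql( like_escape( $search_terms ) );
-			$paged_blogs = $wpdb->get_results( "SELECT b.blog_id, b.user_id as admin_user_id, u.user_email as admin_user_email, wb.domain, wb.path, bm.meta_value as last_activity, bm2.meta_value as name FROM {$bp->blogs->table_name} b, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2, {$wpdb->base_prefix}blogs wb, {$wpdb->users} u WHERE b.blog_id = wb.blog_id AND b.user_id = u.ID AND b.blog_id = bm.blog_id AND b.blog_id = bm2.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'last_activity' AND bm2.meta_key = 'name' AND bm2.meta_value LIKE '%%$filter%%' {$user_sql} {$include_sql} GROUP BY b.blog_id {$order_sql} {$pag_sql}" );
-			$total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT b.blog_id) FROM {$bp->blogs->table_name} b, {$wpdb->base_prefix}blogs wb, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2 WHERE b.blog_id = wb.blog_id AND bm.blog_id = b.blog_id AND bm2.blog_id = b.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'name' AND bm2.meta_key = 'description' AND ( bm.meta_value LIKE '%%$filter%%' || bm2.meta_value LIKE '%%$filter%%' ) {$user_sql} {$include_sql}" );
+			$search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
+			$search_terms_sql  = $wpdb->prepare( 'bm2.meta_value LIKE %s', $search_terms_like );
+			$paged_blogs = $wpdb->get_results( "SELECT b.blog_id, b.user_id as admin_user_id, u.user_email as admin_user_email, wb.domain, wb.path, bm.meta_value as last_activity, bm2.meta_value as name FROM {$bp->blogs->table_name} b, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2, {$wpdb->base_prefix}blogs wb, {$wpdb->users} u WHERE b.blog_id = wb.blog_id AND b.user_id = u.ID AND b.blog_id = bm.blog_id AND b.blog_id = bm2.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'last_activity' AND bm2.meta_key = 'name' AND {$search_terms_sql} {$user_sql} {$include_sql} GROUP BY b.blog_id {$order_sql} {$pag_sql}" );
+			$total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT b.blog_id) FROM {$bp->blogs->table_name} b, {$wpdb->base_prefix}blogs wb, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2 WHERE b.blog_id = wb.blog_id AND bm.blog_id = b.blog_id AND bm2.blog_id = b.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'name' AND bm2.meta_key = 'description' AND {$search_terms_sql} {$user_sql} {$include_sql}" );
 		} else {
 			$paged_blogs = $wpdb->get_results( "SELECT b.blog_id, b.user_id as admin_user_id, u.user_email as admin_user_email, wb.domain, wb.path, bm.meta_value as last_activity, bm2.meta_value as name FROM {$bp->blogs->table_name} b, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2, {$wpdb->base_prefix}blogs wb, {$wpdb->users} u WHERE b.blog_id = wb.blog_id AND b.user_id = u.ID AND b.blog_id = bm.blog_id AND b.blog_id = bm2.blog_id {$user_sql} AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'last_activity' AND bm2.meta_key = 'name' {$include_sql} GROUP BY b.blog_id {$order_sql} {$pag_sql}" );
 			$total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT b.blog_id) FROM {$bp->blogs->table_name} b, {$wpdb->base_prefix}blogs wb WHERE b.blog_id = wb.blog_id {$user_sql} AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$include_sql} {$hidden_sql}" );
@@ -342,7 +343,8 @@ class BP_Blogs_Blog {
 	public static function search_blogs( $filter, $limit = null, $page = null ) {
 		global $wpdb, $bp;
 
-		$filter = esc_sql( like_escape( $filter ) );
+		$search_terms_like = '%' . bp_esc_like( $filter ) . '%';
+		$search_terms_sql  = $wpdb->prepare( 'bm.meta_value LIKE %s', $search_terms_like );
 
 		$hidden_sql = '';
 		if ( !bp_current_user_can( 'bp_moderate' ) )
@@ -353,8 +355,8 @@ class BP_Blogs_Blog {
 			$pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
 		}
 
-		$paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND bm.meta_value LIKE '%%$filter%%' ) {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC{$pag_sql}" );
-		$total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND bm.meta_value LIKE '%%$filter%%' ) {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC" );
+		$paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND {$search_terms_sql} ) {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC{$pag_sql}" );
+		$total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND {$search_terms_sql} ) {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC" );
 
 		return array( 'blogs' => $paged_blogs, 'total' => $total_blogs );
 	}
@@ -403,7 +405,8 @@ class BP_Blogs_Blog {
 	public static function get_by_letter( $letter, $limit = null, $page = null ) {
 		global $bp, $wpdb;
 
-		$letter = esc_sql( like_escape( $letter ) );
+		$letter_like = '%' . bp_esc_like( $letter ) . '%';
+		$letter_sql  = $wpdb->prepare( 'bm.meta_value LIKE %s', $letter_like );
 
 		$hidden_sql = '';
 		if ( !bp_current_user_can( 'bp_moderate' ) )
@@ -413,8 +416,8 @@ class BP_Blogs_Blog {
 		if ( $limit && $page )
 			$pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
 
-		$paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND bm.meta_value LIKE '$letter%%' {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC{$pag_sql}" );
-		$total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND bm.meta_value LIKE '$letter%%' {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC" );
+		$paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND {$letter_sql} {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC{$pag_sql}" );
+		$total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND {$letter_sql} {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC" );
 
 		return array( 'blogs' => $paged_blogs, 'total' => $total_blogs );
 	}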
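Review bot: get_by_letter's new line 408 adds a leading wildcard, `'%' . bp_esc_like( $letter ) . '%'`, where the removed lines 416-417 matched `LIKE '$letter%%'` — a prefix — so a by-letter listing now returns every blog whose name contains the letter anywhere rather than those starting with it; the by-letter sites in bp-core-classes.php (new 1088) and bp-groups-classes.php (new 1167) in this same patch keep the prefix form, so this one should read `$letter_like = bp_esc_like( $letter ) . '%';`. Separately, the count query on new line 162 reuses `$search_terms_sql` (`bm2.meta_value LIKE %s`) although in that query `bm` is joined on `name` and `bm2` on `description`, so `$total_blogs` counts description matches while `$paged_blogs` (new line 161, `bm2.meta_key = 'name'`) returns name matches, and pagination totals can disagree with the rows shown. The removed line 161 matched `bm.meta_value LIKE … || bm2.meta_value LIKE …`; a second prepared clause such as `$wpdb->prepare( '( bm.meta_value LIKE %s OR bm2.meta_value LIKE %s )', $search_terms_like, $search_terms_like )` used in the COUNT query restores that. Both enclosing methods extend beyond their hunks.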
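--- a/src/bp-core/bp-core-classes.php
+++ b/src/bp-core/bp-core-classes.php
@@ -364,8 +364,8 @@ class BP_User_Query {
 		// 'search_terms' searches user_login and user_nicename
 		// xprofile field matches happen in bp_xprofile_bp_user_query_search()
 		if ( false !== $search_terms ) {
-			$search_terms_clean = esc_sql( esc_sql( $search_terms ) );
-			$sql['where']['search'] = "u.{$this->uid_name} IN ( SELECT ID FROM {$wpdb->users} WHERE ( user_login LIKE '%{$search_terms_clean}%' OR user_nicename LIKE '%{$search_terms_clean}%' ) )";
+			$search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
+			$sql['where']['search'] = $wpdb->prepare( "u.{$this->uid_name} IN ( SELECT ID FROM {$wpdb->users} WHERE ( user_login LIKE %s OR user_nicename LIKE %s ) )", $search_terms_like, $search_terms_like );
 		}
 
 		// 'meta_key', 'meta_value' allow usermeta search
@@ -967,8 +967,8 @@ class BP_Core_User {
 		}
 
 		if ( !empty( $search_terms ) && bp_is_active( 'xprofile' ) ) {
-			$search_terms             = esc_sql( like_escape( $search_terms ) );
-			$sql['where_searchterms'] = "AND spd.value LIKE '%%$search_terms%%'";
+			$search_terms_like        = '%' . bp_esc_like( $search_terms ) . '%';
+			$sql['where_searchterms'] = $wpdb->prepare( "AND spd.value LIKE %s", $search_terms_like );
 		}
 
 		if ( !empty( $meta_key ) ) {
@@ -1085,8 +1085,8 @@ class BP_Core_User {
 			}
 		}
 
-		$letter     = esc_sql( like_escape( $letter ) );
-		$status_sql = bp_core_get_status_sql( 'u.' );
+		$letter_like = bp_esc_like( $letter ) . '%';
+		$status_sql  = bp_core_get_status_sql( 'u.' );
 
 		if ( !empty( $exclude ) ) {
 			$exclude     = implode( ',', wp_parse_id_list( $r['exclude'] ) );
@@ -1095,8 +1095,8 @@ class BP_Core_User {
 			$exclude_sql = '';
 		}
 
-		$total_users_sql = apply_filters( 'bp_core_users_by_letter_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%'  ORDER BY pd.value ASC", bp_xprofile_fullname_field_name() ) );
-		$paged_users_sql = apply_filters( 'bp_core_users_by_letter_sql',       $wpdb->prepare( "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%' ORDER BY pd.value ASC{$pag_sql}", bp_xprofile_fullname_field_name() ) );
+		$total_users_sql = apply_filters( 'bp_core_users_by_letter_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE %s ORDER BY pd.value ASC", bp_xprofile_fullname_field_name(), $letter_like ) );
+		$paged_users_sql = apply_filters( 'bp_core_users_by_letter_sql',       $wpdb->prepare( "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE %s ORDER BY pd.value ASC{$pag_sql}", bp_xprofile_fullname_field_name(), $letter_like ) );
 
 		$total_users = $wpdb->get_var( $total_users_sql );
 		$paged_users = $wpdb->get_results( $paged_users_sql );
@@ -1184,11 +1184,11 @@ class BP_Core_User {
 		$user_ids = array();
 		$pag_sql  = $limit && $page ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * intval( $limit ) ), intval( $limit ) ) : '';
 
-		$search_terms = esc_sql( like_escape( $search_terms ) );
-		$status_sql   = bp_core_get_status_sql( 'u.' );
+		$search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
+		$status_sql        = bp_core_get_status_sql( 'u.' );
 
-		$total_users_sql = apply_filters( 'bp_core_search_users_count_sql', "SELECT COUNT(DISTINCT u.ID) as id FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE '%%{$search_terms}%%' ORDER BY pd.value ASC", $search_terms );
-		$paged_users_sql = apply_filters( 'bp_core_search_users_sql',       "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE '%%{$search_terms}%%' ORDER BY pd.value ASC{$pag_sql}", $search_terms, $pag_sql );
+		$total_users_sql = apply_filters( 'bp_core_search_users_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) as id FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE %s ORDER BY pd.value ASC", $search_terms_like ), $search_terms );
+		$paged_users_sql = apply_filters( 'bp_core_search_users_sql',       $wpdb->prepare( "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE %s ORDER BY pd.value ASC{$pag_sql}", $search_terms_like ), $search_terms, $pag_sql );
 
 		$total_users = $wpdb->get_var( $total_users_sql );
 		$paged_users = $wpdb->get_results( $paged_users_sql );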
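Review bot: On new lines 1190-1191 the `$search_terms` handed to the `bp_core_search_users_count_sql` and `bp_core_search_users_sql` filters is now the raw search string, whereas the removed line 1187 had reassigned it through `esc_sql( like_escape() )` before the filters saw it, so callbacks that rebuild the query from that argument (presumably why it is passed) would now interpolate unescaped user input. Consider also passing the prepared form, e.g. `apply_filters( 'bp_core_search_users_count_sql', $wpdb->prepare( /* … */ ), $search_terms, $search_terms_like )` and likewise for the paged filter, and noting in the filter docblock that the second argument is unescaped and must go through `$wpdb->prepare()`. The enclosing method continues outside the hunk.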
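--- a/src/bp-core/bp-core-functions.php
+++ b/src/bp-core/bp-core-functions.php
@@ -265,6 +265,32 @@ function bp_esc_sql_order( $order = '' ) {
 }
 
 /**
+ * Escape special characters in a SQL LIKE clause.
+ *
+ * In WordPress 4.0, like_escape() was deprecated, due to incorrect
+ * documentation and improper sanitization leading to a history of misuse. To
+ * maintain compatibility with versions of WP before 4.0, we duplicate the
+ * logic of the replacement, wpdb::esc_like().
+ *
+ * @since BuddyPress (2.1.0)
+ *
+ * @see wpdb::esc_like() for more details on proper use.
+ *
+ * @param string $text The raw text to be escaped.
+ * @return string Text in the form of a LIKE phrase. Not SQL safe. Run through
+ *         wpdb::prepare() before use.
+ */
+function bp_esc_like( $text ) {
+	global $wpdb;
+
+	if ( method_exists( $wpdb, 'esc_like' ) ) {
+		return $wpdb->esc_like( $text );
+	} else {
+		return addcslashes( $text, '_%\\' );
+	}
+}
+
+/**
  * Are we running username compatibility mode?
  *
  * @since BuddyPress (1.5.0)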
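--- a/src/bp-friends/bp-friends-classes.php
+++ b/src/bp-friends/bp-friends-classes.php
@@ -290,7 +290,9 @@ class BP_Friends_Friendship {
 		if ( empty( $user_id ) )
 			$user_id = bp_loggedin_user_id();
 
-		$filter = esc_sql( like_escape( $filter ) );
+		// Only search for matching strings at the beginning of the
+		// name (@todo - figure out why this restriction)
+		$search_terms_like = bp_esc_like( $filter ) . '%';
 
 		$pag_sql = '';
 		if ( !empty( $limit ) && !empty( $page ) )
@@ -307,11 +309,11 @@ class BP_Friends_Friendship {
 
 		// filter the user_ids based on the search criteria.
 		if ( bp_is_active( 'xprofile' ) ) {
-			$sql       = "SELECT DISTINCT user_id FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE '{$filter}%%' {$pag_sql}";
-			$total_sql = "SELECT COUNT(DISTINCT user_id) FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE '{$filter}%%'";
+			$sql       = $wpdb->prepare( "SELECT DISTINCT user_id FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE %s {$pag_sql}", $search_terms_like );
+			$total_sql = $wpdb->prepare( "SELECT COUNT(DISTINCT user_id) FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE %s", $search_terms_like );
 		} else {
-			$sql       = "SELECT DISTINCT user_id FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE '{$filter}%%' {$pag_sql}";
-			$total_sql = "SELECT COUNT(DISTINCT user_id) FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE '{$filter}%%'";
+			$sql       = $wpdb->prepare( "SELECT DISTINCT user_id FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE %s' {$pag_sql}", $search_terms_like );
+			$total_sql = $wpdb->prepare( "SELECT COUNT(DISTINCT user_id) FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE %s", $search_terms_like );
 		}
 
 		$filtered_friend_ids = $wpdb->get_col( $sql );
@@ -443,7 +445,9 @@ class BP_Friends_Friendship {
 	public static function search_users( $filter, $user_id, $limit = null, $page = null ) {
 		global $wpdb, $bp;
 
-		$filter = esc_sql( like_escape( $filter ) );
+		// Only search for matching strings at the beginning of the
+		// name (@todo - figure out why this restriction)
+		$search_terms_like = bp_esc_like( $filter ) . '%';
 
 		$usermeta_table = $wpdb->base_prefix . 'usermeta';
 		$users_table    = $wpdb->base_prefix . 'users';
@@ -454,9 +458,9 @@ class BP_Friends_Friendship {
 
 		// filter the user_ids based on the search criteria.
 		if ( bp_is_active( 'xprofile' ) ) {
-			$sql = "SELECT DISTINCT d.user_id as id FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE '{$filter}%%' ORDER BY d.value DESC {$pag_sql}";
+			$sql = $wpdb->prepare( "SELECT DISTINCT d.user_id as id FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE %s ORDER BY d.value DESC {$pag_sql}", $search_terms_like );
 		} else {
-			$sql = "SELECT DISTINCT user_id as id FROM {$usermeta_table} WHERE meta_value LIKE '{$filter}%%' ORDER BY d.value DESC {$pag_sql}";
+			$sql = $wpdb->prepare( "SELECT DISTINCT user_id as id FROM {$usermeta_table} WHERE meta_value LIKE %s ORDER BY d.value DESC {$pag_sql}", $search_terms_like );
 		}
 
 		$filtered_fids = $wpdb->get_col($sql);
@@ -478,16 +482,18 @@ class BP_Friends_Friendship {
 	public static function search_users_count( $filter ) {
 		global $wpdb, $bp;
 
-		$filter = esc_sql( like_escape( $filter ) );
+		// Only search for matching strings at the beginning of the
+		// name (@todo - figure out why this restriction)
+		$search_terms_like = bp_esc_like( $filter ) . '%';
 
 		$usermeta_table = $wpdb->prefix . 'usermeta';
 		$users_table    = $wpdb->base_prefix . 'users';
 
 		// filter the user_ids based on the search criteria.
 		if ( bp_is_active( 'xprofile' ) ) {
-			$sql = "SELECT COUNT(DISTINCT d.user_id) FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE '{$filter}%%'";
+			$sql = $wpdb->prepare( "SELECT COUNT(DISTINCT d.user_id) FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE %s", $search_terms_like );
 		} else {
-			$sql = "SELECT COUNT(DISTINCT user_id) FROM {$usermeta_table} WHERE meta_value LIKE '{$filter}%%'";
+			$sql = $wpdb->prepare( "SELECT COUNT(DISTINCT user_id) FROM {$usermeta_table} WHERE meta_value LIKE %s", $search_terms_like );
 		}
 
 		$user_count = $wpdb->get_col($sql);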
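Review bot: New line 315 in the non-xprofile branch has a stray quote after the placeholder, `meta_value LIKE %s' {$pag_sql}`, so once prepare() substitutes the value the statement reads `LIKE 'foo%'' LIMIT …`, a syntax error that would make this branch of the friend filter return no rows. It should match line 316: `... AND meta_key = 'nickname' AND meta_value LIKE %s {$pag_sql}", $search_terms_like );`. Carried over rather than introduced, new line 463 in search_users still has the non-xprofile query `ORDER BY d.value` although no `d` alias exists in that statement. Both enclosing methods continue outside their hunks.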
  • src/bp-groups/bp-groups-classes.php

    diff --git src/bp-groups/bp-groups-classes.php src/bp-groups/bp-groups-classes.php
    index 3b98ff5..bc6ce37 100644
    class BP_Groups_Group { 
    445445                if ( empty( $user_id ) )
    446446                        $user_id = bp_displayed_user_id();
    447447
    448                 $filter = esc_sql( like_escape( $filter ) );
     448                $search_terms_like = bp_esc_like( $filter ) . '%';
    449449
    450450                $pag_sql = $order_sql = $hidden_sql = '';
    451451
    class BP_Groups_Group { 
    460460
    461461                $gids = esc_sql( implode( ',', wp_parse_id_list( $gids['groups'] ) ) );
    462462
    463                 $paged_groups = $wpdb->get_results( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE '{$filter}%%' OR description LIKE '{$filter}%%' ) AND id IN ({$gids}) {$pag_sql}" );
    464                 $total_groups = $wpdb->get_var( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE '{$filter}%%' OR description LIKE '{$filter}%%' ) AND id IN ({$gids})" );
     463                $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) AND id IN ({$gids}) {$pag_sql}", $search_terms_like, $search_terms_like ) );
     464                $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) AND id IN ({$gids})", $search_terms_like, $search_terms_like ) );
    465465
    466466                return array( 'groups' => $paged_groups, 'total' => $total_groups );
    467467        }
    class BP_Groups_Group { 
    486486        public static function search_groups( $filter, $limit = null, $page = null, $sort_by = false, $order = false ) {
    487487                global $wpdb, $bp;
    488488
    489                 $filter = esc_sql( like_escape( $filter ) );
     489                $search_terms_like = '%' . bp_esc_like( $filter ) . '%';
    490490
    491491                $pag_sql = $order_sql = $hidden_sql = '';
    492492
    class BP_Groups_Group { 
    502502                if ( !bp_current_user_can( 'bp_moderate' ) )
    503503                        $hidden_sql = "AND status != 'hidden'";
    504504
    505                 $paged_groups = $wpdb->get_results( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE '%%{$filter}%%' OR description LIKE '%%{$filter}%%' ) {$hidden_sql} {$order_sql} {$pag_sql}" );
    506                 $total_groups = $wpdb->get_var( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE '%%{$filter}%%' OR description LIKE '%%{$filter}%%' ) {$hidden_sql}" );
     505                $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) {$hidden_sql} {$order_sql} {$pag_sql}", $search_terms_like, $search_terms_like ) );
     506                $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) {$hidden_sql}", $search_terms_like, $search_terms_like ) );
    507507
    508508                return array( 'groups' => $paged_groups, 'total' => $total_groups );
    509509        }
    class BP_Groups_Group { 
    702702                }
    703703
    704704                if ( ! empty( $r['search_terms'] ) ) {
    705                         $search_terms = esc_sql( like_escape( $r['search_terms'] ) );
    706                         $sql['search'] = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
     705                        $search_terms_like = '%' . bp_esc_like( $r['search_terms'] ) . '%';
     706                        $sql['search'] = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    707707                }
    708708
    709709                $meta_query_sql = self::get_meta_query_sql( $r['meta_query'] );
    class BP_Groups_Group { 
    784784                }
    785785
    786786                if ( ! empty( $sql['search'] ) ) {
    787                         $total_sql['where'][] = "( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
     787                        $total_sql['where'][] = $wpdb->prepare( "( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    788788                }
    789789
    790790                if ( ! empty( $r['user_id'] ) ) {
    class BP_Groups_Group { 
    10291029                        $hidden_sql = " AND g.status != 'hidden'";
    10301030
    10311031                if ( !empty( $search_terms ) ) {
    1032                         $search_terms = esc_sql( like_escape( $search_terms ) );
    1033                         $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
     1032                        $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     1033                        $search_sql        = $wpdb->prepare( ' AND ( g.name LIKE %s OR g.description LIKE %s ) ', $search_terms_like, $search_terms_like );
    10341034                }
    10351035
    10361036                if ( !empty( $exclude ) ) {
    class BP_Groups_Group { 
    10931093                        $hidden_sql = " AND g.status != 'hidden'";
    10941094
    10951095                if ( !empty( $search_terms ) ) {
    1096                         $search_terms = esc_sql( like_escape( $search_terms ) );
    1097                         $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
     1096                        $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     1097                        $search_sql        = $wpdb->prepare( ' AND ( g.name LIKE %s OR g.description LIKE %s ) ', $search_terms_like, $search_terms_like );
    10981098                }
    10991099
    11001100                if ( !empty( $exclude ) ) {
    class BP_Groups_Group { 
    11641164                if ( !bp_current_user_can( 'bp_moderate' ) )
    11651165                        $hidden_sql = " AND status != 'hidden'";
    11661166
    1167                 $letter = esc_sql( like_escape( $letter ) );
     1167                $letter_like = bp_esc_like( $letter ) . '%';
    11681168
    11691169                if ( !empty( $limit ) && !empty( $page ) ) {
    11701170                        $pag_sql      = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
    11711171                }
    11721172
    1173                 $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE '{$letter}%%' {$hidden_sql} {$exclude_sql}" );
     1173                $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE %s {$hidden_sql} {$exclude_sql}", $letter_like ) );
    11741174
    1175                 $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE '{$letter}%%' {$hidden_sql} {$exclude_sql} ORDER BY g.name ASC {$pag_sql}" );
     1175                $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE %s {$hidden_sql} {$exclude_sql} ORDER BY g.name ASC {$pag_sql}", $letter_like ) );
    11761176
    11771177                if ( !empty( $populate_extras ) ) {
    11781178                        foreach ( (array) $paged_groups as $group ) {
    class BP_Groups_Group { 
    12201220                        $hidden_sql = "AND g.status != 'hidden'";
    12211221
    12221222                if ( !empty( $search_terms ) ) {
    1223                         $search_terms = esc_sql( like_escape( $search_terms ) );
    1224                         $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
     1223                        $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     1224                        $search_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    12251225                }
    12261226
    12271227                if ( !empty( $exclude ) ) {
    class BP_Groups_Group { 
    14371437                $sql['where']  = "WHERE gm.meta_key = 'forum_id' {$status_sql} AND t.topic_status = '0' AND t.topic_sticky != '2'";
    14381438
    14391439                if ( !empty( $search_terms ) ) {
    1440                         $st = esc_sql( like_escape( $search_terms ) );
    1441                         $sql['where'] .= " AND (  t.topic_title LIKE '%{$st}%' )";
     1440                        $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     1441                        $sql['where'] .= $wpdb->prepare( " AND ( t.topic_title LIKE %s )", $search_terms_like );
    14421442                }
    14431443
    14441444                return $wpdb->get_var( implode( ' ', $sql ) );
    class BP_Groups_Member { 
    22612261        public static function get_recently_joined( $user_id, $limit = false, $page = false, $filter = false ) {
    22622262                global $wpdb, $bp;
    22632263
    2264                 $pag_sql = $hidden_sql = $filter_sql = '';
     2264                $user_id_sql = $pag_sql = $hidden_sql = $filter_sql = '';
     2265
     2266                $user_id_sql = $wpdb->prepare( 'm.user_id = %d', $user_id );
    22652267
    22662268                if ( !empty( $limit ) && !empty( $page ) )
    22672269                        $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
    22682270
    22692271                if ( !empty( $filter ) ) {
    2270                         $filter     = esc_sql( like_escape( $filter ) );
    2271                         $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
     2272                        $search_terms_like = '%' . bp_esc_like( $filter ) . '%';
     2273                        $filter_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    22722274                }
    22732275
    22742276                if ( $user_id != bp_loggedin_user_id() )
    22752277                        $hidden_sql = " AND g.status != 'hidden'";
    22762278
    2277                 $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY m.date_modified DESC {$pag_sql}", $user_id ) );
    2278                 $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_banned = 0 AND m.is_confirmed = 1 ORDER BY m.date_modified DESC", $user_id ) );
     2279                $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY m.date_modified DESC {$pag_sql}" );
     2280                $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_banned = 0 AND m.is_confirmed = 1 ORDER BY m.date_modified DESC" );
    22792281
    22802282                return array( 'groups' => $paged_groups, 'total' => $total_groups );
    22812283        }
    class BP_Groups_Member { 
    22982300        public static function get_is_admin_of( $user_id, $limit = false, $page = false, $filter = false ) {
    22992301                global $wpdb, $bp;
    23002302
    2301                 $pag_sql = $hidden_sql = $filter_sql = '';
     2303                $user_id_sql = $pag_sql = $hidden_sql = $filter_sql = '';
     2304
     2305                $user_id_sql = $wpdb->prepare( 'm.user_id = %d', $user_id );
    23022306
    23032307                if ( !empty( $limit ) && !empty( $page ) )
    23042308                        $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
    23052309
    23062310                if ( !empty( $filter ) ) {
    2307                         $filter     = esc_sql( like_escape( $filter ) );
    2308                         $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
     2311                        $search_terms_like = '%' . bp_esc_like( $filter ) . '%';
     2312                        $filter_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    23092313                }
    23102314
    23112315                if ( $user_id != bp_loggedin_user_id() )
    23122316                        $hidden_sql = " AND g.status != 'hidden'";
    23132317
    2314                 $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY m.date_modified ASC {$pag_sql}", $user_id ) );
    2315                 $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY date_modified ASC", $user_id ) );
     2318                $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY m.date_modified ASC {$pag_sql}" );
     2319                $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY date_modified ASC" );
    23162320
    23172321                return array( 'groups' => $paged_groups, 'total' => $total_groups );
    23182322        }
    class BP_Groups_Member { 
    23352339        public static function get_is_mod_of( $user_id, $limit = false, $page = false, $filter = false ) {
    23362340                global $wpdb, $bp;
    23372341
    2338                 $pag_sql = $hidden_sql = $filter_sql = '';
     2342                $user_id_sql = $pag_sql = $hidden_sql = $filter_sql = '';
     2343
     2344                $user_id_sql = $wpdb->prepare( 'm.user_id = %d', $user_id );
    23392345
    23402346                if ( !empty( $limit ) && !empty( $page ) )
    23412347                        $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
    23422348
    23432349                if ( !empty( $filter ) ) {
    2344                         $filter     = esc_sql( like_escape( $filter ) );
    2345                         $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
     2350                        $search_terms_like = '%' . bp_esc_like( $filter ) . '%';
     2351                        $filter_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    23462352                }
    23472353
    23482354                if ( $user_id != bp_loggedin_user_id() )
    23492355                        $hidden_sql = " AND g.status != 'hidden'";
    23502356
    2351                 $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY m.date_modified ASC {$pag_sql}", $user_id ) );
    2352                 $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY date_modified ASC", $user_id ) );
     2357                $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY m.date_modified ASC {$pag_sql}" );
     2358                $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY date_modified ASC" );
    23532359
    23542360                return array( 'groups' => $paged_groups, 'total' => $total_groups );
    23552361        }
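--- a/src/bp-members/bp-members-classes.php
+++ b/src/bp-members/bp-members-classes.php
@@ -150,9 +150,8 @@ class BP_Signup {
 
                         // Search terms
                         if ( ! empty( $r['usersearch'] ) ) {
-                                $search_terms_clean = esc_sql( esc_sql( $r['usersearch'] ) );
-                                $search_terms_clean = like_escape( $search_terms_clean );
-                                $sql['where'][]     = "( user_login LIKE '%" . $search_terms_clean . "%' OR user_email LIKE '%" . $search_terms_clean . "%' OR meta LIKE '%" . $search_terms_clean . "%' )";
+                                $search_terms_like = '%' . bp_esc_like( $r['usersearch'] ) . '%';
+                                $sql['where'][]    = $wpdb->prepare( "( user_login LIKE %s OR user_email LIKE %s OR meta LIKE %s )", $search_terms_like, $search_terms_like, $search_terms_like );
                         }
 
                         // Activation key
@@ -208,7 +207,7 @@ class BP_Signup {
                         $diff    = $now - $sent_at;
 
                         /**
-                         * add a boolean in case the last time an activation link 
+                         * add a boolean in case the last time an activation link
                          * has been sent happened less than a day ago
                          */
                         if ( $diff < 1 * DAY_IN_SECONDS ) {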
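Review bot: The new `$sql['where'][]` assignment in the usersearch branch calls `$wpdb->prepare()`, but the start of this BP_Signup method is outside the hunk, so it is not visible whether `$wpdb` has been brought into scope with `global $wpdb;` earlier in the method; if it has not, this line fails with a call on null rather than producing a clause, and that should be confirmed before merging. The escaping change also deserves a short comment, because it replaces the old double `esc_sql()` plus `like_escape()` with a single helper and moves the quoting into prepare, and the next maintainer may be tempted to pull the wildcards inside the helper: `// bp_esc_like() escapes LIKE metacharacters in the user input; the surrounding % wildcards are intentional and must stay outside it.` The second hunk in this file only strips trailing whitespace and needs no review.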
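--- a/src/bp-messages/bp-messages-classes.php
+++ b/src/bp-messages/bp-messages-classes.php
@@ -250,7 +250,8 @@ class BP_Messages_Thread {
         public static function get_current_threads_for_user( $user_id, $box = 'inbox', $type = 'all', $limit = null, $page = null, $search_terms = '' ) {
                 global $wpdb, $bp;
 
-                $pag_sql = $type_sql = $search_sql = '';
+                $user_id_sql = $pag_sql = $type_sql = $search_sql = '';
+
                 if ( $limit && $page ) {
                         $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
                 }
@@ -262,16 +263,18 @@ class BP_Messages_Thread {
                 }
 
                 if ( ! empty( $search_terms ) ) {
-                        $search_terms = like_escape( esc_sql( $search_terms ) );
-                        $search_sql   = "AND ( subject LIKE '%%$search_terms%%' OR message LIKE '%%$search_terms%%' )";
+                        $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
+                        $search_sql        = $wpdb->prepare( "AND ( subject LIKE %s OR message LIKE %s )", $search_terms_like, $search_terms_like );
                 }
 
                 if ( 'sentbox' == $box ) {
-                        $thread_ids    = $wpdb->get_results( $wpdb->prepare( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND m.sender_id = %d AND r.is_deleted = 0 {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}", $user_id ) );
-                        $total_threads = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND m.sender_id = %d AND r.is_deleted = 0 {$search_sql} ", $user_id ) );
+                        $user_id_sql = $wpdb->prepare( 'm.sender_id = %d', $user_id );
+                        $thread_ids  = $wpdb->get_results( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND {$user_id_sql} AND r.is_deleted = 0 {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}" );
+                        $total_threads = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND {$user_id_sql} AND r.is_deleted = 0 {$search_sql} ", $user_id ) );
                 } else {
-                        $thread_ids = $wpdb->get_results( $wpdb->prepare( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND r.user_id = %d AND r.sender_only = 0 {$type_sql} {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}", $user_id ) );
-                        $total_threads = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND r.user_id = %d AND r.sender_only = 0 {$type_sql} {$search_sql} ", $user_id ) );
+                        $user_id_sql = $wpdb->prepare( 'r.user_id = %d', $user_id );
+                        $thread_ids = $wpdb->get_results( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND {$user_id_sql} AND r.sender_only = 0 {$type_sql} {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}" );
+                        $total_threads = $wpdb->get_var( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND {$user_id_sql} AND r.sender_only = 0 {$type_sql} {$search_sql}" );
                 }
 
                 if ( empty( $thread_ids ) ) {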
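Review bot: The sentbox `$total_threads` query is still wrapped in `$wpdb->prepare( …, $user_id )` even though its `%d` placeholder was replaced by the already-prepared `{$user_id_sql}`, so the outer prepare has nothing left to bind and, worse, re-parses the interpolated `{$search_sql}` as a format string; since `$search_sql` now carries literal single `%` wildcards around the escaped term (the old code used `%%` precisely to survive that outer prepare), any non-empty search term yields a mangled WHERE clause or a sprintf format error instead of a count. The sibling `$thread_ids` query above it and both inbox queries drop the wrapper correctly, and this line should match them: `$total_threads = $wpdb->get_var( "SELECT COUNT( DISTINCT m.thread_id ) FROM … AND m.sender_id = r.user_id AND {$user_id_sql} AND r.is_deleted = 0 {$search_sql} " );`. A comment on the search branch would help prevent this from recurring: `// $search_sql is fully prepared here; interpolate it into raw queries only, never into another prepare() call.`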
  • src/bp-notifications/bp-notifications-classes.php

    diff --git src/bp-notifications/bp-notifications-classes.php src/bp-notifications/bp-notifications-classes.php
    index 09fcf88..d8b89b4 100644
    class BP_Notifications_Notification { 
    327327
    328328                // search_terms
    329329                if ( ! empty( $args['search_terms'] ) ) {
    330                         $search_terms = like_escape( esc_sql( $args['search_terms'] ) );
    331                         $where_conditions['search_terms'] = "( component_name LIKE '%%$search_terms%%' OR component_action LIKE '%%$search_terms%%' )";
     330                        $search_terms_like = '%' . bp_esc_like( $args['search_terms'] ) . '%';
     331                        $where_conditions['search_terms'] = $wpdb->prepare( "( component_name LIKE %s OR component_action LIKE %s )", $search_terms_like, $search_terms_like );
    332332                }
    333333
    334334                // Custom WHERE