Ticket #5701: 5701.patch
File 5701.patch, 42.1 KB (added by , 10 years ago) |
src/bp-activity/bp-activity-classes.php
diff --git src/bp-activity/bp-activity-classes.php src/bp-activity/bp-activity-classes.php index a67e088..66605fb 100644
class BP_Activity_Activity { 337 337 338 338 // Searching 339 339 if ( $search_terms ) { 340 $search_terms = esc_sql( $search_terms );341 $where_conditions['search_sql'] = "a.content LIKE '%%" . esc_sql( like_escape( $search_terms ) ) . "%%'";340 $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%'; 341 $where_conditions['search_sql'] = $wpdb->prepare( 'a.content LIKE %s', $search_terms_like ); 342 342 } 343 343 344 344 // Filtering -
src/bp-blogs/bp-blogs-classes.php
diff --git src/bp-blogs/bp-blogs-classes.php src/bp-blogs/bp-blogs-classes.php index aa38148..693265b 100644
class BP_Blogs_Blog { 156 156 } 157 157 158 158 if ( !empty( $search_terms ) ) { 159 $filter = esc_sql( like_escape( $search_terms ) ); 160 $paged_blogs = $wpdb->get_results( "SELECT b.blog_id, b.user_id as admin_user_id, u.user_email as admin_user_email, wb.domain, wb.path, bm.meta_value as last_activity, bm2.meta_value as name FROM {$bp->blogs->table_name} b, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2, {$wpdb->base_prefix}blogs wb, {$wpdb->users} u WHERE b.blog_id = wb.blog_id AND b.user_id = u.ID AND b.blog_id = bm.blog_id AND b.blog_id = bm2.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'last_activity' AND bm2.meta_key = 'name' AND bm2.meta_value LIKE '%%$filter%%' {$user_sql} {$include_sql} GROUP BY b.blog_id {$order_sql} {$pag_sql}" ); 161 $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT b.blog_id) FROM {$bp->blogs->table_name} b, {$wpdb->base_prefix}blogs wb, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2 WHERE b.blog_id = wb.blog_id AND bm.blog_id = b.blog_id AND bm2.blog_id = b.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'name' AND bm2.meta_key = 'description' AND ( bm.meta_value LIKE '%%$filter%%' || bm2.meta_value LIKE '%%$filter%%' ) {$user_sql} {$include_sql}" ); 159 $search_terms_like = '%' . bp_esc_like( $search_terms ) . 
'%'; 160 $search_terms_sql = $wpdb->prepare( 'bm2.meta_value LIKE %s', $search_terms_like ); 161 $paged_blogs = $wpdb->get_results( "SELECT b.blog_id, b.user_id as admin_user_id, u.user_email as admin_user_email, wb.domain, wb.path, bm.meta_value as last_activity, bm2.meta_value as name FROM {$bp->blogs->table_name} b, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2, {$wpdb->base_prefix}blogs wb, {$wpdb->users} u WHERE b.blog_id = wb.blog_id AND b.user_id = u.ID AND b.blog_id = bm.blog_id AND b.blog_id = bm2.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'last_activity' AND bm2.meta_key = 'name' AND {$search_terms_sql} {$user_sql} {$include_sql} GROUP BY b.blog_id {$order_sql} {$pag_sql}" ); 162 $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT b.blog_id) FROM {$bp->blogs->table_name} b, {$wpdb->base_prefix}blogs wb, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2 WHERE b.blog_id = wb.blog_id AND bm.blog_id = b.blog_id AND bm2.blog_id = b.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'name' AND bm2.meta_key = 'description' AND {$search_terms_sql} {$user_sql} {$include_sql}" ); 162 163 } else { 163 164 $paged_blogs = $wpdb->get_results( "SELECT b.blog_id, b.user_id as admin_user_id, u.user_email as admin_user_email, wb.domain, wb.path, bm.meta_value as last_activity, bm2.meta_value as name FROM {$bp->blogs->table_name} b, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2, {$wpdb->base_prefix}blogs wb, {$wpdb->users} u WHERE b.blog_id = wb.blog_id AND b.user_id = u.ID AND b.blog_id = bm.blog_id AND b.blog_id = bm2.blog_id {$user_sql} AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'last_activity' AND bm2.meta_key = 'name' {$include_sql} GROUP BY b.blog_id {$order_sql} {$pag_sql}" ); 164 165 
$total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT b.blog_id) FROM {$bp->blogs->table_name} b, {$wpdb->base_prefix}blogs wb WHERE b.blog_id = wb.blog_id {$user_sql} AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$include_sql} {$hidden_sql}" ); … … class BP_Blogs_Blog { 342 343 public static function search_blogs( $filter, $limit = null, $page = null ) { 343 344 global $wpdb, $bp; 344 345 345 $filter = esc_sql( like_escape( $filter ) ); 346 $search_terms_like = '%' . bp_esc_like( $filter ) . '%'; 347 $search_terms_sql = $wpdb->prepare( 'bm.meta_value LIKE %s', $search_terms_like ); 346 348 347 349 $hidden_sql = ''; 348 350 if ( !bp_current_user_can( 'bp_moderate' ) ) … … class BP_Blogs_Blog { 353 355 $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ); 354 356 } 355 357 356 $paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND bm.meta_value LIKE '%%$filter%%') {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC{$pag_sql}" );357 $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND bm.meta_value LIKE '%%$filter%%') {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC" );358 $paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND {$search_terms_sql} ) {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND 
wb.deleted = 0 ORDER BY meta_value ASC{$pag_sql}" ); 359 $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND {$search_terms_sql} ) {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC" ); 358 360 359 361 return array( 'blogs' => $paged_blogs, 'total' => $total_blogs ); 360 362 } … … class BP_Blogs_Blog { 403 405 public static function get_by_letter( $letter, $limit = null, $page = null ) { 404 406 global $bp, $wpdb; 405 407 406 $letter = esc_sql( like_escape( $letter ) ); 408 $letter_like = '%' . bp_esc_like( $letter ) . '%'; 409 $letter_sql = $wpdb->prepare( 'bm.meta_value LIKE %s', $letter_like ); 407 410 408 411 $hidden_sql = ''; 409 412 if ( !bp_current_user_can( 'bp_moderate' ) ) … … class BP_Blogs_Blog { 413 416 if ( $limit && $page ) 414 417 $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ); 415 418 416 $paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND bm.meta_value LIKE '$letter%%'{$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC{$pag_sql}" );417 $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND bm.meta_value LIKE '$letter%%'{$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC" );419 $paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id 
= wb.blog_id WHERE bm.meta_key = 'name' AND {$letter_sql} {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC{$pag_sql}" ); 420 $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND {$letter_sql} {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC" ); 418 421 419 422 return array( 'blogs' => $paged_blogs, 'total' => $total_blogs ); 420 423 } -
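Review bot: In get_by_letter (new line 408) the pattern changes from the old prefix match `'$letter%%'` to `'%' . bp_esc_like( $letter ) . '%'`, so a letter now matches anywhere in the blog name, while the by-letter methods this patch touches in BP_Core_User and BP_Groups_Group keep the prefix form; the line should read `$letter_like = bp_esc_like( $letter ) . '%';`. Separately, in the first hunk the count query at new line 162 replaces `( bm.meta_value LIKE … || bm2.meta_value LIKE … )` with `{$search_terms_sql}`, which only tests bm2 (the description row in that query), so name matches drop out of `$total_blogs` and the total can disagree with the paged result. A second fragment for that query, e.g. `$total_search_sql = $wpdb->prepare( '( bm.meta_value LIKE %s OR bm2.meta_value LIKE %s )', $search_terms_like, $search_terms_like );`, keeps the original semantics. The method enclosing the first hunk starts before it.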
src/bp-core/bp-core-classes.php
diff --git src/bp-core/bp-core-classes.php src/bp-core/bp-core-classes.php index bad2c21..fb24188 100644
class BP_User_Query { 364 364 // 'search_terms' searches user_login and user_nicename 365 365 // xprofile field matches happen in bp_xprofile_bp_user_query_search() 366 366 if ( false !== $search_terms ) { 367 $search_terms_ clean = esc_sql( esc_sql( $search_terms ) );368 $sql['where']['search'] = "u.{$this->uid_name} IN ( SELECT ID FROM {$wpdb->users} WHERE ( user_login LIKE '%{$search_terms_clean}%' OR user_nicename LIKE '%{$search_terms_clean}%' ) )";367 $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%'; 368 $sql['where']['search'] = $wpdb->prepare( "u.{$this->uid_name} IN ( SELECT ID FROM {$wpdb->users} WHERE ( user_login LIKE %s OR user_nicename LIKE %s ) )", $search_terms_like, $search_terms_like ); 369 369 } 370 370 371 371 // 'meta_key', 'meta_value' allow usermeta search … … class BP_Core_User { 967 967 } 968 968 969 969 if ( !empty( $search_terms ) && bp_is_active( 'xprofile' ) ) { 970 $search_terms = esc_sql( like_escape( $search_terms ) );971 $sql['where_searchterms'] = "AND spd.value LIKE '%%$search_terms%%'";970 $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%'; 971 $sql['where_searchterms'] = $wpdb->prepare( "AND spd.value LIKE %s", $search_terms_like ); 972 972 } 973 973 974 974 if ( !empty( $meta_key ) ) { … … class BP_Core_User { 1085 1085 } 1086 1086 } 1087 1087 1088 $letter = esc_sql( like_escape( $letter ) );1089 $status_sql = bp_core_get_status_sql( 'u.' );1088 $letter_like = bp_esc_like( $letter ) . '%'; 1089 $status_sql = bp_core_get_status_sql( 'u.' 
); 1090 1090 1091 1091 if ( !empty( $exclude ) ) { 1092 1092 $exclude = implode( ',', wp_parse_id_list( $r['exclude'] ) ); … … class BP_Core_User { 1095 1095 $exclude_sql = ''; 1096 1096 } 1097 1097 1098 $total_users_sql = apply_filters( 'bp_core_users_by_letter_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%' ORDER BY pd.value ASC", bp_xprofile_fullname_field_name()) );1099 $paged_users_sql = apply_filters( 'bp_core_users_by_letter_sql', $wpdb->prepare( "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%' ORDER BY pd.value ASC{$pag_sql}", bp_xprofile_fullname_field_name()) );1098 $total_users_sql = apply_filters( 'bp_core_users_by_letter_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE %s ORDER BY pd.value ASC", bp_xprofile_fullname_field_name(), $letter_like ) ); 1099 $paged_users_sql = apply_filters( 'bp_core_users_by_letter_sql', $wpdb->prepare( "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE %s ORDER BY pd.value ASC{$pag_sql}", 
bp_xprofile_fullname_field_name(), $letter_like ) ); 1100 1100 1101 1101 $total_users = $wpdb->get_var( $total_users_sql ); 1102 1102 $paged_users = $wpdb->get_results( $paged_users_sql ); … … class BP_Core_User { 1184 1184 $user_ids = array(); 1185 1185 $pag_sql = $limit && $page ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * intval( $limit ) ), intval( $limit ) ) : ''; 1186 1186 1187 $search_terms = esc_sql( like_escape( $search_terms ) );1188 $status_sql = bp_core_get_status_sql( 'u.' );1187 $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%'; 1188 $status_sql = bp_core_get_status_sql( 'u.' ); 1189 1189 1190 $total_users_sql = apply_filters( 'bp_core_search_users_count_sql', "SELECT COUNT(DISTINCT u.ID) as id FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE '%%{$search_terms}%%' ORDER BY pd.value ASC", $search_terms );1191 $paged_users_sql = apply_filters( 'bp_core_search_users_sql', "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE '%%{$search_terms}%%' ORDER BY pd.value ASC{$pag_sql}", $search_terms, $pag_sql );1190 $total_users_sql = apply_filters( 'bp_core_search_users_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) as id FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE %s ORDER BY pd.value ASC", $search_terms_like ), $search_terms ); 1191 $paged_users_sql = apply_filters( 'bp_core_search_users_sql', $wpdb->prepare( "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE %s ORDER BY pd.value ASC{$pag_sql}", $search_terms_like ), $search_terms, $pag_sql 
); 1192 1192 1193 1193 $total_users = $wpdb->get_var( $total_users_sql ); 1194 1194 $paged_users = $wpdb->get_results( $paged_users_sql ); -
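Review bot: In search_users (new lines 1190–1191) the extra argument handed to the `bp_core_search_users_count_sql` and `bp_core_search_users_sql` filters is now the raw `$search_terms`, whereas the removed lines passed the esc_sql()/like_escape()'d value; any existing filter callback that splices that argument into its own SQL now receives unescaped input. Either keep the argument's contract or document the change in the filters' docblocks (outside the hunk), and consider passing `$search_terms_like` as well so callbacks can bind it with `%s` through `$wpdb->prepare()`. This is inferred from the argument lists visible in the hunk; the filter docblocks are not shown.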
src/bp-core/bp-core-functions.php
diff --git src/bp-core/bp-core-functions.php src/bp-core/bp-core-functions.php index 8d3d60e..66023f4 100644
function bp_esc_sql_order( $order = '' ) { 265 265 } 266 266 267 267 /** 268 * Escape special characters in a SQL LIKE clause. 269 * 270 * In WordPress 4.0, like_escape() was deprecated, due to incorrect 271 * documentation and improper sanitization leading to a history of misuse. To 272 * maintain compatibility with versions of WP before 4.0, we duplicate the 273 * logic of the replacement, wpdb::esc_like(). 274 * 275 * @since BuddyPress (2.1.0) 276 * 277 * @see wpdb::esc_like() for more details on proper use. 278 * 279 * @param string $text The raw text to be escaped. 280 * @return string Text in the form of a LIKE phrase. Not SQL safe. Run through 281 * wpdb::prepare() before use. 282 */ 283 function bp_esc_like( $text ) { 284 global $wpdb; 285 286 if ( method_exists( $wpdb, 'esc_like' ) ) { 287 return $wpdb->esc_like( $text ); 288 } else { 289 return addcslashes( $text, '_%\\' ); 290 } 291 } 292 293 /** 268 294 * Are we running username compatibility mode? 269 295 * 270 296 * @since BuddyPress (1.5.0) -
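Review bot: The `else` after `return` in bp_esc_like (new lines 286–290) is redundant; a guard form reads more directly: `if ( method_exists( $wpdb, 'esc_like' ) ) { return $wpdb->esc_like( $text ); }` followed by `return addcslashes( $text, '_%\\' );`. The docblock's warning that the result is not SQL safe is the important part; it would help to spell out the call order every call site in this patch follows, e.g. `Escape with bp_esc_like(), append the % wildcards, then bind with wpdb::prepare( 'LIKE %s' )`.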
src/bp-friends/bp-friends-classes.php
diff --git src/bp-friends/bp-friends-classes.php src/bp-friends/bp-friends-classes.php index 63c40ca..2ceba53 100644
class BP_Friends_Friendship { 290 290 if ( empty( $user_id ) ) 291 291 $user_id = bp_loggedin_user_id(); 292 292 293 $filter = esc_sql( like_escape( $filter ) ); 293 // Only search for matching strings at the beginning of the 294 // name (@todo - figure out why this restriction) 295 $search_terms_like = bp_esc_like( $filter ) . '%'; 294 296 295 297 $pag_sql = ''; 296 298 if ( !empty( $limit ) && !empty( $page ) ) … … class BP_Friends_Friendship { 307 309 308 310 // filter the user_ids based on the search criteria. 309 311 if ( bp_is_active( 'xprofile' ) ) { 310 $sql = "SELECT DISTINCT user_id FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE '{$filter}%%' {$pag_sql}";311 $total_sql = "SELECT COUNT(DISTINCT user_id) FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE '{$filter}%%'";312 $sql = $wpdb->prepare( "SELECT DISTINCT user_id FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE %s {$pag_sql}", $search_terms_like ); 313 $total_sql = $wpdb->prepare( "SELECT COUNT(DISTINCT user_id) FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE %s", $search_terms_like ); 312 314 } else { 313 $sql = "SELECT DISTINCT user_id FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE '{$filter}%%' {$pag_sql}";314 $total_sql = "SELECT COUNT(DISTINCT user_id) FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE '{$filter}%%'";315 $sql = $wpdb->prepare( "SELECT DISTINCT user_id FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE %s' {$pag_sql}", $search_terms_like ); 316 $total_sql = $wpdb->prepare( "SELECT COUNT(DISTINCT user_id) FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE %s", $search_terms_like ); 315 317 } 316 318 317 319 $filtered_friend_ids = $wpdb->get_col( $sql ); … … class 
BP_Friends_Friendship { 443 445 public static function search_users( $filter, $user_id, $limit = null, $page = null ) { 444 446 global $wpdb, $bp; 445 447 446 $filter = esc_sql( like_escape( $filter ) ); 448 // Only search for matching strings at the beginning of the 449 // name (@todo - figure out why this restriction) 450 $search_terms_like = bp_esc_like( $filter ) . '%'; 447 451 448 452 $usermeta_table = $wpdb->base_prefix . 'usermeta'; 449 453 $users_table = $wpdb->base_prefix . 'users'; … … class BP_Friends_Friendship { 454 458 455 459 // filter the user_ids based on the search criteria. 456 460 if ( bp_is_active( 'xprofile' ) ) { 457 $sql = "SELECT DISTINCT d.user_id as id FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE '{$filter}%%' ORDER BY d.value DESC {$pag_sql}";461 $sql = $wpdb->prepare( "SELECT DISTINCT d.user_id as id FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE %s ORDER BY d.value DESC {$pag_sql}", $search_terms_like ); 458 462 } else { 459 $sql = "SELECT DISTINCT user_id as id FROM {$usermeta_table} WHERE meta_value LIKE '{$filter}%%' ORDER BY d.value DESC {$pag_sql}";463 $sql = $wpdb->prepare( "SELECT DISTINCT user_id as id FROM {$usermeta_table} WHERE meta_value LIKE %s ORDER BY d.value DESC {$pag_sql}", $search_terms_like ); 460 464 } 461 465 462 466 $filtered_fids = $wpdb->get_col($sql); … … class BP_Friends_Friendship { 478 482 public static function search_users_count( $filter ) { 479 483 global $wpdb, $bp; 480 484 481 $filter = esc_sql( like_escape( $filter ) ); 485 // Only search for matching strings at the beginning of the 486 // name (@todo - figure out why this restriction) 487 $search_terms_like = bp_esc_like( $filter ) . '%'; 482 488 483 489 $usermeta_table = $wpdb->prefix . 'usermeta'; 484 490 $users_table = $wpdb->base_prefix . 'users'; 485 491 486 492 // filter the user_ids based on the search criteria. 
487 493 if ( bp_is_active( 'xprofile' ) ) { 488 $sql = "SELECT COUNT(DISTINCT d.user_id) FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE '{$filter}%%'";494 $sql = $wpdb->prepare( "SELECT COUNT(DISTINCT d.user_id) FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE %s", $search_terms_like ); 489 495 } else { 490 $sql = "SELECT COUNT(DISTINCT user_id) FROM {$usermeta_table} WHERE meta_value LIKE '{$filter}%%'";496 $sql = $wpdb->prepare( "SELECT COUNT(DISTINCT user_id) FROM {$usermeta_table} WHERE meta_value LIKE %s", $search_terms_like ); 491 497 } 492 498 493 499 $user_count = $wpdb->get_col($sql); -
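Review bot: The non-xprofile branch of the first hunk (new line 315) has a stray quote after the placeholder, `meta_value LIKE %s' {$pag_sql}`, which produces a SQL syntax error for every search when the xprofile component is inactive; it should be `meta_value LIKE %s {$pag_sql}`, matching the `$total_sql` line right below it. In search_users (new line 463) the non-xprofile query still orders by `d.value` although no `d` alias appears in its FROM clause; that is pre-existing, but it sits in the same branch and fails the same way. Both methods' bodies continue outside the hunks.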
src/bp-groups/bp-groups-classes.php
diff --git src/bp-groups/bp-groups-classes.php src/bp-groups/bp-groups-classes.php index 3b98ff5..bc6ce37 100644
class BP_Groups_Group { 445 445 if ( empty( $user_id ) ) 446 446 $user_id = bp_displayed_user_id(); 447 447 448 $ filter = esc_sql( like_escape( $filter ) );448 $search_terms_like = bp_esc_like( $filter ) . '%'; 449 449 450 450 $pag_sql = $order_sql = $hidden_sql = ''; 451 451 … … class BP_Groups_Group { 460 460 461 461 $gids = esc_sql( implode( ',', wp_parse_id_list( $gids['groups'] ) ) ); 462 462 463 $paged_groups = $wpdb->get_results( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE '{$filter}%%' OR description LIKE '{$filter}%%' ) AND id IN ({$gids}) {$pag_sql}");464 $total_groups = $wpdb->get_var( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE '{$filter}%%' OR description LIKE '{$filter}%%' ) AND id IN ({$gids})");463 $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) AND id IN ({$gids}) {$pag_sql}", $search_terms_like, $search_terms_like ) ); 464 $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) AND id IN ({$gids})", $search_terms_like, $search_terms_like ) ); 465 465 466 466 return array( 'groups' => $paged_groups, 'total' => $total_groups ); 467 467 } … … class BP_Groups_Group { 486 486 public static function search_groups( $filter, $limit = null, $page = null, $sort_by = false, $order = false ) { 487 487 global $wpdb, $bp; 488 488 489 $ filter = esc_sql( like_escape( $filter ) );489 $search_terms_like = '%' . bp_esc_like( $filter ) . 
'%'; 490 490 491 491 $pag_sql = $order_sql = $hidden_sql = ''; 492 492 … … class BP_Groups_Group { 502 502 if ( !bp_current_user_can( 'bp_moderate' ) ) 503 503 $hidden_sql = "AND status != 'hidden'"; 504 504 505 $paged_groups = $wpdb->get_results( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE '%%{$filter}%%' OR description LIKE '%%{$filter}%%' ) {$hidden_sql} {$order_sql} {$pag_sql}");506 $total_groups = $wpdb->get_var( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE '%%{$filter}%%' OR description LIKE '%%{$filter}%%' ) {$hidden_sql}");505 $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) {$hidden_sql} {$order_sql} {$pag_sql}", $search_terms_like, $search_terms_like ) ); 506 $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) {$hidden_sql}", $search_terms_like, $search_terms_like ) ); 507 507 508 508 return array( 'groups' => $paged_groups, 'total' => $total_groups ); 509 509 } … … class BP_Groups_Group { 702 702 } 703 703 704 704 if ( ! empty( $r['search_terms'] ) ) { 705 $search_terms = esc_sql( like_escape( $r['search_terms'] ) );706 $sql['search'] = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";705 $search_terms_like = '%' . bp_esc_like( $r['search_terms'] ) . '%'; 706 $sql['search'] = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like ); 707 707 } 708 708 709 709 $meta_query_sql = self::get_meta_query_sql( $r['meta_query'] ); … … class BP_Groups_Group { 784 784 } 785 785 786 786 if ( ! 
empty( $sql['search'] ) ) { 787 $total_sql['where'][] = "( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";787 $total_sql['where'][] = $wpdb->prepare( "( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like ); 788 788 } 789 789 790 790 if ( ! empty( $r['user_id'] ) ) { … … class BP_Groups_Group { 1029 1029 $hidden_sql = " AND g.status != 'hidden'"; 1030 1030 1031 1031 if ( !empty( $search_terms ) ) { 1032 $search_terms = esc_sql( like_escape( $search_terms ) );1033 $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";1032 $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%'; 1033 $search_sql = $wpdb->prepare( ' AND ( g.name LIKE %s OR g.description LIKE %s ) ', $search_terms_like, $search_terms_like ); 1034 1034 } 1035 1035 1036 1036 if ( !empty( $exclude ) ) { … … class BP_Groups_Group { 1093 1093 $hidden_sql = " AND g.status != 'hidden'"; 1094 1094 1095 1095 if ( !empty( $search_terms ) ) { 1096 $search_terms = esc_sql( like_escape( $search_terms ) );1097 $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";1096 $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%'; 1097 $search_sql = $wpdb->prepare( ' AND ( g.name LIKE %s OR g.description LIKE %s ) ', $search_terms_like, $search_terms_like ); 1098 1098 } 1099 1099 1100 1100 if ( !empty( $exclude ) ) { … … class BP_Groups_Group { 1164 1164 if ( !bp_current_user_can( 'bp_moderate' ) ) 1165 1165 $hidden_sql = " AND status != 'hidden'"; 1166 1166 1167 $letter = esc_sql( like_escape( $letter ) );1167 $letter_like = bp_esc_like( $letter ) . 
'%'; 1168 1168 1169 1169 if ( !empty( $limit ) && !empty( $page ) ) { 1170 1170 $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ); 1171 1171 } 1172 1172 1173 $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE '{$letter}%%' {$hidden_sql} {$exclude_sql}");1173 $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE %s {$hidden_sql} {$exclude_sql}", $letter_like ) ); 1174 1174 1175 $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE '{$letter}%%' {$hidden_sql} {$exclude_sql} ORDER BY g.name ASC {$pag_sql}");1175 $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE %s {$hidden_sql} {$exclude_sql} ORDER BY g.name ASC {$pag_sql}", $letter_like ) ); 1176 1176 1177 1177 if ( !empty( $populate_extras ) ) { 1178 1178 foreach ( (array) $paged_groups 
as $group ) { … … class BP_Groups_Group { 1220 1220 $hidden_sql = "AND g.status != 'hidden'"; 1221 1221 1222 1222 if ( !empty( $search_terms ) ) { 1223 $search_terms = esc_sql( like_escape( $search_terms ) );1224 $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";1223 $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%'; 1224 $search_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like ); 1225 1225 } 1226 1226 1227 1227 if ( !empty( $exclude ) ) { … … class BP_Groups_Group { 1437 1437 $sql['where'] = "WHERE gm.meta_key = 'forum_id' {$status_sql} AND t.topic_status = '0' AND t.topic_sticky != '2'"; 1438 1438 1439 1439 if ( !empty( $search_terms ) ) { 1440 $s t = esc_sql( like_escape( $search_terms ) );1441 $sql['where'] .= " AND ( t.topic_title LIKE '%{$st}%' )";1440 $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%'; 1441 $sql['where'] .= $wpdb->prepare( " AND ( t.topic_title LIKE %s )", $search_terms_like ); 1442 1442 } 1443 1443 1444 1444 return $wpdb->get_var( implode( ' ', $sql ) ); … … class BP_Groups_Member { 2261 2261 public static function get_recently_joined( $user_id, $limit = false, $page = false, $filter = false ) { 2262 2262 global $wpdb, $bp; 2263 2263 2264 $pag_sql = $hidden_sql = $filter_sql = ''; 2264 $user_id_sql = $pag_sql = $hidden_sql = $filter_sql = ''; 2265 2266 $user_id_sql = $wpdb->prepare( 'm.user_id = %d', $user_id ); 2265 2267 2266 2268 if ( !empty( $limit ) && !empty( $page ) ) 2267 2269 $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ); 2268 2270 2269 2271 if ( !empty( $filter ) ) { 2270 $ filter = esc_sql( like_escape( $filter ) );2271 $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";2272 $search_terms_like = '%' . bp_esc_like( $filter ) . 
'%'; 2273 $filter_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like ); 2272 2274 } 2273 2275 2274 2276 if ( $user_id != bp_loggedin_user_id() ) 2275 2277 $hidden_sql = " AND g.status != 'hidden'"; 2276 2278 2277 $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY m.date_modified DESC {$pag_sql}", $user_id ));2278 $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_banned = 0 AND m.is_confirmed = 1 ORDER BY m.date_modified DESC", $user_id ));2279 $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY m.date_modified DESC {$pag_sql}" ); 2280 $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_banned = 0 AND m.is_confirmed = 1 ORDER BY 
m.date_modified DESC" ); 2279 2281 2280 2282 return array( 'groups' => $paged_groups, 'total' => $total_groups ); 2281 2283 } … … class BP_Groups_Member { 2298 2300 public static function get_is_admin_of( $user_id, $limit = false, $page = false, $filter = false ) { 2299 2301 global $wpdb, $bp; 2300 2302 2301 $pag_sql = $hidden_sql = $filter_sql = ''; 2303 $user_id_sql = $pag_sql = $hidden_sql = $filter_sql = ''; 2304 2305 $user_id_sql = $wpdb->prepare( 'm.user_id = %d', $user_id ); 2302 2306 2303 2307 if ( !empty( $limit ) && !empty( $page ) ) 2304 2308 $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ); 2305 2309 2306 2310 if ( !empty( $filter ) ) { 2307 $ filter = esc_sql( like_escape( $filter ) );2308 $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";2311 $search_terms_like = '%' . bp_esc_like( $filter ) . '%'; 2312 $filter_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like ); 2309 2313 } 2310 2314 2311 2315 if ( $user_id != bp_loggedin_user_id() ) 2312 2316 $hidden_sql = " AND g.status != 'hidden'"; 2313 2317 2314 $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY m.date_modified ASC {$pag_sql}", $user_id ));2315 $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND m.user_id 
= %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY date_modified ASC", $user_id ));2318 $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY m.date_modified ASC {$pag_sql}" ); 2319 $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY date_modified ASC" ); 2316 2320 2317 2321 return array( 'groups' => $paged_groups, 'total' => $total_groups ); 2318 2322 } … … class BP_Groups_Member { 2335 2339 public static function get_is_mod_of( $user_id, $limit = false, $page = false, $filter = false ) { 2336 2340 global $wpdb, $bp; 2337 2341 2338 $pag_sql = $hidden_sql = $filter_sql = ''; 2342 $user_id_sql = $pag_sql = $hidden_sql = $filter_sql = ''; 2343 2344 $user_id_sql = $wpdb->prepare( 'm.user_id = %d', $user_id ); 2339 2345 2340 2346 if ( !empty( $limit ) && !empty( $page ) ) 2341 2347 $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ); 2342 2348 2343 2349 if ( !empty( $filter ) ) { 2344 $ filter = esc_sql( like_escape( $filter ) );2345 $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";2350 $search_terms_like = '%' . bp_esc_like( $filter ) . 
'%'; 2351 $filter_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like ); 2346 2352 } 2347 2353 2348 2354 if ( $user_id != bp_loggedin_user_id() ) 2349 2355 $hidden_sql = " AND g.status != 'hidden'"; 2350 2356 2351 $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY m.date_modified ASC {$pag_sql}", $user_id ));2352 $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY date_modified ASC", $user_id ));2357 $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY m.date_modified ASC {$pag_sql}" ); 2358 $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 
1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY date_modified ASC" ); 2353 2359 2354 2360 return array( 'groups' => $paged_groups, 'total' => $total_groups ); 2355 2361 } -
src/bp-members/bp-members-classes.php
diff --git src/bp-members/bp-members-classes.php src/bp-members/bp-members-classes.php index b1a2f9d..ca74e5e 100644
class BP_Signup { 150 150 151 151 // Search terms 152 152 if ( ! empty( $r['usersearch'] ) ) { 153 $search_terms_clean = esc_sql( esc_sql( $r['usersearch'] ) ); 154 $search_terms_clean = like_escape( $search_terms_clean ); 155 $sql['where'][] = "( user_login LIKE '%" . $search_terms_clean . "%' OR user_email LIKE '%" . $search_terms_clean . "%' OR meta LIKE '%" . $search_terms_clean . "%' )"; 153 $search_terms_like = '%' . bp_esc_like( $r['usersearch'] ) . '%'; 154 $sql['where'][] = $wpdb->prepare( "( user_login LIKE %s OR user_email LIKE %s OR meta LIKE %s )", $search_terms_like, $search_terms_like, $search_terms_like ); 156 155 } 157 156 158 157 // Activation key … … class BP_Signup { 208 207 $diff = $now - $sent_at; 209 208 210 209 /** 211 * add a boolean in case the last time an activation link 210 * add a boolean in case the last time an activation link 212 211 * has been sent happened less than a day ago 213 212 */ 214 213 if ( $diff < 1 * DAY_IN_SECONDS ) { -
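Review bot: New line 154 pushes an already-prepared fragment, whose quoted LIKE values now contain literal `%` wildcards, into `$sql['where']`; if the assembled `$sql` is later run through `$wpdb->prepare` (the final query assembly is outside this hunk), those `%` characters would be re-processed as placeholders, so confirm the statement is executed without a second prepare. This is also the first use of `$wpdb` in the shown lines, where the old code only called `esc_sql`/`like_escape`; the method's opening, including any `global $wpdb;`, is outside the hunk, so check it is in scope. The second hunk (lines 210-211) only strips trailing whitespace from a comment and is unrelated to the ticket; consider leaving it out of this patch.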
src/bp-messages/bp-messages-classes.php
diff --git src/bp-messages/bp-messages-classes.php src/bp-messages/bp-messages-classes.php index d23c53f..bfa1461 100644
class BP_Messages_Thread { 250 250 public static function get_current_threads_for_user( $user_id, $box = 'inbox', $type = 'all', $limit = null, $page = null, $search_terms = '' ) { 251 251 global $wpdb, $bp; 252 252 253 $pag_sql = $type_sql = $search_sql = ''; 253 $user_id_sql = $pag_sql = $type_sql = $search_sql = ''; 254 254 255 if ( $limit && $page ) { 255 256 $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ); 256 257 } … … class BP_Messages_Thread { 262 263 } 263 264 264 265 if ( ! empty( $search_terms ) ) { 265 $search_terms = like_escape( esc_sql( $search_terms ) );266 $search_sql = "AND ( subject LIKE '%%$search_terms%%' OR message LIKE '%%$search_terms%%' )";266 $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%'; 267 $search_sql = $wpdb->prepare( "AND ( subject LIKE %s OR message LIKE %s )", $search_terms_like, $search_terms_like ); 267 268 } 268 269 269 270 if ( 'sentbox' == $box ) { 270 $thread_ids = $wpdb->get_results( $wpdb->prepare( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND m.sender_id = %d AND r.is_deleted = 0 {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}", $user_id ) ); 271 $total_threads = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND m.sender_id = %d AND r.is_deleted = 0 {$search_sql} ", $user_id ) ); 271 $user_id_sql = $wpdb->prepare( 'm.sender_id = %d', $user_id ); 272 $thread_ids = $wpdb->get_results( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND {$user_id_sql} AND r.is_deleted = 0 
{$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}" ); 273 $total_threads = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND {$user_id_sql} AND r.is_deleted = 0 {$search_sql} ", $user_id ) ); 272 274 } else { 273 $thread_ids = $wpdb->get_results( $wpdb->prepare( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND r.user_id = %d AND r.sender_only = 0 {$type_sql} {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}", $user_id ) ); 274 $total_threads = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND r.user_id = %d AND r.sender_only = 0 {$type_sql} {$search_sql} ", $user_id ) ); 275 $user_id_sql = $wpdb->prepare( 'r.user_id = %d', $user_id ); 276 $thread_ids = $wpdb->get_results( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND {$user_id_sql} AND r.sender_only = 0 {$type_sql} {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}" ); 277 $total_threads = $wpdb->get_var( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND {$user_id_sql} AND r.sender_only = 0 {$type_sql} {$search_sql}" ); 275 278 } 276 279 277 280 if ( empty( $thread_ids ) ) { -
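Review bot: In the sentbox branch the new count query (new line 273) is still wrapped in `$wpdb->prepare( ..., $user_id )` although its only `%d` placeholder has moved into the already-prepared `$user_id_sql`, while the paged query on 272 and both queries of the else branch (276, 277) were correctly unwrapped. Besides the now-unused argument, `$search_sql` carries literal `%` wildcards quoted by the inner prepare on 267, and passing that string through a second prepare exposes those `%` characters to its placeholder handling, so a search term can corrupt the count query. Drop the wrapper to match its siblings: `$total_threads = $wpdb->get_var( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND {$user_id_sql} AND r.is_deleted = 0 {$search_sql}" );`. get_current_threads_for_user continues past the end of the hunk.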
src/bp-notifications/bp-notifications-classes.php
diff --git src/bp-notifications/bp-notifications-classes.php src/bp-notifications/bp-notifications-classes.php index 09fcf88..d8b89b4 100644
class BP_Notifications_Notification { 327 327 328 328 // search_terms 329 329 if ( ! empty( $args['search_terms'] ) ) { 330 $search_terms = like_escape( esc_sql( $args['search_terms'] ) );331 $where_conditions['search_terms'] = "( component_name LIKE '%%$search_terms%%' OR component_action LIKE '%%$search_terms%%' )";330 $search_terms_like = '%' . bp_esc_like( $args['search_terms'] ) . '%'; 331 $where_conditions['search_terms'] = $wpdb->prepare( "( component_name LIKE %s OR component_action LIKE %s )", $search_terms_like, $search_terms_like ); 332 332 } 333 333 334 334 // Custom WHERE