Changeset 13147
- Timestamp:
- 11/13/2021 06:40:37 PM (3 years ago)
- Location:
- trunk
- Files:
-
- 15 edited
trunk/src/bp-activity/classes/class-bp-activity-activity.php
r13146 r13147 512 512 } 513 513 514 // S orting.514 // Sanitize 'order'. 515 515 $sort = $r['sort']; 516 if ( $sort != 'ASC' && $sort != 'DESC') {517 $sort = 'DESC';516 if ( 'DESC' !== $sort ) { 517 $sort = bp_esc_sql_order( $sort ); 518 518 } 519 519 -
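Review bot: The `'DESC' !== $sort` guard around bp_esc_sql_order() is redundant and silently changes the fallback: bp_esc_sql_order() already returns 'DESC' for 'DESC' and 'ASC' for anything else, so an unrecognised value now becomes 'ASC' where the removed code defaulted to 'DESC'. If 'DESC' is still meant to be the default for invalid input, keep that explicit; otherwise collapse the block to `$sort = bp_esc_sql_order( $r['sort'] );`. The new comment `// Sanitize 'order'.` names the wrong key and should read `// Sanitize 'sort'.`. The same DESC-to-ASC fallback change applies to class-bp-friends-friendship.php, class-bp-members-invitations-template.php, class-bp-notifications-template.php and class-bp-notifications-notification.php, where invalid values previously fell back to the DESC default or were ignored. The enclosing method starts and ends outside the hunk.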
trunk/src/bp-blogs/bp-blogs-functions.php
r13140 r13147 92 92 * @param array $args { 93 93 * Array of arguments. 94 * @type int $offset The offset to use.95 * @type int $limit The number of blogs to record at one time.96 * @type array $blog_ids Blog IDs to record. If empty, all blogs will be recorded.97 * @type array $site_id The network site ID to use.94 * @type int $offset The offset to use. 95 * @type int $limit The number of blogs to record at one time. 96 * @type array $blog_ids Blog IDs to record. If empty, all blogs will be recorded. 97 * @type array $site_id The network site ID to use. 98 98 * } 99 *100 99 * @return bool 101 100 */ -
trunk/src/bp-blogs/bp-blogs-template.php
r13108 r13147 98 98 /** 99 99 * Rewind the blogs and reset blog index. 100 * 101 * @global BP_Blogs_Template $blogs_template {@link BP_Blogs_Template} 100 102 */ 101 103 function bp_rewind_blogs() { … … 112 114 * display a list of activity items. 113 115 * 114 * @global object$blogs_template {@link BP_Blogs_Template}116 * @global BP_Blogs_Template $blogs_template {@link BP_Blogs_Template} 115 117 * 116 118 * @param array|string $args { … … 134 136 * 'active', 'alphabetical', 'newest', or 'random'. 135 137 * @type array $include_blog_ids Array of blog IDs to limit results to. 136 * @type string $sort 'ASC' or 'DESC'. Default: 'DESC'.137 138 * @type string $search_terms Limit results by a search term. Default: the value of `$_REQUEST['s']` or 138 139 * `$_REQUEST['sites_search']`, if present. -
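Review bot: Dropping the `@type string $sort` entry from the bp_has_blogs() docblock presumably reflects that the argument is no longer honoured, but the function body is outside the hunk, so it is not visible here whether `$sort` is still parsed or passed through to the query. If it is still accepted, the docblock is now incomplete; if it was removed, a `@since` note recording the dropped argument would help callers who still pass it. The enclosing function starts and ends outside the hunk.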
trunk/src/bp-core/bp-core-functions.php
r13140 r13147 93 93 * @since 1.2.6 94 94 * 95 * @global object$wpdb WordPress database object.95 * @global wpdb $wpdb WordPress database object. 96 96 * 97 97 * @return string Filtered database prefix. … … 384 384 * @since 2.1.0 385 385 * 386 * @global wpdb $wpdb WordPress database object. 386 387 * @see wpdb::esc_like() for more details on proper use. 387 388 * … … 395 396 if ( method_exists( $wpdb, 'esc_like' ) ) { 396 397 return $wpdb->esc_like( $text ); 397 } else {398 return addcslashes( $text, '_%\\' ); 399 }398 } 399 400 return addcslashes( $text, '_%\\' ); 400 401 } 401 402 -
trunk/src/bp-friends/classes/class-bp-friends-friendship.php
r13108 r13147 258 258 * @type int $is_limited Whether the friendship is limited. 259 259 * @type string $order_by Column name to order by. 260 * @type string $sort_order ASC or DESC. Default DESC.260 * @type string $sort_order Optional. ASC or DESC. Default: 'DESC'. 261 261 * } 262 262 * @param string $operator Optional. Operator to use in `wp_list_filter()`. … … 370 370 371 371 // Adjust the sort direction of the results. 372 if ( 'ASC' === strtoupper( $r['sort_order'] ) ) {372 if ( 'ASC' === bp_esc_sql_order( $r['sort_order'] ) ) { 373 373 // `true` to preserve keys. 374 374 $friendships = array_reverse( $friendships, true ); -
trunk/src/bp-groups/classes/class-bp-groups-list-table.php
r13103 r13147 97 97 $order = 'DESC'; 98 98 if ( ! empty( $_REQUEST['order'] ) ) { 99 $order = ( 'desc' == strtolower( $_REQUEST['order'] ) ) ? 'DESC' : 'ASC';99 $order = bp_esc_sql_order( $_REQUEST['order'] ); 100 100 } 101 101 -
trunk/src/bp-members/classes/class-bp-members-invitations-template.php
r13108 r13147 185 185 186 186 // Sort order direction. 187 $orders = array( 'ASC', 'DESC' ); 188 if ( ! empty( $_GET['sort_order'] ) && in_array( $_GET['sort_order'], $orders ) ) { 187 if ( ! empty( $_GET['sort_order'] ) ) { 189 188 $r['sort_order'] = $_GET['sort_order']; 190 } else {191 $r['sort_order'] = in_array( $r['sort_order'], $orders ) ? $r['sort_order'] : 'DESC';192 189 } 193 190 … … 196 193 $this->pag_page = bp_sanitize_pagination_arg( $this->pag_arg, $r['page'] ); 197 194 $this->pag_num = bp_sanitize_pagination_arg( 'num', $r['per_page'] ); 195 $this->sort_order = bp_esc_sql_order( $r['sort_order'] ); 198 196 $this->user_id = $r['user_id']; 199 197 $this->search_terms = $r['search_terms']; 200 198 $this->order_by = $r['order_by']; 201 $this->sort_order = $r['sort_order'];202 199 $this->query_vars = array( 203 200 'id' => $r['id'], … … 253 250 */ 254 251 public function has_invitations() { 255 if ( $this->current_invitation_count ) { 256 return true; 257 } 258 259 return false; 252 return ! empty( $this->current_invitation_count ); 260 253 } 261 254 -
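Review bot: Only `$this->sort_order` receives the sanitized value; `$r['sort_order']` still holds the raw `$_GET['sort_order']` string after the simplified check, and `$r` continues to be used below (the `$this->query_vars` array starts at the end of the hunk and its remaining entries are not visible). If `query_vars` or any later query reads `$r['sort_order']` rather than `$this->sort_order`, the unvalidated input still flows through, so sanitize in place first: `$r['sort_order'] = bp_esc_sql_order( $r['sort_order'] );` followed by `$this->sort_order = $r['sort_order'];`. The identical pattern is in class-bp-notifications-template.php in this changeset. The enclosing constructor starts and ends outside the hunk.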
trunk/src/bp-messages/bp-messages-template.php
r13108 r13147 1635 1635 * @param array|string $args { 1636 1636 * Array of arguments. All are optional. 1637 * @type int $thread_id ID of the thread whose messages you are displaying.1637 * @type int $thread_id Optional. ID of the thread whose messages you are displaying. 1638 1638 * Default: if viewing a thread, the thread ID will be parsed from 1639 1639 * the URL (bp_action_variable( 0 )). 1640 * @type string $order 'ASC' or 'DESC'. Default: 'ASC'.1641 * @type bool $update_meta_cache Whether to pre-fetch metadata for1640 * @type string $order Optional. 'ASC' or 'DESC'. Default: 'ASC'. 1641 * @type bool $update_meta_cache Optional. Whether to pre-fetch metadata for 1642 1642 * queried message items. Default: true. 1643 1643 * @type int|null $page Page of messages being requested. Default to null, meaning all. -
trunk/src/bp-messages/classes/class-bp-messages-thread-template.php
r13096 r13147 85 85 * 86 86 * @param int $thread_id ID of the message thread to display. 87 * @param string $order Order to show the thread's messages in. 87 * @param string $order Optional. Order to show the thread's messages in. 88 * Default: 'ASC'. 88 89 * @param array $args Array of arguments for the query. 89 90 */ -
trunk/src/bp-messages/classes/class-bp-messages-thread.php
r13112 r13147 122 122 * @type int|null $page Page of messages being requested. Default to null, meaning all. 123 123 * @type int|null $per_page Messages to return per page. Default to null, meaning all. 124 * @type string $order The order to sort the messages. Either 'ASC' or 'DESC'.124 * @type string $order Optional. The order to sort the messages. Either 'ASC' or 'DESC'. 125 125 * Defaults to 'ASC'. 126 126 * @type int|null $recipients_page Page of recipients being requested. Default to null, meaning all. … … 161 161 public function populate( $thread_id = 0, $order = 'ASC', $args = array() ) { 162 162 163 if ( ! in_array( strtoupper( $order ), array( 'ASC', 'DESC' ), true ) ) {164 $order = 'ASC';165 }166 167 163 $user_id = 168 164 bp_displayed_user_id() ? … … 178 174 'page' => null, 179 175 'per_page' => null, 180 'order' => $order,176 'order' => bp_esc_sql_order( $order ), 181 177 'recipients_page' => null, 182 178 'recipients_per_page' => null, … … 184 180 ); 185 181 186 $this->messages_order = $ order;182 $this->messages_order = $r['order']; 187 183 $this->thread_id = (int) $thread_id; 188 184 … … 374 370 ); 375 371 376 // Fallback. 377 if ( ! in_array( strtoupper( $r['order'] ), array( 'ASC', 'DESC' ), true ) ) { 378 $r['order'] = 'ASC'; 379 } 372 // Sanitize 'order'. 373 $r['order'] = bp_esc_sql_order( $r['order'] ); 380 374 381 375 // Get messages from cache if available. … … 404 398 405 399 // Flip if order is DESC. 406 if ( 'DESC' === strtoupper( $r['order'] )) {400 if ( 'DESC' === $r['order'] ) { 407 401 $messages = array_reverse( $messages ); 408 402 } -
trunk/src/bp-notifications/bp-notifications-template.php
r13108 r13147 998 998 999 999 // Check for a custom sort_order. 1000 if ( ! empty( $_REQUEST['sort_order'] ) ) {1001 if ( in_array( $_REQUEST['sort_order'], $orders ) ) {1000 if ( ! empty( $_REQUEST['sort_order'] ) ) { 1001 if ( in_array( $_REQUEST['sort_order'], $orders, true ) ) { 1002 1002 $selected = $_REQUEST['sort_order']; 1003 1003 } -
trunk/src/bp-notifications/classes/class-bp-notifications-notification.php
r13112 r13147 447 447 448 448 // Sort order direction. 449 if ( ! empty( $args['sort_order'] ) && in_array( $args['sort_order'], array( 'ASC', 'DESC' ), true )) {450 $sort_order = $args['sort_order'];449 if ( ! empty( $args['sort_order'] ) ) { 450 $sort_order = bp_esc_sql_order( $args['sort_order'] ); 451 451 $conditions['sort_order'] = "{$sort_order}"; 452 452 } -
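Review bot: The interpolation `$conditions['sort_order'] = "{$sort_order}";` is a no-op now that bp_esc_sql_order() already returns a plain string, and can be `$conditions['sort_order'] = $sort_order;`. Note that the removed in_array() check meant an invalid `sort_order` was simply not added to `$conditions`; with the new code any non-empty value is added as 'ASC', which is a behaviour change worth a comment such as `// Any value other than 'DESC' is treated as 'ASC'.`. The enclosing method starts and ends outside the hunk.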
trunk/src/bp-notifications/classes/class-bp-notifications-template.php
r13108 r13147 176 176 177 177 // Sort order direction. 178 $orders = array( 'ASC', 'DESC' ); 179 if ( ! empty( $_GET['sort_order'] ) && in_array( $_GET['sort_order'], $orders, true ) ) { 178 if ( ! empty( $_GET['sort_order'] ) ) { 180 179 $r['sort_order'] = $_GET['sort_order']; 181 } else {182 $r['sort_order'] = in_array( $r['sort_order'], $orders ) ? $r['sort_order'] : 'DESC';183 180 } 184 181 … … 187 184 $this->pag_page = bp_sanitize_pagination_arg( $this->pag_arg, $r['page'] ); 188 185 $this->pag_num = bp_sanitize_pagination_arg( 'num', $r['per_page'] ); 186 $this->sort_order = bp_esc_sql_order( $r['sort_order'] ); 189 187 $this->user_id = $r['user_id']; 190 188 $this->is_new = $r['is_new']; 191 189 $this->search_terms = $r['search_terms']; 192 190 $this->order_by = $r['order_by']; 193 $this->sort_order = $r['sort_order'];194 191 $this->query_vars = array( 195 192 'id' => $r['id'], -
trunk/src/bp-xprofile/classes/class-bp-xprofile-field.php
r13110 r13147 562 562 * @since 1.2.0 563 563 * 564 * @global object $wpdb 565 * 566 * @param bool $for_editing Whether or not the field is for editing. 564 * @global BuddyPress $bp The one true BuddyPress instance. 565 * @global wpdb $wpdb WordPress database object. 566 * 567 * @param bool $for_editing Whether or not the field is for editing. Default to false. 567 568 * @return array 568 569 */ … … 570 571 global $wpdb; 571 572 573 // Sanitize 'order_by'. 574 $order_by = bp_esc_sql_order( $this->order_by ); 575 572 576 // This is done here so we don't have problems with sql injection. 573 if ( empty( $for_editing ) && ( 'asc' === $this->order_by ) ) { 574 $sort_sql = 'ORDER BY name ASC'; 575 } elseif ( empty( $for_editing ) && ( 'desc' === $this->order_by ) ) { 576 $sort_sql = 'ORDER BY name DESC'; 577 if ( empty( $for_editing ) ) { 578 $sort_sql = "ORDER BY name {$order_by}"; 577 579 } else { 578 580 $sort_sql = 'ORDER BY option_order ASC'; … … 587 589 } 588 590 589 $bp = buddypress(); 590 $sql = $wpdb->prepare( "SELECT * FROM {$bp->profile->table_name_fields} WHERE parent_id = %d AND group_id = %d {$sort_sql}", $parent_id, $this->group_id ); 591 591 $bp = buddypress(); 592 $sql = $wpdb->prepare( "SELECT * FROM {$bp->profile->table_name_fields} WHERE parent_id = %d AND group_id = %d {$sort_sql}", $parent_id, $this->group_id ); 592 593 $children = $wpdb->get_results( $sql ); 593 594 … … 598 599 * @since 3.0.0 Added the `$this` parameter. 599 600 * 600 * @param object$children Found children for a field.601 * @param array $children Found children for a field. 601 602 * @param bool $for_editing Whether or not the field is for editing. 602 603 * @param BP_XProfile_Field $this Field object -
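Review bot: Replacing the `'asc' === $this->order_by` / `'desc' === $this->order_by` branches with `"ORDER BY name {$order_by}"` widens the non-editing path: previously any other `order_by` value (for example the values BuddyPress uses to mean field-defined or custom ordering, if those are still in use) fell through to `ORDER BY option_order ASC`, whereas bp_esc_sql_order() now maps every non-'DESC' value to 'ASC' and sorts those fields by name. If that is not intended, restrict the branch to the two explicit values, e.g. `if ( empty( $for_editing ) && in_array( strtolower( $this->order_by ), array( 'asc', 'desc' ), true ) ) {`, and keep the `$order_by` sanitization for the SQL fragment. The pre-existing comment `// This is done here so we don't have problems with sql injection.` now sits after the sanitization and would read better merged with `// Sanitize 'order_by'.`. The enclosing method starts and ends outside the hunk.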
trunk/tests/phpunit/testcases/messages/class.bp-messages-thread.php
r13102 r13147 141 141 ); 142 142 143 // Testing sort with lowercase and space. 144 $thread = new BP_Messages_Thread( $message_1->thread_id, ' desc' ); 145 $this->assertEquals( 146 array( $message_2->id, $message_1->id ), 147 wp_list_pluck( $thread->messages, 'id' ) 148 ); 149 143 150 // Now sorting via the helper method. 144 151 $messages = BP_Messages_Thread::get_messages( $message_1->thread_id, array( 'order' => 'desc' ) );
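Review bot: The new assertion only covers the ` desc` (lowercase with leading space) case; the changeset also changes what happens for values that are neither 'ASC' nor 'DESC' (populate() previously fell back to 'ASC' via in_array(), now via bp_esc_sql_order()), and no test pins that fallback. Add a sibling case constructing the thread with an unrecognised order string and asserting the ascending `array( $message_1->id, $message_2->id )` result, so the fallback direction is locked in. The enclosing test method starts before and continues past the hunk.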