

Changeset 13147


Timestamp:
11/13/2021 06:40:37 PM (3 years ago)
Author:
espellcaste
Message:

Sanitize all ORDER BY (ASC/DESC) values using the bp_esc_sql_order helper function where possible.

BuddyPress is not consistent on how it escapes ORDER BY (ASC/DESC) values provided by the developers/users. This commit improves that by using the bp_esc_sql_order helper function where possible.

Props imath

Fixes #8576

Location:
trunk
Files:
15 edited

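--- a/trunk/src/bp-activity/classes/class-bp-activity-activity.php
+++ b/trunk/src/bp-activity/classes/class-bp-activity-activity.php
@@ -512,8 +512,8 @@
         }
 
-        // Sorting.
+        // Sanitize 'order'.
         $sort = $r['sort'];
-        if ( $sort != 'ASC' && $sort != 'DESC' ) {
-            $sort = 'DESC';
+        if ( 'DESC' !== $sort ) {
+            $sort = bp_esc_sql_order( $sort );
         }
 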
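Review bot: The guard `if ( 'DESC' !== $sort )` skips the helper only for the literal 'DESC'; every other value, including 'desc' or garbage, goes through bp_esc_sql_order(), whose body is not part of this changeset. If that helper falls back to 'ASC' for an unrecognised value (the test hunk at the end only shows that '    desc' becomes DESC), this hunk silently changes the activity query's fallback from the previous hard-coded 'DESC' to 'ASC'. If DESC is meant to stay the default, make that explicit: `$sort = in_array( strtoupper( trim( (string) $sort ) ), array( 'ASC', 'DESC' ), true ) ? bp_esc_sql_order( $sort ) : 'DESC';`, otherwise document the new behaviour in the comment, `// Sanitize 'order'; unrecognised values take the helper's default.`. The enclosing method starts and ends outside the hunk.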
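--- a/trunk/src/bp-blogs/bp-blogs-functions.php
+++ b/trunk/src/bp-blogs/bp-blogs-functions.php
@@ -92,10 +92,9 @@
  * @param array $args {
  *     Array of arguments.
- *     @type int   $offset   The offset to use.
- *     @type int   $limit    The number of blogs to record at one time.
- *     @type array $blog_ids Blog IDs to record. If empty, all blogs will be recorded.
- *     @type array $site_id  The network site ID to use.
+ *     @type int    $offset   The offset to use.
+ *     @type int    $limit    The number of blogs to record at one time.
+ *     @type array  $blog_ids Blog IDs to record. If empty, all blogs will be recorded.
+ *     @type array  $site_id  The network site ID to use.
  * }
- *
  * @return bool
  */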
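--- a/trunk/src/bp-blogs/bp-blogs-template.php
+++ b/trunk/src/bp-blogs/bp-blogs-template.php
@@ -98,4 +98,6 @@
 /**
  * Rewind the blogs and reset blog index.
+ *
+ * @global BP_Blogs_Template $blogs_template {@link BP_Blogs_Template}
  */
 function bp_rewind_blogs() {
@@ -112,5 +114,5 @@
  * display a list of activity items.
  *
- * @global object $blogs_template {@link BP_Blogs_Template}
+ * @global BP_Blogs_Template $blogs_template {@link BP_Blogs_Template}
  *
  * @param array|string $args {
@@ -134,5 +136,4 @@
  *                                      'active', 'alphabetical', 'newest', or 'random'.
  *     @type array    $include_blog_ids Array of blog IDs to limit results to.
- *     @type string   $sort             'ASC' or 'DESC'. Default: 'DESC'.
  *     @type string   $search_terms     Limit results by a search term. Default: the value of `$_REQUEST['s']` or
  *                                      `$_REQUEST['sites_search']`, if present.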
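--- a/trunk/src/bp-core/bp-core-functions.php
+++ b/trunk/src/bp-core/bp-core-functions.php
@@ -93,5 +93,5 @@
  * @since 1.2.6
  *
- * @global object $wpdb WordPress database object.
+ * @global wpdb $wpdb WordPress database object.
  *
  * @return string Filtered database prefix.
@@ -384,4 +384,5 @@
  * @since 2.1.0
  *
+ * @global wpdb $wpdb WordPress database object.
  * @see wpdb::esc_like() for more details on proper use.
  *
@@ -395,7 +396,7 @@
     if ( method_exists( $wpdb, 'esc_like' ) ) {
         return $wpdb->esc_like( $text );
-    } else {
-        return addcslashes( $text, '_%\\' );
-    }
+    }
+
+    return addcslashes( $text, '_%\\' );
 }
 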
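--- a/trunk/src/bp-friends/classes/class-bp-friends-friendship.php
+++ b/trunk/src/bp-friends/classes/class-bp-friends-friendship.php
@@ -258,5 +258,5 @@
      *        @type int    $is_limited        Whether the friendship is limited.
      *        @type string $order_by          Column name to order by.
-     *        @type string $sort_order        ASC or DESC. Default DESC.
+     *        @type string $sort_order        Optional. ASC or DESC. Default: 'DESC'.
      * }
      * @param string $operator Optional. Operator to use in `wp_list_filter()`.
@@ -370,5 +370,5 @@
 
         // Adjust the sort direction of the results.
-        if ( 'ASC' === strtoupper( $r['sort_order'] ) ) {
+        if ( 'ASC' === bp_esc_sql_order( $r['sort_order'] ) ) {
             // `true` to preserve keys.
             $friendships = array_reverse( $friendships, true );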
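Review bot: The comparison `'ASC' === bp_esc_sql_order( $r['sort_order'] )` reverses the list for every value the helper maps to ASC, whereas the old `strtoupper()` check reversed only when the caller actually passed 'ASC'. If the helper (not shown in this changeset) treats unrecognised input as ASC, an invalid `sort_order` now produces ASC, contradicting the 'DESC' default the docblock hunk above has just restated. If DESC is meant to remain the fallback, keep the strict check on the normalised input, `if ( 'ASC' === strtoupper( trim( (string) $r['sort_order'] ) ) ) {`; otherwise the docblock should say that unrecognised values fall back to ASC. The enclosing method starts and ends outside the hunk.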
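--- a/trunk/src/bp-groups/classes/class-bp-groups-list-table.php
+++ b/trunk/src/bp-groups/classes/class-bp-groups-list-table.php
@@ -97,5 +97,5 @@
         $order = 'DESC';
         if ( ! empty( $_REQUEST['order'] ) ) {
-            $order = ( 'desc' == strtolower( $_REQUEST['order'] ) ) ? 'DESC' : 'ASC';
+            $order = bp_esc_sql_order( $_REQUEST['order'] );
         }
 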
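Review bot: `$_REQUEST['order']` is handed to bp_esc_sql_order() without checking that it is a string; a request such as `?order[]=x` passes `! empty()` and, if the helper runs trim()/strtoupper() on it as the test hunk suggests, raises a TypeError on PHP 8 instead of falling back to 'DESC'. The old strtolower() call had the same weakness, so this is not a regression, but since the line is being rewritten the guard is cheap: `if ( ! empty( $_REQUEST['order'] ) && is_string( $_REQUEST['order'] ) ) {`. The enclosing method starts and ends outside the hunk.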
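--- a/trunk/src/bp-members/classes/class-bp-members-invitations-template.php
+++ b/trunk/src/bp-members/classes/class-bp-members-invitations-template.php
@@ -185,9 +185,6 @@
 
         // Sort order direction.
-        $orders = array( 'ASC', 'DESC' );
-        if ( ! empty( $_GET['sort_order'] ) && in_array( $_GET['sort_order'], $orders ) ) {
+        if ( ! empty( $_GET['sort_order'] ) ) {
             $r['sort_order'] = $_GET['sort_order'];
-        } else {
-            $r['sort_order'] = in_array( $r['sort_order'], $orders ) ? $r['sort_order'] : 'DESC';
         }
 
@@ -196,8 +193,8 @@
         $this->pag_page     = bp_sanitize_pagination_arg( $this->pag_arg, $r['page'] );
         $this->pag_num      = bp_sanitize_pagination_arg( 'num', $r['per_page'] );
+        $this->sort_order   = bp_esc_sql_order( $r['sort_order'] );
         $this->user_id      = $r['user_id'];
         $this->search_terms = $r['search_terms'];
         $this->order_by     = $r['order_by'];
-        $this->sort_order   = $r['sort_order'];
         $this->query_vars   = array(
             'id'            => $r['id'],
@@ -253,9 +250,5 @@
      */
     public function has_invitations() {
-        if ( $this->current_invitation_count ) {
-            return true;
-        }
-
-        return false;
+        return ! empty( $this->current_invitation_count );
     }
 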
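Review bot: The whitelist that used to validate `$r['sort_order']` (the removed in_array() checks) is only replaced on `$this->sort_order`; `$r['sort_order']` itself now holds the raw `$_GET['sort_order']` value, and `$this->query_vars` is built from `$r` immediately afterwards (that array continues past the hunk). If it carries `sort_order` into the invitation query class, which this changeset does not touch, the unescaped request value reaches it. Sanitize `$r` in place before anything reads it, `$r['sort_order'] = bp_esc_sql_order( $r['sort_order'] );` followed by `$this->sort_order = $r['sort_order'];`, and guard the superglobal with `is_string()`, since an array value now passes `! empty()` where in_array() used to reject it. The enclosing constructor starts outside the hunk.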
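--- a/trunk/src/bp-messages/bp-messages-template.php
+++ b/trunk/src/bp-messages/bp-messages-template.php
@@ -1635,9 +1635,9 @@
  * @param array|string $args {
  *     Array of arguments. All are optional.
- *     @type int      $thread_id         ID of the thread whose messages you are displaying.
+ *     @type int      $thread_id         Optional. ID of the thread whose messages you are displaying.
  *                                       Default: if viewing a thread, the thread ID will be parsed from
  *                                       the URL (bp_action_variable( 0 )).
- *     @type string   $order             'ASC' or 'DESC'. Default: 'ASC'.
- *     @type bool     $update_meta_cache Whether to pre-fetch metadata for
+ *     @type string   $order             Optional. 'ASC' or 'DESC'. Default: 'ASC'.
+ *     @type bool     $update_meta_cache Optional. Whether to pre-fetch metadata for
  *                                       queried message items. Default: true.
  *     @type int|null $page              Page of messages being requested. Default to null, meaning all.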
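--- a/trunk/src/bp-messages/classes/class-bp-messages-thread-template.php
+++ b/trunk/src/bp-messages/classes/class-bp-messages-thread-template.php
@@ -85,5 +85,6 @@
      *
      * @param int    $thread_id ID of the message thread to display.
-     * @param string $order     Order to show the thread's messages in.
+     * @param string $order     Optional. Order to show the thread's messages in.
+     *                          Default: 'ASC'.
      * @param array  $args      Array of arguments for the query.
      */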
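--- a/trunk/src/bp-messages/classes/class-bp-messages-thread.php
+++ b/trunk/src/bp-messages/classes/class-bp-messages-thread.php
@@ -122,5 +122,5 @@
      *     @type int|null    $page                Page of messages being requested. Default to null, meaning all.
      *     @type int|null    $per_page            Messages to return per page. Default to null, meaning all.
-     *     @type string      $order               The order to sort the messages. Either 'ASC' or 'DESC'.
+     *     @type string      $order               Optional. The order to sort the messages. Either 'ASC' or 'DESC'.
      *                                            Defaults to 'ASC'.
      *     @type int|null    $recipients_page     Page of recipients being requested. Default to null, meaning all.
@@ -161,8 +161,4 @@
     public function populate( $thread_id = 0, $order = 'ASC', $args = array() ) {
 
-        if ( ! in_array( strtoupper( $order ), array( 'ASC', 'DESC' ), true ) ) {
-            $order = 'ASC';
-        }
-
         $user_id =
             bp_displayed_user_id() ?
@@ -178,5 +174,5 @@
                 'page'                => null,
                 'per_page'            => null,
-                'order'               => $order,
+                'order'               => bp_esc_sql_order( $order ),
                 'recipients_page'     => null,
                 'recipients_per_page' => null,
@@ -184,5 +180,5 @@
         );
 
-        $this->messages_order = $order;
+        $this->messages_order = $r['order'];
         $this->thread_id      = (int) $thread_id;
 
@@ -374,8 +370,6 @@
         );
 
-        // Fallback.
-        if ( ! in_array( strtoupper( $r['order'] ), array( 'ASC', 'DESC' ), true ) ) {
-            $r['order'] = 'ASC';
-        }
+        // Sanitize 'order'.
+        $r['order'] = bp_esc_sql_order( $r['order'] );
 
         // Get messages from cache if available.
@@ -404,5 +398,5 @@
 
         // Flip if order is DESC.
-        if ( 'DESC' === strtoupper( $r['order'] ) ) {
+        if ( 'DESC' === $r['order'] ) {
             $messages = array_reverse( $messages );
         }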
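Review bot: In populate(), bp_esc_sql_order() is applied to the default `'order'` entry only; the merge with `$args` (the parse-args call opens above the hunk and closes at `);`) lets an `$args['order']` key override that default with its raw value, and that raw value is what `$this->messages_order = $r['order']` now stores. get_messages() re-sanitizes `$r['order']` before the query in the later hunk, so the SQL is covered, but the public property is not and the old in_array() check on the parameter no longer protects it either. Sanitize after the merge instead: `$this->messages_order = bp_esc_sql_order( $r['order'] );`, or escape `$r['order']` in place right after the merge so both the property and the downstream call see the same value.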
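--- a/trunk/src/bp-notifications/bp-notifications-template.php
+++ b/trunk/src/bp-notifications/bp-notifications-template.php
@@ -998,6 +998,6 @@
 
     // Check for a custom sort_order.
-    if ( !empty( $_REQUEST['sort_order'] ) ) {
-        if ( in_array( $_REQUEST['sort_order'], $orders ) ) {
+    if ( ! empty( $_REQUEST['sort_order'] ) ) {
+        if ( in_array( $_REQUEST['sort_order'], $orders, true ) ) {
             $selected = $_REQUEST['sort_order'];
         }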
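--- a/trunk/src/bp-notifications/classes/class-bp-notifications-notification.php
+++ b/trunk/src/bp-notifications/classes/class-bp-notifications-notification.php
@@ -447,6 +447,6 @@
 
         // Sort order direction.
-        if ( ! empty( $args['sort_order'] ) && in_array( $args['sort_order'], array( 'ASC', 'DESC' ), true ) ) {
-            $sort_order               = $args['sort_order'];
+        if ( ! empty( $args['sort_order'] ) ) {
+            $sort_order               = bp_esc_sql_order( $args['sort_order'] );
             $conditions['sort_order'] = "{$sort_order}";
         }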
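Review bot: Dropping the in_array() whitelist means a non-string `sort_order` (for example `?sort_order[]=x` passed through by the template classes in this changeset, which now forward the raw `$_GET` value) reaches bp_esc_sql_order(); in_array() used to reject it silently, so if the helper calls trim()/strtoupper() this becomes a PHP 8 TypeError. Keep a type guard: `if ( ! empty( $args['sort_order'] ) && is_string( $args['sort_order'] ) ) {`. The enclosing method starts and ends outside the hunk.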
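--- a/trunk/src/bp-notifications/classes/class-bp-notifications-template.php
+++ b/trunk/src/bp-notifications/classes/class-bp-notifications-template.php
@@ -176,9 +176,6 @@
 
         // Sort order direction.
-        $orders = array( 'ASC', 'DESC' );
-        if ( ! empty( $_GET['sort_order'] ) && in_array( $_GET['sort_order'], $orders, true ) ) {
+        if ( ! empty( $_GET['sort_order'] ) ) {
             $r['sort_order'] = $_GET['sort_order'];
-        } else {
-            $r['sort_order'] = in_array( $r['sort_order'], $orders ) ? $r['sort_order'] : 'DESC';
         }
 
@@ -187,9 +184,9 @@
         $this->pag_page     = bp_sanitize_pagination_arg( $this->pag_arg, $r['page'] );
         $this->pag_num      = bp_sanitize_pagination_arg( 'num', $r['per_page'] );
+        $this->sort_order   = bp_esc_sql_order( $r['sort_order'] );
         $this->user_id      = $r['user_id'];
         $this->is_new       = $r['is_new'];
         $this->search_terms = $r['search_terms'];
         $this->order_by     = $r['order_by'];
-        $this->sort_order   = $r['sort_order'];
         $this->query_vars   = array(
             'id'                => $r['id'],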
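Review bot: `$r['sort_order']` keeps the raw `$_GET['sort_order']` value while only `$this->sort_order` is escaped, and `$this->query_vars` (continuing past the hunk) is built from `$r`. The BP_Notifications_Notification hunk in this changeset escapes `sort_order` again on its side, so the query is protected, but the object now exposes two different values for the same option and relies on the downstream class for the one it forwards. Sanitize `$r` once, `$r['sort_order'] = bp_esc_sql_order( $r['sort_order'] );`, assign `$this->sort_order = $r['sort_order'];`, and add an `is_string()` check on the superglobal, since an array value now passes `! empty()` where the removed in_array() rejected it. The enclosing constructor starts outside the hunk.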
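--- a/trunk/src/bp-xprofile/classes/class-bp-xprofile-field.php
+++ b/trunk/src/bp-xprofile/classes/class-bp-xprofile-field.php
@@ -562,7 +562,8 @@
      * @since 1.2.0
      *
-     * @global object $wpdb
-     *
-     * @param bool $for_editing Whether or not the field is for editing.
+     * @global BuddyPress $bp The one true BuddyPress instance.
+     * @global wpdb $wpdb WordPress database object.
+     *
+     * @param bool $for_editing Whether or not the field is for editing. Default to false.
      * @return array
      */
@@ -570,9 +571,10 @@
         global $wpdb;
 
+        // Sanitize 'order_by'.
+        $order_by = bp_esc_sql_order( $this->order_by );
+
         // This is done here so we don't have problems with sql injection.
-        if ( empty( $for_editing ) && ( 'asc' === $this->order_by ) ) {
-            $sort_sql = 'ORDER BY name ASC';
-        } elseif ( empty( $for_editing ) && ( 'desc' === $this->order_by ) ) {
-            $sort_sql = 'ORDER BY name DESC';
+        if ( empty( $for_editing ) ) {
+            $sort_sql = "ORDER BY name {$order_by}";
         } else {
             $sort_sql = 'ORDER BY option_order ASC';
@@ -587,7 +589,6 @@
         }
 
-        $bp  = buddypress();
-        $sql = $wpdb->prepare( "SELECT * FROM {$bp->profile->table_name_fields} WHERE parent_id = %d AND group_id = %d {$sort_sql}", $parent_id, $this->group_id );
-
+        $bp       = buddypress();
+        $sql      = $wpdb->prepare( "SELECT * FROM {$bp->profile->table_name_fields} WHERE parent_id = %d AND group_id = %d {$sort_sql}", $parent_id, $this->group_id );
         $children = $wpdb->get_results( $sql );
 
@@ -598,5 +599,5 @@
          * @since 3.0.0 Added the `$this` parameter.
          *
-         * @param object            $children    Found children for a field.
+         * @param array             $children    Found children for a field.
          * @param bool              $for_editing Whether or not the field is for editing.
          * @param BP_XProfile_Field $this        Field object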
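Review bot: The rewritten condition `if ( empty( $for_editing ) )` changes which branch a field without an explicit direction takes: before, a non-editing call whose `$this->order_by` was neither 'asc' nor 'desc' (empty, custom order) fell through to `ORDER BY option_order ASC`; now every non-editing call orders by `name` in whatever direction bp_esc_sql_order() maps that value to, so options with a custom order would be displayed sorted by name. The escaping itself is fine; keep the name-ordering branch only for explicit directions, `if ( empty( $for_editing ) && in_array( strtolower( (string) $this->order_by ), array( 'asc', 'desc' ), true ) ) {`, and leave the `else` as the fallback. The enclosing method starts and ends outside the hunk.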
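--- a/trunk/tests/phpunit/testcases/messages/class.bp-messages-thread.php
+++ b/trunk/tests/phpunit/testcases/messages/class.bp-messages-thread.php
@@ -141,4 +141,11 @@
         );
 
+        // Testing sort with lowercase and space.
+        $thread = new BP_Messages_Thread( $message_1->thread_id, '    desc' );
+        $this->assertEquals(
+            array( $message_2->id, $message_1->id ),
+            wp_list_pluck( $thread->messages, 'id' )
+        );
+
         // Now sorting via the helper method.
         $messages = BP_Messages_Thread::get_messages( $message_1->thread_id, array( 'order' => 'desc' ) );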
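Review bot: The new case only shows that `'    desc'` is normalised to DESC; nothing here pins what happens for an unrecognised value, which is exactly the fallback several hunks in this changeset now depend on (activity, friends and xprofile all replaced an explicit default with the helper's). Add a sibling case such as `$thread = new BP_Messages_Thread( $message_1->thread_id, 'sideways' );` with an assertion on the resulting order, so a later change to the helper's default is caught by the suite. The enclosing test method starts and ends outside the hunk.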