Timestamp:
11/13/2021 06:40:37 PM (3 years ago)
Author:
espellcaste
Message:

Sanitize all ORDER BY (ASC/DESC) values using the bp_esc_sql_order helper function where possible.

BuddyPress is not consistent in how it escapes ORDER BY (ASC/DESC) values provided by developers or users. This commit improves that by using the bp_esc_sql_order helper function where possible.

Props imath

Fixes #8576

File:
1 edited

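--- a/trunk/src/bp-messages/classes/class-bp-messages-thread.php
+++ b/trunk/src/bp-messages/classes/class-bp-messages-thread.php
@@ -122,6 +122,6 @@
      *     @type int|null    $page                Page of messages being requested. Default to null, meaning all.
      *     @type int|null    $per_page            Messages to return per page. Default to null, meaning all.
-     *     @type string      $order               The order to sort the messages. Either 'ASC' or 'DESC'.
+     *     @type string      $order               Optional. The order to sort the messages. Either 'ASC' or 'DESC'.
      *                                            Defaults to 'ASC'.
      *     @type int|null    $recipients_page     Page of recipients being requested. Default to null, meaning all.
@@ -161,8 +161,4 @@
     public function populate( $thread_id = 0, $order = 'ASC', $args = array() ) {
 
-        if ( ! in_array( strtoupper( $order ), array( 'ASC', 'DESC' ), true ) ) {
-            $order = 'ASC';
-        }
-
         $user_id =
             bp_displayed_user_id() ?
@@ -178,5 +174,5 @@
                 'page'                => null,
                 'per_page'            => null,
-                'order'               => $order,
+                'order'               => bp_esc_sql_order( $order ),
                 'recipients_page'     => null,
                 'recipients_per_page' => null,
@@ -184,5 +180,5 @@
         );
 
-        $this->messages_order = $order;
+        $this->messages_order = $r['order'];
         $this->thread_id      = (int) $thread_id;
 
@@ -374,8 +370,6 @@
         );
 
-        // Fallback.
-        if ( ! in_array( strtoupper( $r['order'] ), array( 'ASC', 'DESC' ), true ) ) {
-            $r['order'] = 'ASC';
-        }
+        // Sanitize 'order'.
+        $r['order'] = bp_esc_sql_order( $r['order'] );
 
         // Get messages from cache if available.
@@ -404,5 +398,5 @@
 
         // Flip if order is DESC.
-        if ( 'DESC' === strtoupper( $r['order'] ) ) {
+        if ( 'DESC' === $r['order'] ) {
             $messages = array_reverse( $messages );
         }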
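Review bot: In populate() the bp_esc_sql_order() call only sanitizes the default value of the 'order' key, so a caller-supplied `$args['order']` presumably overrides it unsanitized when the arrays are merged (the bp_parse_args call sits outside this hunk), and `$this->messages_order = $r['order'];` then stores that raw string where the removed code stored the validated `$order`. Sanitize the merged value instead of the default, e.g. `$r['order'] = bp_esc_sql_order( $r['order'] );` immediately before `$this->messages_order = $r['order'];`, mirroring the "Sanitize 'order'" hunk further down. The later `'DESC' === $r['order']` comparison also drops strtoupper(), so it relies on bp_esc_sql_order() returning an upper-cased value; if that is the helper's contract a short comment such as `// bp_esc_sql_order() returns 'ASC' or 'DESC' in upper case.` would make the dependency explicit. populate()'s body continues outside these hunks.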