Timestamp:
11/13/2021 06:40:37 PM (3 years ago)
Author:
espellcaste
Message:

Sanitize all ORDER BY (ASC/DESC) values using the bp_esc_sql_order helper function where possible.

BuddyPress is not consistent in how it escapes ORDER BY (ASC/DESC) values provided by developers/users. This commit improves that by using the bp_esc_sql_order helper function where possible.

Props imath

Fixes #8576

File:
1 edited

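--- a/trunk/src/bp-xprofile/classes/class-bp-xprofile-field.php
+++ b/trunk/src/bp-xprofile/classes/class-bp-xprofile-field.php
@@ -562,7 +562,8 @@
      * @since 1.2.0
      *
-     * @global object $wpdb
-     *
-     * @param bool $for_editing Whether or not the field is for editing.
+     * @global BuddyPress $bp The one true BuddyPress instance.
+     * @global wpdb $wpdb WordPress database object.
+     *
+     * @param bool $for_editing Whether or not the field is for editing. Default to false.
      * @return array
      */
@@ -570,9 +571,10 @@
         global $wpdb;
 
+        // Sanitize 'order_by'.
+        $order_by = bp_esc_sql_order( $this->order_by );
+
         // This is done here so we don't have problems with sql injection.
-        if ( empty( $for_editing ) && ( 'asc' === $this->order_by ) ) {
-            $sort_sql = 'ORDER BY name ASC';
-        } elseif ( empty( $for_editing ) && ( 'desc' === $this->order_by ) ) {
-            $sort_sql = 'ORDER BY name DESC';
+        if ( empty( $for_editing ) ) {
+            $sort_sql = "ORDER BY name {$order_by}";
         } else {
             $sort_sql = 'ORDER BY option_order ASC';
@@ -587,7 +589,6 @@
         }
 
-        $bp  = buddypress();
-        $sql = $wpdb->prepare( "SELECT * FROM {$bp->profile->table_name_fields} WHERE parent_id = %d AND group_id = %d {$sort_sql}", $parent_id, $this->group_id );
-
+        $bp       = buddypress();
+        $sql      = $wpdb->prepare( "SELECT * FROM {$bp->profile->table_name_fields} WHERE parent_id = %d AND group_id = %d {$sort_sql}", $parent_id, $this->group_id );
         $children = $wpdb->get_results( $sql );
 
@@ -598,5 +599,5 @@
      * @since 3.0.0 Added the `$this` parameter.
      *
-     * @param object            $children    Found children for a field.
+     * @param array             $children    Found children for a field.
      * @param bool              $for_editing Whether or not the field is for editing.
      * @param BP_XProfile_Field $this        Field object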