Changeset 7008

Timestamp:

05/06/2013 07:51:30 PM (12 years ago)

Author:

boonebgorges

Message:

Improve search_terms SQL clause in BP_User_Query

Standardizing the way that apostrophes and other special characters are
escaped in the LIKE claues means that we won't miss items "O'Conner" in member
search.

Fixes #4933

Props dontdream

Location:

trunk

Files:

• bp-core/bp-core-classes.php (modified) (1 diff)
• tests/testcases/core/classes.php (modified) (1 diff)

trunk/bp-core/bp-core-classes.php

@@ -318 +318 @@
         // @todo remove need for bp_is_active() check
         if ( false !== $search_terms && bp_is_active( 'xprofile' ) ) {
-            $found_user_ids = $wpdb->get_col( $wpdb->prepare( "SELECT user_id FROM {$bp->profile->table_name_data} WHERE value LIKE %s", '%%' . like_escape( $search_terms ) . '%%' ) );
+            $search_terms_clean = mysql_real_escape_string( mysql_real_escape_string( $search_terms ) );
+            $search_terms_clean = like_escape( $search_terms_clean );
+            $found_user_ids_query = "SELECT user_id FROM {$bp->profile->table_name_data} WHERE value LIKE '%" . $search_terms_clean . "%'";
+            $found_user_ids = $wpdb->get_col( $found_user_ids_query );
 
             if ( ! empty( $found_user_ids ) ) {

trunk/tests/testcases/core/classes.php

@@ -101 +101 @@
         $this->assertEquals( $expected, $user_ids );
     }
+
+    public function test_bp_user_query_search_with_apostrophe() {
+        // Apostrophe. Search_terms must escaped to mimic POST payload
+        $user_id = $this->create_user();
+        xprofile_set_field_data( 1, $user_id, "Foo'Bar" );
+        $q = new BP_User_Query( array( 'search_terms' => "oo\'Ba", ) );
+
+        $found_user_id = null;
+        if ( ! empty( $q->results ) ) {
+            $found_user = array_pop( $q->results );
+            $found_user_id = $found_user->ID;
+        }
+
+        $this->assertEquals( $user_id, $found_user_id );
+    }
+
+    public function test_bp_user_query_search_with_percent_sign() {
+
+        // LIKE special character: %
+        $user_id = $this->create_user();
+        xprofile_set_field_data( 1, $user_id, "Foo%Bar" );
+        $q = new BP_User_Query( array( 'search_terms' => "oo%Bar", ) );
+
+        $found_user_id = null;
+        if ( ! empty( $q->results ) ) {
+            $found_user = array_pop( $q->results );
+            $found_user_id = $found_user->ID;
+        }
+
+        $this->assertEquals( $user_id, $found_user_id );
+
+    }
+
+    public function test_bp_user_query_search_with_underscore() {
+
+        // LIKE special character: _
+        $user_id = $this->create_user();
+        xprofile_set_field_data( 1, $user_id, "Foo_Bar" );
+        $q = new BP_User_Query( array( 'search_terms' => "oo_Bar", ) );
+
+        $found_user_id = null;
+        if ( ! empty( $q->results ) ) {
+            $found_user = array_pop( $q->results );
+            $found_user_id = $found_user->ID;
+        }
+
+        $this->assertEquals( $user_id, $found_user_id );
+
+    }
+
 }