
Changeset 7014


Timestamp:
05/07/2013 11:42:23 PM (12 years ago)
Author:
boonebgorges
Message:

Audit of parameter sanitization in Groups and Core database classes

  • Uses wp_parse_id_list() to sanitize parameters of integer arrays
  • Implements a more consistent approach to LIKE clause sanitization

See #4989

Props johnjamesjacoby

Location:
branches/1.7
Files:
4 edited

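--- a/branches/1.7/bp-core/bp-core-classes.php
+++ b/branches/1.7/bp-core/bp-core-classes.php
@@ -837,5 +837,5 @@
 
         if ( !empty( $search_terms ) && bp_is_active( 'xprofile' ) ) {
-            $search_terms             = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms             = esc_sql( like_escape( trim( $search_terms ) ) );
             $sql['where_searchterms'] = "AND spd.value LIKE '%%$search_terms%%'";
         }
@@ -954,8 +954,14 @@
         }
 
-        $letter     = like_escape( $wpdb->escape( $letter ) );
+        $letter     = esc_sql( like_escape( trim( $letter ) ) );
         $status_sql = bp_core_get_status_sql( 'u.' );
 
-        $exclude_sql = ( !empty( $exclude ) ) ? " AND u.ID NOT IN ({$exclude})" : "";
+        if ( !empty( $exclude ) ) {
+            $exclude     = wp_parse_id_list( $r['exclude'] );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude_sql = " AND u.id NOT IN ({$exclude})";
+        } else {
+            $exclude_sql = '';
+        }
 
         $total_users_sql = apply_filters( 'bp_core_users_by_letter_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%'  ORDER BY pd.value ASC", bp_xprofile_fullname_field_name() ) );
@@ -1046,5 +1052,5 @@
         $pag_sql  = $limit && $page ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * intval( $limit ) ), intval( $limit ) ) : '';
 
-        $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+        $search_terms = esc_sql( like_escape( trim( $search_terms ) ) );
         $status_sql   = bp_core_get_status_sql( 'u.' );
 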
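Review bot: The new line 962 spells the column `u.id` while the query it is spliced into at line 967 (and the removed line 959) uses `u.ID`; MySQL resolves column names case-insensitively so this works, but keeping `u.ID` avoids a misleading diff later. The rebuilt branch also parses `$r['exclude']` while its guard tests `$exclude`; if those do not hold the same value (the argument parsing is outside the hunk, so I can't tell) the guard and the parsed list can disagree. Finally, `$wpdb->escape()` is kept on the imploded id list even though the commit moves every string site to esc_sql(); since wp_parse_id_list() already yields integers, `$exclude_sql = " AND u.ID NOT IN (" . implode( ',', wp_parse_id_list( $exclude ) ) . ")";` is enough and consistent with the later bp-groups hunks. The enclosing method starts and ends outside the hunk.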
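--- a/branches/1.7/bp-groups/bp-groups-classes.php
+++ b/branches/1.7/bp-groups/bp-groups-classes.php
@@ -222,5 +222,5 @@
             $user_id = bp_displayed_user_id();
 
-        $filter = like_escape( $wpdb->escape( $filter ) );
+        $filter = esc_sql( like_escape( $filter ) );
 
         if ( !empty( $limit ) && !empty( $page ) )
@@ -241,8 +241,11 @@
     }
 
+    /**
+     * @todo Deprecate in favor of get()
+     */
     function search_groups( $filter, $limit = null, $page = null, $sort_by = false, $order = false ) {
         global $wpdb, $bp;
 
-        $filter = like_escape( $wpdb->escape( $filter ) );
+        $filter = esc_sql( like_escape( $filter ) );
 
         if ( !empty( $limit ) && !empty( $page ) )
@@ -250,7 +253,7 @@
 
         if ( !empty( $sort_by ) && !empty( $order ) ) {
-            $sort_by   = $wpdb->escape( $sort_by );
-            $order     = $wpdb->escape( $order );
-            $order_sql = "ORDER BY $sort_by $order";
+            $sort_by   = esc_sql( $sort_by );
+            $order     = esc_sql( $order );
+            $order_sql = "ORDER BY {$sort_by} {$order}";
         }
 
@@ -364,5 +367,5 @@
 
         if ( !empty( $search_terms ) ) {
-            $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms = esc_sql( like_escape( $search_terms ) );
             $sql['search'] = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
         }
@@ -372,16 +375,12 @@
 
         if ( !empty( $include ) ) {
-            if ( is_array( $include ) )
-                $include = implode( ',', $include );
-
-            $include = $wpdb->escape( $include );
+            $include        = wp_parse_id_list( $r['include'] );
+            $include        = $wpdb->escape( implode( ',', $include ) );
             $sql['include'] = " AND g.id IN ({$include})";
         }
 
         if ( !empty( $exclude ) ) {
-            if ( is_array( $exclude ) )
-                $exclude = implode( ',', $exclude );
-
-            $exclude = $wpdb->escape( $exclude );
+            $exclude        = wp_parse_id_list( $r['exclude'] );
+            $exclude        = $wpdb->escape( implode( ',', $exclude ) );
             $sql['exclude'] = " AND g.id NOT IN ({$exclude})";
         }
@@ -480,15 +479,16 @@
 
         if ( !empty( $search_terms ) ) {
-            $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms = esc_sql( like_escape( trim( $search_terms ) ) );
             $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
         }
 
         if ( !empty( $exclude ) ) {
-            $exclude = $wpdb->escape( $exclude );
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
 
         if ( !empty( $user_id ) ) {
-            $user_id = $wpdb->escape( $user_id );
+            $user_id      = absint( $wpdb->escape( $user_id ) );
             $paged_groups = $wpdb->get_results( "SELECT DISTINCT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY f.topics DESC {$pag_sql}" );
             $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql}" );
@@ -521,10 +521,11 @@
 
         if ( !empty( $search_terms ) ) {
-            $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms = esc_sql( like_escape( trim( $search_terms ) ) );
             $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
         }
 
         if ( !empty( $exclude ) ) {
-            $exclude = $wpdb->escape( $exclude );
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
@@ -563,5 +564,6 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude = $wpdb->escape( $exclude );
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
@@ -570,5 +572,5 @@
             $hidden_sql = " AND status != 'hidden'";
 
-        $letter = like_escape( $wpdb->escape( $letter ) );
+        $letter = esc_sql( like_escape( $letter ) );
 
         if ( !empty( $limit ) && !empty( $page ) ) {
@@ -602,10 +604,11 @@
 
         if ( !empty( $search_terms ) ) {
-            $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms = esc_sql( like_escape( trim( $search_terms ) ) );
             $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
         }
 
         if ( !empty( $exclude ) ) {
-            $exclude = $wpdb->escape( $exclude );
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
@@ -634,4 +637,8 @@
         if ( empty( $group_ids ) )
             return $paged_groups;
+
+        // Sanitize group IDs
+        $group_ids = wp_parse_id_list( $group_ids );
+        $group_ids = implode( ',', $group_ids );
 
         // Fetch the logged in users status within each group
@@ -736,6 +743,6 @@
         $sql['where']  = "WHERE gm.meta_key = 'forum_id' {$status_sql} AND t.topic_status = '0' AND t.topic_sticky != '2'";
 
-        if ( $search_terms ) {
-            $st = like_escape( $search_terms );
+        if ( !empty( $search_terms ) ) {
+            $st = esc_sql( like_escape( $search_terms ) );
             $sql['where'] .= " AND (  t.topic_title LIKE '%{$st}%' )";
         }
@@ -998,5 +1005,5 @@
 
         if ( !empty( $filter ) ) {
-            $filter = like_escape( $wpdb->escape( $filter ) );
+            $filter     = esc_sql( like_escape( $filter ) );
             $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
         }
@@ -1020,5 +1027,5 @@
 
         if ( !empty( $filter ) ) {
-            $filter = like_escape( $wpdb->escape( $filter ) );
+            $filter     = esc_sql( like_escape( $filter ) );
             $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
         }
@@ -1042,5 +1049,5 @@
 
         if ( !empty( $filter ) ) {
-            $filter = like_escape( $wpdb->escape( $filter ) );
+            $filter     = esc_sql( like_escape( trim( $filter ) ) );
             $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
         }
@@ -1073,5 +1080,11 @@
         $pag_sql = ( !empty( $limit ) && !empty( $page ) ) ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ) : '';
 
-        $exclude_sql = !empty( $exclude ) ? $wpdb->prepare( " AND g.id NOT IN (%s)", $exclude ) : '';
+        if ( !empty( $exclude ) ) {
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude_sql = " AND g.id NOT IN ({$exclude})";
+        } else {
+            $exclude_sql = '';
+        }
 
         $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND m.is_confirmed = 0 AND m.inviter_id != 0 AND m.invite_sent = 1 AND m.user_id = %d {$exclude_sql} ORDER BY m.date_modified ASC {$pag_sql}", $user_id ) );
@@ -1176,12 +1189,12 @@
     }
 
-    function get_random_groups( $user_id, $total_groups = 5 ) {
+    function get_random_groups( $user_id = 0, $total_groups = 5 ) {
         global $wpdb, $bp;
 
         // If the user is logged in and viewing their random groups, we can show hidden and private groups
         if ( bp_is_my_profile() ) {
-            return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT group_id FROM {$bp->groups->table_name_members} WHERE user_id = %d AND is_confirmed = 1 AND is_banned = 0 ORDER BY rand() LIMIT $total_groups", $user_id ) );
+            return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT group_id FROM {$bp->groups->table_name_members} WHERE user_id = %d AND is_confirmed = 1 AND is_banned = 0 ORDER BY rand() LIMIT %d", $user_id, $total_groups ) );
         } else {
-            return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT m.group_id FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id AND g.status != 'hidden' AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY rand() LIMIT $total_groups", $user_id ) );
+            return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT m.group_id FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id AND g.status != 'hidden' AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY rand() LIMIT %d", $user_id, $total_groups ) );
         }
     }
@@ -1228,5 +1241,6 @@
         $exclude_sql = '';
         if ( !empty( $exclude ) ) {
-            $exclude = implode( ',', wp_parse_id_list( $exclude ) );
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
             $exclude_sql = " AND m.user_id NOT IN ({$exclude})";
         }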
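Review bot: In search_groups() (new lines 255-257; the method's body continues outside the hunk) `$sort_by` and `$order` are interpolated unquoted into `ORDER BY {$sort_by} {$order}`, so esc_sql() — which only neutralises characters that matter inside a quoted string literal — adds no protection for that clause and the swap from $wpdb->escape() changes nothing there. Identifiers and keywords need an allowlist rather than escaping: compare `$sort_by` against the column names this query is meant to expose, fall back to the default ordering when it is not in the list, and reduce `$order` with `$order = ( 'DESC' === strtoupper( $order ) ) ? 'DESC' : 'ASC';`. Separately, `absint( $wpdb->escape( $user_id ) )` at new line 492 escapes a value that is then cast to an integer; `$user_id = absint( $user_id );` is equivalent and clearer. The `$r['include']` / `$r['exclude']` reads at new lines 377 and 383 differ from the later hunks, which parse `$exclude` directly; worth confirming both variables hold the same value in that method, since its argument handling is outside the hunk.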
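--- a/branches/1.7/bp-templates/bp-legacy/buddypress-functions.php
+++ b/branches/1.7/bp-templates/bp-legacy/buddypress-functions.php
@@ -415,5 +415,5 @@
     // If page and search_terms have been passed via the AJAX post request, use those.
     if ( ! empty( $_POST['page'] ) && '-1' != $_POST['page'] )
-        $qs[] = 'page=' . $_POST['page'];
+        $qs[] = 'page=' . absint( $_POST['page'] );
 
     $object_search_text = bp_get_search_default_text( $object );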
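Review bot: absint() maps a non-numeric `page` value to 0, so a POST carrying something like page=abc still passes the `! empty()` guard on line 416 and emits `page=0`; whether the consumer of `$qs` treats page 0 sensibly is not visible in this hunk. Casting once and testing the result keeps the guard and the emitted value in step: `$page = absint( $_POST['page'] );` followed by `if ( $page && '-1' != $_POST['page'] ) $qs[] = 'page=' . $page;` (the raw `'-1'` check stays, since absint() would turn -1 into 1). The identical lines in branches/1.7/bp-themes/bp-default/_inc/ajax.php (126-127) have the same shape and would take the same change. The enclosing function starts and ends outside the hunk.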
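--- a/branches/1.7/bp-themes/bp-default/_inc/ajax.php
+++ b/branches/1.7/bp-themes/bp-default/_inc/ajax.php
@@ -125,5 +125,5 @@
     // If page and search_terms have been passed via the AJAX post request, use those.
     if ( ! empty( $_POST['page'] ) && '-1' != $_POST['page'] )
-        $qs[] = 'page=' . $_POST['page'];
+        $qs[] = 'page=' . absint( $_POST['page'] );
 
     $object_search_text = bp_get_search_default_text( $object );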