Changeset 7014
- Timestamp:
- 05/07/2013 11:42:23 PM (12 years ago)
- Location:
- branches/1.7
- Files:
-
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/1.7/bp-core/bp-core-classes.php
r6654 r7014 837 837 838 838 if ( !empty( $search_terms ) && bp_is_active( 'xprofile' ) ) { 839 $search_terms = like_escape( $wpdb->escape( $search_terms) );839 $search_terms = esc_sql( like_escape( trim( $search_terms ) ) ); 840 840 $sql['where_searchterms'] = "AND spd.value LIKE '%%$search_terms%%'"; 841 841 } … … 954 954 } 955 955 956 $letter = like_escape( $wpdb->escape( $letter) );956 $letter = esc_sql( like_escape( trim( $letter ) ) ); 957 957 $status_sql = bp_core_get_status_sql( 'u.' ); 958 958 959 $exclude_sql = ( !empty( $exclude ) ) ? " AND u.ID NOT IN ({$exclude})" : ""; 959 if ( !empty( $exclude ) ) { 960 $exclude = wp_parse_id_list( $r['exclude'] ); 961 $exclude = $wpdb->escape( implode( ',', $exclude ) ); 962 $exclude_sql = " AND u.id NOT IN ({$exclude})"; 963 } else { 964 $exclude_sql = ''; 965 } 960 966 961 967 $total_users_sql = apply_filters( 'bp_core_users_by_letter_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%' ORDER BY pd.value ASC", bp_xprofile_fullname_field_name() ) ); … … 1046 1052 $pag_sql = $limit && $page ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * intval( $limit ) ), intval( $limit ) ) : ''; 1047 1053 1048 $search_terms = like_escape( $wpdb->escape( $search_terms) );1054 $search_terms = esc_sql( like_escape( trim( $search_terms ) ) ); 1049 1055 $status_sql = bp_core_get_status_sql( 'u.' ); 1050 1056 -
branches/1.7/bp-groups/bp-groups-classes.php
r6712 r7014 222 222 $user_id = bp_displayed_user_id(); 223 223 224 $filter = like_escape( $wpdb->escape( $filter ) );224 $filter = esc_sql( like_escape( $filter ) ); 225 225 226 226 if ( !empty( $limit ) && !empty( $page ) ) … … 241 241 } 242 242 243 /** 244 * @todo Deprecate in favor of get() 245 */ 243 246 function search_groups( $filter, $limit = null, $page = null, $sort_by = false, $order = false ) { 244 247 global $wpdb, $bp; 245 248 246 $filter = like_escape( $wpdb->escape( $filter ) );249 $filter = esc_sql( like_escape( $filter ) ); 247 250 248 251 if ( !empty( $limit ) && !empty( $page ) ) … … 250 253 251 254 if ( !empty( $sort_by ) && !empty( $order ) ) { 252 $sort_by = $wpdb->escape( $sort_by );253 $order = $wpdb->escape( $order );254 $order_sql = "ORDER BY $sort_by $order";255 $sort_by = esc_sql( $sort_by ); 256 $order = esc_sql( $order ); 257 $order_sql = "ORDER BY {$sort_by} {$order}"; 255 258 } 256 259 … … 364 367 365 368 if ( !empty( $search_terms ) ) { 366 $search_terms = like_escape( $wpdb->escape( $search_terms ) );369 $search_terms = esc_sql( like_escape( $search_terms ) ); 367 370 $sql['search'] = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )"; 368 371 } … … 372 375 373 376 if ( !empty( $include ) ) { 374 if ( is_array( $include ) ) 375 $include = implode( ',', $include ); 376 377 $include = $wpdb->escape( $include ); 377 $include = wp_parse_id_list( $r['include'] ); 378 $include = $wpdb->escape( implode( ',', $include ) ); 378 379 $sql['include'] = " AND g.id IN ({$include})"; 379 380 } 380 381 381 382 if ( !empty( $exclude ) ) { 382 if ( is_array( $exclude ) ) 383 $exclude = implode( ',', $exclude ); 384 385 $exclude = $wpdb->escape( $exclude ); 383 $exclude = wp_parse_id_list( $r['exclude'] ); 384 $exclude = $wpdb->escape( implode( ',', $exclude ) ); 386 385 $sql['exclude'] = " AND g.id NOT IN ({$exclude})"; 387 386 } … … 480 479 481 480 if ( !empty( $search_terms ) ) { 482 $search_terms = like_escape( $wpdb->escape( $search_terms) );481 $search_terms = esc_sql( like_escape( trim( $search_terms ) ) ); 483 482 $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )"; 484 483 } 485 484 486 485 if ( !empty( $exclude ) ) { 487 $exclude = $wpdb->escape( $exclude ); 486 $exclude = wp_parse_id_list( $exclude ); 487 $exclude = $wpdb->escape( implode( ',', $exclude ) ); 488 488 $exclude_sql = " AND g.id NOT IN ({$exclude})"; 489 489 } 490 490 491 491 if ( !empty( $user_id ) ) { 492 $user_id = $wpdb->escape( $user_id);492 $user_id = absint( $wpdb->escape( $user_id ) ); 493 493 $paged_groups = $wpdb->get_results( "SELECT DISTINCT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY f.topics DESC {$pag_sql}" ); 494 494 $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql}" ); … … 521 521 522 522 if ( !empty( $search_terms ) ) { 523 $search_terms = like_escape( $wpdb->escape( $search_terms) );523 $search_terms = esc_sql( like_escape( trim( $search_terms ) ) ); 524 524 $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )"; 525 525 } 526 526 527 527 if ( !empty( $exclude ) ) { 528 $exclude = $wpdb->escape( $exclude ); 528 $exclude = wp_parse_id_list( $exclude ); 529 $exclude = $wpdb->escape( implode( ',', $exclude ) ); 529 530 $exclude_sql = " AND g.id NOT IN ({$exclude})"; 530 531 } … … 563 564 564 565 if ( !empty( $exclude ) ) { 565 $exclude = $wpdb->escape( $exclude ); 566 $exclude = wp_parse_id_list( $exclude ); 567 $exclude = $wpdb->escape( implode( ',', $exclude ) ); 566 568 $exclude_sql = " AND g.id NOT IN ({$exclude})"; 567 569 } … … 570 572 $hidden_sql = " AND status != 'hidden'"; 571 573 572 $letter = like_escape( $wpdb->escape( $letter ) );574 $letter = esc_sql( like_escape( $letter ) ); 573 575 574 576 if ( !empty( $limit ) && !empty( $page ) ) { … … 602 604 603 605 if ( !empty( $search_terms ) ) { 604 $search_terms = like_escape( $wpdb->escape( $search_terms) );606 $search_terms = esc_sql( like_escape( trim( $search_terms ) ) ); 605 607 $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )"; 606 608 } 607 609 608 610 if ( !empty( $exclude ) ) { 609 $exclude = $wpdb->escape( $exclude ); 611 $exclude = wp_parse_id_list( $exclude ); 612 $exclude = $wpdb->escape( implode( ',', $exclude ) ); 610 613 $exclude_sql = " AND g.id NOT IN ({$exclude})"; 611 614 } … … 634 637 if ( empty( $group_ids ) ) 635 638 return $paged_groups; 639 640 // Sanitize group IDs 641 $group_ids = wp_parse_id_list( $group_ids ); 642 $group_ids = implode( ',', $group_ids ); 636 643 637 644 // Fetch the logged in users status within each group … … 736 743 $sql['where'] = "WHERE gm.meta_key = 'forum_id' {$status_sql} AND t.topic_status = '0' AND t.topic_sticky != '2'"; 737 744 738 if ( $search_terms) {739 $st = like_escape( $search_terms);745 if ( !empty( $search_terms ) ) { 746 $st = esc_sql( like_escape( $search_terms ) ); 740 747 $sql['where'] .= " AND ( t.topic_title LIKE '%{$st}%' )"; 741 748 } … … 998 1005 999 1006 if ( !empty( $filter ) ) { 1000 $filter = like_escape( $wpdb->escape( $filter ) );1007 $filter = esc_sql( like_escape( $filter ) ); 1001 1008 $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )"; 1002 1009 } … … 1020 1027 1021 1028 if ( !empty( $filter ) ) { 1022 $filter = like_escape( $wpdb->escape( $filter ) );1029 $filter = esc_sql( like_escape( $filter ) ); 1023 1030 $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )"; 1024 1031 } … … 1042 1049 1043 1050 if ( !empty( $filter ) ) { 1044 $filter = like_escape( $wpdb->escape( $filter) );1051 $filter = esc_sql( like_escape( trim( $filter ) ) ); 1045 1052 $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )"; 1046 1053 } … … 1073 1080 $pag_sql = ( !empty( $limit ) && !empty( $page ) ) ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ) : ''; 1074 1081 1075 $exclude_sql = !empty( $exclude ) ? $wpdb->prepare( " AND g.id NOT IN (%s)", $exclude ) : ''; 1082 if ( !empty( $exclude ) ) { 1083 $exclude = wp_parse_id_list( $exclude ); 1084 $exclude = $wpdb->escape( implode( ',', $exclude ) ); 1085 $exclude_sql = " AND g.id NOT IN ({$exclude})"; 1086 } else { 1087 $exclude_sql = ''; 1088 } 1076 1089 1077 1090 $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND m.is_confirmed = 0 AND m.inviter_id != 0 AND m.invite_sent = 1 AND m.user_id = %d {$exclude_sql} ORDER BY m.date_modified ASC {$pag_sql}", $user_id ) ); … … 1176 1189 } 1177 1190 1178 function get_random_groups( $user_id , $total_groups = 5 ) {1191 function get_random_groups( $user_id = 0, $total_groups = 5 ) { 1179 1192 global $wpdb, $bp; 1180 1193 1181 1194 // If the user is logged in and viewing their random groups, we can show hidden and private groups 1182 1195 if ( bp_is_my_profile() ) { 1183 return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT group_id FROM {$bp->groups->table_name_members} WHERE user_id = %d AND is_confirmed = 1 AND is_banned = 0 ORDER BY rand() LIMIT $total_groups", $user_id) );1196 return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT group_id FROM {$bp->groups->table_name_members} WHERE user_id = %d AND is_confirmed = 1 AND is_banned = 0 ORDER BY rand() LIMIT %d", $user_id, $total_groups ) ); 1184 1197 } else { 1185 return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT m.group_id FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id AND g.status != 'hidden' AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY rand() LIMIT $total_groups", $user_id) );1198 return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT m.group_id FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id AND g.status != 'hidden' AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY rand() LIMIT %d", $user_id, $total_groups ) ); 1186 1199 } 1187 1200 } … … 1228 1241 $exclude_sql = ''; 1229 1242 if ( !empty( $exclude ) ) { 1230 $exclude = implode( ',', wp_parse_id_list( $exclude ) ); 1243 $exclude = wp_parse_id_list( $exclude ); 1244 $exclude = $wpdb->escape( implode( ',', $exclude ) ); 1231 1245 $exclude_sql = " AND m.user_id NOT IN ({$exclude})"; 1232 1246 } -
branches/1.7/bp-templates/bp-legacy/buddypress-functions.php
r6867 r7014 415 415 // If page and search_terms have been passed via the AJAX post request, use those. 416 416 if ( ! empty( $_POST['page'] ) && '-1' != $_POST['page'] ) 417 $qs[] = 'page=' . $_POST['page'];417 $qs[] = 'page=' . absint( $_POST['page'] ); 418 418 419 419 $object_search_text = bp_get_search_default_text( $object ); -
branches/1.7/bp-themes/bp-default/_inc/ajax.php
r6740 r7014 125 125 // If page and search_terms have been passed via the AJAX post request, use those. 126 126 if ( ! empty( $_POST['page'] ) && '-1' != $_POST['page'] ) 127 $qs[] = 'page=' . $_POST['page'];127 $qs[] = 'page=' . absint( $_POST['page'] ); 128 128 129 129 $object_search_text = bp_get_search_default_text( $object );
Note: See TracChangeset
for help on using the changeset viewer.