Timestamp:
05/07/2013 11:42:23 PM (11 years ago)
Author:
boonebgorges
Message:

Audit of parameter sanitization in Groups and Core database classes

  • Uses wp_parse_id_list() to sanitize parameters of integer arrays
  • Implements a more consistent approach to LIKE clause sanitization

See #4989

Props johnjamesjacoby

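--- a/branches/1.7/bp-core/bp-core-classes.php
+++ b/branches/1.7/bp-core/bp-core-classes.php
@@ -837,5 +837,5 @@
 
         if ( !empty( $search_terms ) && bp_is_active( 'xprofile' ) ) {
-            $search_terms             = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms             = esc_sql( like_escape( trim( $search_terms ) ) );
             $sql['where_searchterms'] = "AND spd.value LIKE '%%$search_terms%%'";
         }
@@ -954,8 +954,14 @@
         }
 
-        $letter     = like_escape( $wpdb->escape( $letter ) );
+        $letter     = esc_sql( like_escape( trim( $letter ) ) );
         $status_sql = bp_core_get_status_sql( 'u.' );
 
-        $exclude_sql = ( !empty( $exclude ) ) ? " AND u.ID NOT IN ({$exclude})" : "";
+        if ( !empty( $exclude ) ) {
+            $exclude     = wp_parse_id_list( $r['exclude'] );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude_sql = " AND u.id NOT IN ({$exclude})";
+        } else {
+            $exclude_sql = '';
+        }
 
         $total_users_sql = apply_filters( 'bp_core_users_by_letter_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%'  ORDER BY pd.value ASC", bp_xprofile_fullname_field_name() ) );
@@ -1046,5 +1052,5 @@
         $pag_sql  = $limit && $page ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * intval( $limit ) ), intval( $limit ) ) : '';
 
-        $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+        $search_terms = esc_sql( like_escape( trim( $search_terms ) ) );
         $status_sql   = bp_core_get_status_sql( 'u.' );
 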
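Review bot: In the second hunk the new exclude block guards on `$exclude` but parses `$r['exclude']`, then pushes the integer-only list through `$wpdb->escape()`, the very call the other three changed lines in this commit replace with `esc_sql()`; presumably both variables carry the same value after the earlier argument parsing, but the mixed source reads as two different inputs. Because `wp_parse_id_list()` already yields integers, the escape is redundant and the block can read `$exclude = wp_parse_id_list( $exclude );` / `$exclude_sql = ' AND u.ID NOT IN (' . implode( ',', $exclude ) . ')';`, which also restores the `u.ID` spelling used by the count query below instead of the new `u.id`. Separately, `$letter` is interpolated straight into the format string handed to `$wpdb->prepare()` rather than bound through a `%s` placeholder, so any `%` surviving the `like_escape()`/`esc_sql()` layering reaches the format parser; binding the escaped pattern as a prepare argument (and, if the first and third hunks' `$search_terms` SQL is likewise prepared, doing the same there) keeps user input out of the format string entirely. The enclosing functions start and end outside these hunks.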