

Changeset 7020


Timestamp:
05/08/2013 02:45:42 AM (11 years ago)
Author:
johnjamesjacoby
Message:

More array sanitization hardening using wp_parse_id_list() in bp-groups-classes.php. See #4989 (1.7 branch)

File:
1 edited

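--- a/branches/1.7/bp-groups/bp-groups-classes.php
+++ b/branches/1.7/bp-groups/bp-groups-classes.php
@@ -174,5 +174,5 @@
         // Fetch the user IDs of all the members of the group
         $user_ids    = BP_Groups_Member::get_group_member_ids( $this->id );
-        $user_id_str = implode( ',', (array) $user_ids );
+        $user_id_str = esc_sql( implode( ',', wp_parse_id_list( $user_ids ) ) );
 
         // Modify group count usermeta for members
@@ -233,5 +233,5 @@
             return false;
 
-        $gids = implode( ',', $gids['groups'] );
+        $gids = esc_sql( implode( ',', wp_parse_id_list( $gids['groups'] ) ) );
 
         $paged_groups = $wpdb->get_results( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE '{$filter}%%' OR description LIKE '{$filter}%%' ) AND id IN ({$gids}) {$pag_sql}" );
@@ -639,6 +639,5 @@
 
         // Sanitize group IDs
-        $group_ids = wp_parse_id_list( $group_ids );
-        $group_ids = implode( ',', $group_ids );
+        $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
 
         // Fetch the logged in users status within each group
@@ -1266,5 +1265,5 @@
             $user_ids[] = $user->user_id;
 
-        $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
+        $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
 
         if ( bp_is_active( 'friends' ) ) {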
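Review bot: In the hunk at lines 235–237, `$gids` is now built from `wp_parse_id_list()`, but the query on the following line still interpolates `$filter` directly into two `LIKE '{$filter}%%'` patterns, and the doubled `%%` reads as if the string was written for `$wpdb->prepare()` without ever being passed through it. How `$filter` is escaped happens above the hunk and cannot be checked here; if it is only SQL-quoted, LIKE wildcards (`%`, `_`) in a user-supplied search term still reach the query. A more robust form is to bind the search terms with `%s` placeholders, e.g. `$wpdb->prepare( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) AND id IN ({$gids}) {$pag_sql}", $filter . '%', $filter . '%' )`, with the wildcard characters in `$filter` escaped first. Separately, since `wp_parse_id_list()` already reduces every element to a non-negative integer, the `esc_sql()` wrapper added at lines 176 and 235 is harmless but redundant, and its absence at lines 641 and 1267 makes the commit inconsistent; one form should be used throughout. The enclosing methods begin and end outside the hunks.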