

Changeset 7024


Timestamp:
05/08/2013 08:27:22 PM (12 years ago)
Author:
boonebgorges
Message:

Improved sanitization for Core component database methods

All constructed IN clauses for integer values are now run through
wp_parse_id_list().

Also adds tests for the relevant methods.

Fixes #4992

Props johnjamesjacoby, DJPaul

Location:
trunk
Files:
1 added
4 edited
1 moved

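--- a/trunk/bp-core/bp-core-cache.php
+++ b/trunk/bp-core/bp-core-cache.php
@@ -93,10 +93,5 @@
     }
 
-    if ( !is_array( $object_ids ) ) {
-        $object_ids = preg_replace( '|[^0-9,]|', '', $object_ids );
-        $object_ids = explode( ',', $object_ids );
-    }
-
-    $object_ids = array_map( 'intval', $object_ids );
+    $object_ids = wp_parse_id_list( $object_ids );
 
     $cache = array();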
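Review bot: The new line leans on wp_parse_id_list() both to split a string and to coerce every entry to an integer, which is the right tool for a list that is later interpolated unquoted, but as I recall it does not drop empty or non-numeric entries: a lone empty string becomes a single `0`, while an empty array stays empty. Whatever builds the IN clause further down (the rest of the function is outside this hunk) should therefore return early when the list is empty so the statement never ends in `IN ()`, and a comment on the new line would make the contract visible, e.g. `// Normalise to a de-duplicated list of non-negative ints; safe to interpolate unquoted.`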
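--- a/trunk/bp-core/bp-core-classes.php
+++ b/trunk/bp-core/bp-core-classes.php
@@ -300,5 +300,5 @@
         if ( ! empty( $user_id ) && bp_is_active( 'friends' ) ) {
             $friend_ids = friends_get_friend_user_ids( $user_id );
-            $friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
+            $friend_ids = implode( ',', wp_parse_id_list( $friend_ids ) );
 
             if ( ! empty( $friend_ids ) ) {
@@ -806,4 +806,5 @@
 
         if ( !empty( $exclude ) ) {
+            $exclude              = implode( ',', wp_parse_id_list( $exclude ) );
             $sql['where_exclude'] = "AND u.ID NOT IN ({$exclude})";
         }
@@ -815,18 +816,11 @@
         } else {
             if ( !empty( $include ) ) {
-                if ( is_array( $include ) ) {
-                    $uids = $wpdb->escape( implode( ',', (array) $include ) );
-                } else {
-                    $uids = $wpdb->escape( $include );
-                }
-
-                if ( !empty( $uids ) ) {
-                    $sql['where_users'] = "AND u.ID IN ({$uids})";
-                }
+                $include = implode( ',',  wp_parse_id_list( $include ) );
+                $sql['where_users'] = "AND u.ID IN ({$include})";
             } elseif ( !empty( $user_id ) && bp_is_active( 'friends' ) ) {
                 $friend_ids = friends_get_friend_user_ids( $user_id );
-                $friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
 
                 if ( !empty( $friend_ids ) ) {
+                    $friend_ids = implode( ',', wp_parse_id_list( $friend_ids ) );
                     $sql['where_friends'] = "AND u.ID IN ({$friend_ids})";
 
@@ -914,6 +908,4 @@
             }
 
-            $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
-
             // Add additional data to the returned results
             $paged_users = BP_Core_User::get_user_extras( $paged_users, $user_ids, $type );
@@ -960,6 +952,5 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $r['exclude'] );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $r['exclude'] ) );
             $exclude_sql = " AND u.id NOT IN ({$exclude})";
         } else {
@@ -982,7 +973,5 @@
         $user_ids = array();
         foreach ( (array) $paged_users as $user )
-            $user_ids[] = $user->id;
-
-        $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
+            $user_ids[] = (int) $user->id;
 
         // Add additional data to the returned results
@@ -1012,8 +1001,9 @@
             $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
 
+        $user_ids   = implode( ',', wp_parse_id_list( $user_ids ) );
         $status_sql = bp_core_get_status_sql();
 
-        $total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) " );
-        $paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) {$pag_sql}" );
+        $total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ({$user_ids})" );
+        $paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ({$user_ids}) {$pag_sql}" );
 
         $total_users = $wpdb->get_var( $total_users_sql );
@@ -1070,6 +1060,4 @@
             $user_ids[] = $user->id;
 
-        $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
-
         // Add additional data to the returned results
         if ( $populate_extras )
@@ -1097,4 +1085,7 @@
         if ( empty( $user_ids ) )
             return $paged_users;
+
+        // Sanitize user IDs
+        $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
 
         // Fetch the user's full name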
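Review bot: In the hunk at old line 1012, both added apply_filters() calls use the same hook name, `bp_core_get_specific_users_count_sql`, for the COUNT query and for the paged SELECT, so a callback written to adjust the count also receives and can rewrite the paged statement; the removed lines carried the same name, so this is inherited rather than introduced, but since these lines are being rewritten anyway it is the moment to separate them. Give the paged query its own hook, `apply_filters( 'bp_core_get_specific_users_sql', … )`, and call out the change in the changelog in case third-party code hooks the old name for both. In the same hunk the new `implode( ',', wp_parse_id_list( $user_ids ) )` has no visible empty-list guard (the method begins outside the hunk); if `$user_ids` can arrive as an empty array the statement becomes `ID IN ()`, whereas the hunk at old line 1097 shows the safer pattern of returning before the implode when `empty( $user_ids )`. Minor: the added line at new 818 has a doubled space in `',  wp_parse_id_list`.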
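--- a/trunk/bp-core/bp-core-filters.php
+++ b/trunk/bp-core/bp-core-filters.php
@@ -131,5 +131,5 @@
         return $comments;
 
-    $user_ids = implode( ',', $user_ids );
+    $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
 
     if ( !$userdata = $wpdb->get_results( "SELECT ID as user_id, user_login, user_nicename FROM {$wpdb->users} WHERE ID IN ({$user_ids})" ) )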
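Review bot: The query on the last line of the hunk now depends entirely on the added wp_parse_id_list() call for the safety of its unquoted IN list, and nothing in the code records that, so a later edit could reintroduce a raw implode() without noticing; a comment on the new line such as `// Every ID is absint()ed by wp_parse_id_list(), so the unquoted IN list is safe to interpolate.` would pin the intent. The `return $comments;` at the top of the hunk suggests an empty-list guard sits just above (outside SOURCE); if it does not cover an empty array, `implode()` yields an empty string and the statement becomes `ID IN ()`, which MySQL rejects. The function starts and ends outside this hunk.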
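--- a/trunk/bp-core/bp-core-functions.php
+++ b/trunk/bp-core/bp-core-functions.php
@@ -142,5 +142,5 @@
         // from the current blog
         $posts_table_name = bp_is_multiblog_mode() ? $wpdb->posts : $wpdb->get_blog_prefix( bp_get_root_blog_id() ) . 'posts';
-        $page_ids_sql     = implode( ',', (array) $page_ids );
+        $page_ids_sql     = implode( ',', wp_parse_id_list( $page_ids ) );
         $page_names       = $wpdb->get_results( "SELECT ID, post_name, post_parent, post_title FROM {$posts_table_name} WHERE ID IN ({$page_ids_sql}) AND post_status = 'publish' " );
 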
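Review bot: `$page_ids` reaches the new implode() with no visible empty check, and the enclosing function starts outside the hunk; if it can be an empty array, wp_parse_id_list() returns an empty array, the next line builds `WHERE ID IN () AND post_status = 'publish'`, and get_results() fails silently on the syntax error. Guarding before the query, `if ( empty( $page_ids ) ) { return …; }` with whatever the caller expects back, or only assembling the statement when the list is non-empty, makes that path explicit instead of relying on the database to reject it. Dropping the old `(array)` cast is fine, since wp_parse_id_list() accepts either a string or an array.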
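--- a/trunk/tests/testcases/core/class-bp-user-query.php
+++ b/trunk/tests/testcases/core/class-bp-user-query.php
@@ -4,5 +4,5 @@
  * @group core
  */
-class BP_Tests_Core_Classes extends BP_UnitTestCase {
+class BP_Tests_BP_User_Query_TestCases extends BP_UnitTestCase {
     protected $old_current_user = 0;
 
@@ -148,6 +148,4 @@
 
         $this->assertEquals( $user_id, $found_user_id );
-
     }
-
 }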