


Timestamp:
05/08/2013 08:27:22 PM (11 years ago)
Author:
boonebgorges
Message:

Improved sanitization for Core component database methods

All constructed IN clauses for integer values are now run through
wp_parse_id_list().

Also adds tests for the relevant methods.

Fixes #4992

Props johnjamesjacoby, DJPaul

File:
1 edited

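--- a/trunk/bp-core/bp-core-classes.php
+++ b/trunk/bp-core/bp-core-classes.php
@@ -300,5 +300,5 @@
         if ( ! empty( $user_id ) && bp_is_active( 'friends' ) ) {
             $friend_ids = friends_get_friend_user_ids( $user_id );
-            $friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
+            $friend_ids = implode( ',', wp_parse_id_list( $friend_ids ) );
 
             if ( ! empty( $friend_ids ) ) {
@@ -806,4 +806,5 @@
 
         if ( !empty( $exclude ) ) {
+            $exclude              = implode( ',', wp_parse_id_list( $exclude ) );
             $sql['where_exclude'] = "AND u.ID NOT IN ({$exclude})";
         }
@@ -815,18 +816,11 @@
         } else {
             if ( !empty( $include ) ) {
-                if ( is_array( $include ) ) {
-                    $uids = $wpdb->escape( implode( ',', (array) $include ) );
-                } else {
-                    $uids = $wpdb->escape( $include );
-                }
-
-                if ( !empty( $uids ) ) {
-                    $sql['where_users'] = "AND u.ID IN ({$uids})";
-                }
+                $include = implode( ',',  wp_parse_id_list( $include ) );
+                $sql['where_users'] = "AND u.ID IN ({$include})";
             } elseif ( !empty( $user_id ) && bp_is_active( 'friends' ) ) {
                 $friend_ids = friends_get_friend_user_ids( $user_id );
-                $friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
 
                 if ( !empty( $friend_ids ) ) {
+                    $friend_ids = implode( ',', wp_parse_id_list( $friend_ids ) );
                     $sql['where_friends'] = "AND u.ID IN ({$friend_ids})";
 
@@ -914,6 +908,4 @@
             }
 
-            $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
-
             // Add additional data to the returned results
             $paged_users = BP_Core_User::get_user_extras( $paged_users, $user_ids, $type );
@@ -960,6 +952,5 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $r['exclude'] );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $r['exclude'] ) );
             $exclude_sql = " AND u.id NOT IN ({$exclude})";
         } else {
@@ -982,7 +973,5 @@
         $user_ids = array();
         foreach ( (array) $paged_users as $user )
-            $user_ids[] = $user->id;
-
-        $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
+            $user_ids[] = (int) $user->id;
 
         // Add additional data to the returned results
@@ -1012,8 +1001,9 @@
             $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
 
+        $user_ids   = implode( ',', wp_parse_id_list( $user_ids ) );
         $status_sql = bp_core_get_status_sql();
 
-        $total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) " );
-        $paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) {$pag_sql}" );
+        $total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ({$user_ids})" );
+        $paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ({$user_ids}) {$pag_sql}" );
 
         $total_users = $wpdb->get_var( $total_users_sql );
@@ -1070,6 +1060,4 @@
             $user_ids[] = $user->id;
 
-        $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
-
         // Add additional data to the returned results
         if ( $populate_extras )
@@ -1097,4 +1085,7 @@
         if ( empty( $user_ids ) )
             return $paged_users;
+
+        // Sanitize user IDs
+        $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
 
         // Fetch the user's full name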
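Review bot: In the hunk at old lines 1070–1075 the `$wpdb->escape()` call on `$user_ids` is dropped but, unlike the parallel hunk at 982–988, the context line `$user_ids[] = $user->id;` (new line 1060) is left uncast, so this function now passes raw `$user->id` values onward and apparently relies on the callee's new `wp_parse_id_list()` step at new line 1089; for consistency with new line 975 I would write `$user_ids[] = (int) $user->id;` there as well. Separately, new lines 1006 and 1007 both run through the filter named `bp_core_get_specific_users_count_sql`, so the paged query cannot be filtered independently of the count query; this predates the commit, but since both lines are rewritten here it is a good moment to give the paged query its own filter name. Both enclosing functions start and end outside the hunks shown.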