BuddyPress.org
Timestamp: 05/08/2013 08:27:22 PM
Author: boonebgorges
Message:

Improved sanitization for Core component database methods

All constructed IN clauses for integer values are now run through
wp_parse_id_list().

Also adds tests for the relevant methods.

Fixes #4992

Props johnjamesjacoby, DJPaul
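The difference between the two constructions in this changeset, shown as an added example that is not BuddyPress or WordPress code. `stand_in_parse_id_list()` is a local stand-in that approximates what core's `wp_parse_id_list()` does (accept an array or a comma/whitespace separated string, cast each item with absint, drop duplicates); the table name, the sample input and the empty-list guard are assumptions made for the example. Whether the original call site could receive attacker-controlled values is not shown on this page; the example only demonstrates why integer IN lists must be sanitized before interpolation.

```php
<?php
// Added example, not project code. Run with: php example.php

// Stand-in approximating WordPress core's wp_parse_id_list():
// arrays are used as-is, strings are split on commas/whitespace,
// every item is cast to a non-negative integer, duplicates are removed.
function stand_in_parse_id_list( $list ) {
    if ( ! is_array( $list ) ) {
        $list = preg_split( '/[\s,]+/', (string) $list, -1, PREG_SPLIT_NO_EMPTY );
    }
    $ints = array_map( function ( $v ) { return abs( (int) $v ); }, $list );
    return array_values( array_unique( $ints ) );
}

// The r6771 construction: whatever is in $page_ids lands in the SQL text.
function build_in_clause_unsafe( $page_ids ) {
    $page_ids_sql = implode( ',', (array) $page_ids );
    return "SELECT ID, post_name FROM wp_posts WHERE ID IN ({$page_ids_sql}) AND post_status = 'publish'";
}

// The r7024 construction: only integers can reach the query text.
// The empty-list guard is an assumption added here; wp_parse_id_list()
// does not provide it, and "WHERE ID IN ()" is a MySQL syntax error.
function build_in_clause_safe( $page_ids ) {
    $ids = stand_in_parse_id_list( $page_ids );
    if ( empty( $ids ) ) {
        return null; // caller should skip the query entirely
    }
    $page_ids_sql = implode( ',', $ids );
    return "SELECT ID, post_name FROM wp_posts WHERE ID IN ({$page_ids_sql}) AND post_status = 'publish'";
}

// Constructed input: one entry is not a clean integer, one is a duplicate.
$tainted = array( 4, '7) OR 1=1 #', 4 );

echo build_in_clause_unsafe( $tainted ), PHP_EOL;
echo build_in_clause_safe( $tainted ), PHP_EOL;
var_dump( build_in_clause_safe( array() ) );
```

The unsafe builder emits `WHERE ID IN (4,7) OR 1=1 #,4) AND post_status = 'publish'`, so the `OR 1=1` widens the match to every row and the `#` comments out the `post_status` condition. The safe builder emits `WHERE ID IN (4,7) AND post_status = 'publish'` because the cast keeps only the leading digits of the tainted entry, and the duplicate 4 is collapsed. The empty-array case returns null rather than producing `IN ()`.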

File: 1 edited

  • trunk/bp-core/bp-core-functions.php

    r6771 r7024  
    142142        // from the current blog
    143143        $posts_table_name = bp_is_multiblog_mode() ? $wpdb->posts : $wpdb->get_blog_prefix( bp_get_root_blog_id() ) . 'posts';
    144         $page_ids_sql     = implode( ',', (array) $page_ids );
     144        $page_ids_sql     = implode( ',', wp_parse_id_list( $page_ids ) );
    145145        $page_names       = $wpdb->get_results( "SELECT ID, post_name, post_parent, post_title FROM {$posts_table_name} WHERE ID IN ({$page_ids_sql}) AND post_status = 'publish' " );
    146146
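Review bot: the empty-list case on lines 144-145 is still unguarded: when `$page_ids` is empty, `wp_parse_id_list()` returns an empty array, `$page_ids_sql` becomes the empty string, and `WHERE ID IN ({$page_ids_sql})` is sent to MySQL as `IN ()`, which is a syntax error. Suggest returning early before the `$wpdb->get_results()` call when `$page_ids_sql` is empty, for example `if ( '' === $page_ids_sql ) return array();`. Also worth a comment at the call site: `wp_parse_id_list()` casts with absint rather than rejecting, so a non-numeric entry becomes 0 and silently matches nothing instead of surfacing as a caller bug.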