


Timestamp:
05/08/2013 08:31:14 PM (11 years ago)
Author:
boonebgorges
Message:

Improved sanitization in the Core component database methods

All constructed IN clauses for integer values are now run through
wp_parse_id_list().

Fixes #4992 for the 1.7 branch

Props johnjamesjacoby, DJPaul

File:
1 edited

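--- a/branches/1.7/bp-core/bp-core-classes.php
+++ b/branches/1.7/bp-core/bp-core-classes.php
@@ -302,5 +302,5 @@
         if ( empty( $include ) && ! empty( $user_id ) && bp_is_active( 'friends' ) ) {
             $friend_ids = friends_get_friend_user_ids( $user_id );
-            $friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
+            $friend_ids = implode( ',', wp_parse_id_list( $friend_ids ) );
 
             if ( ! empty( $friend_ids ) ) {
@@ -804,4 +804,5 @@
 
         if ( !empty( $exclude ) ) {
+            $exclude              = implode( ',', wp_parse_id_list( $exclude ) );
             $sql['where_exclude'] = "AND u.ID NOT IN ({$exclude})";
         }
@@ -813,18 +814,11 @@
         } else {
             if ( !empty( $include ) ) {
-                if ( is_array( $include ) ) {
-                    $uids = $wpdb->escape( implode( ',', (array) $include ) );
-                } else {
-                    $uids = $wpdb->escape( $include );
-                }
-
-                if ( !empty( $uids ) ) {
-                    $sql['where_users'] = "AND u.ID IN ({$uids})";
-                }
+                $include = implode( ',',  wp_parse_id_list( $include ) );
+                $sql['where_users'] = "AND u.ID IN ({$include})";
             } elseif ( !empty( $user_id ) && bp_is_active( 'friends' ) ) {
                 $friend_ids = friends_get_friend_user_ids( $user_id );
-                $friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
 
                 if ( !empty( $friend_ids ) ) {
+                    $friend_ids = implode( ',', wp_parse_id_list( $friend_ids ) );
                     $sql['where_friends'] = "AND u.ID IN ({$friend_ids})";
 
@@ -912,6 +906,4 @@
             }
 
-            $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
-
             // Add additional data to the returned results
             $paged_users = BP_Core_User::get_user_extras( $paged_users, $user_ids, $type );
@@ -958,6 +950,5 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $r['exclude'] );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $r['exclude'] ) );
             $exclude_sql = " AND u.id NOT IN ({$exclude})";
         } else {
@@ -980,7 +971,5 @@
         $user_ids = array();
         foreach ( (array) $paged_users as $user )
-            $user_ids[] = $user->id;
-
-        $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
+            $user_ids[] = (int) $user->id;
 
         // Add additional data to the returned results
@@ -1010,8 +999,9 @@
             $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
 
+        $user_ids   = implode( ',', wp_parse_id_list( $user_ids ) );
         $status_sql = bp_core_get_status_sql();
 
-        $total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) " );
-        $paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) {$pag_sql}" );
+        $total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ({$user_ids})" );
+        $paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ({$user_ids}) {$pag_sql}" );
 
         $total_users = $wpdb->get_var( $total_users_sql );
@@ -1068,6 +1058,4 @@
             $user_ids[] = $user->id;
 
-        $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
-
         // Add additional data to the returned results
         if ( $populate_extras )
@@ -1095,4 +1083,7 @@
         if ( empty( $user_ids ) )
             return $paged_users;
+
+        // Sanitize user IDs
+        $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
 
         // Fetch the user's full name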
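Review bot: The include branch in the third hunk (old lines 815-823 replaced by new 816-817) drops the `!empty( $uids )` guard that used to wrap `$sql['where_users']`, so the clause is now built unconditionally from whatever `wp_parse_id_list()` returns. If that helper can yield an empty array for a non-empty but non-numeric `$include` (not confirmable from this page), the query degrades to `AND u.ID IN ()`, a MySQL syntax error rather than an empty result set; wrapping the assignment in `if ( ! empty( $include ) )` after the implode closes that gap at no cost. The same unguarded shape is used for `$exclude` in the second and fifth hunks and for `$user_ids` in the seventh. Separately, the rewritten lines 1004-1005 still pass both the count query and the paged query through the same `bp_core_get_specific_users_count_sql` hook, so a filter callback cannot tell which statement it is modifying. Every method touched here starts and ends outside its hunk.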