

Changeset 7026


Timestamp:
05/08/2013 08:59:47 PM (11 years ago)
Author:
boonebgorges
Message:

Improved sanitization for Friends component database methods

  • All integer lists for IN clauses are run through wp_parse_id_list()
  • Search terms now escaped in the correct order

Also adds unit tests for touched methods

Fixes #4993

Props johnjamesjacoby

Location:
trunk
Files:
2 added
1 edited

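--- a/trunk/bp-friends/bp-friends-classes.php
+++ b/trunk/bp-friends/bp-friends-classes.php
@@ -145,5 +145,5 @@
             $user_id = bp_loggedin_user_id();
 
-        $filter = like_escape( $wpdb->escape( $filter ) );
+        $filter = esc_sql( like_escape( $filter ) );
 
         if ( !empty( $limit ) && !empty( $page ) )
@@ -154,5 +154,5 @@
 
         // Get all the user ids for the current user's friends.
-        $fids = implode( ',', $friend_ids );
+        $fids = implode( ',', wp_parse_id_list( $friend_ids ) );
 
         if ( empty( $fids ) )
@@ -199,4 +199,6 @@
         global $wpdb;
 
+        $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
+
         return $wpdb->get_results( $wpdb->prepare( "SELECT meta_value as last_activity, user_id FROM {$wpdb->usermeta} WHERE meta_key = %s AND user_id IN ( {$user_ids} ) ORDER BY meta_value DESC", bp_get_user_meta_key( 'last_activity' ) ) );
     }
@@ -223,5 +225,5 @@
         global $wpdb, $bp;
 
-        $filter = like_escape( $wpdb->escape( $filter ) );
+        $filter = esc_sql( like_escape( $filter ) );
 
         $usermeta_table = $wpdb->base_prefix . 'usermeta';
@@ -249,5 +251,5 @@
         global $wpdb, $bp;
 
-        $filter = like_escape( $wpdb->escape( $filter ) );
+        $filter = esc_sql( like_escape( $filter ) );
 
         $usermeta_table = $wpdb->prefix . 'usermeta';
@@ -274,4 +276,6 @@
         if ( !bp_is_active( 'xprofile' ) )
             return false;
+
+        $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
 
         return $wpdb->get_results( $wpdb->prepare( "SELECT user_id FROM {$bp->profile->table_name_data} pd, {$bp->profile->table_name_fields} pf WHERE pf.id = pd.field_id AND pf.name = %s AND pd.user_id IN ( {$user_ids} ) ORDER BY pd.value ASC", bp_xprofile_fullname_field_name() ) );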
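Review bot: In the two hunks that add `$user_ids = implode( ',', wp_parse_id_list( $user_ids ) );` (the last_activity query and the xprofile fullname query), an empty or all-invalid `$user_ids` produces `IN (  )` on the following `get_results()` line, which MySQL rejects as a syntax error instead of returning no rows; the `$fids` hunk guards exactly this case with `if ( empty( $fids ) )` but these two do not. Unless a guard already exists earlier in these methods — both start outside the hunk — add `if ( empty( $user_ids ) ) return array();` right after the `implode()` so callers get the same empty result as for an empty friend list. Reusing `$user_ids` for the comma-joined string also changes its type from array to string mid-method; a separate local such as `$user_ids_sql` would keep the guard and the interpolated query easier to read. The `$filter` hunks show only the escaping; where the escaped value is placed into a LIKE clause is outside the hunk, so the order fix cannot be checked against the query from here.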