Changeset 7338


Timestamp:
08/05/2013 02:42:16 PM (11 years ago)
Author:
boonebgorges
Message:

Use esc_sql() instead of $wpdb->escape() throughout

WordPress 3.6 deprecated the use of $wpdb->escape() for sanitizing SQL
query fragments, in favor of the rewritten esc_sql(). This changeset
makes the appropriate changes throughout BuddyPress.

In a few places, this changeset also removes redundant sanitization, in
particular when using wp_parse_id_list().

Also adds a unit test for a touched method (BP_User_Query, when using
the 'exclude' parameter).

Fixes #5100

Props needle

Location:
trunk
Files:
10 edited

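--- a/trunk/bp-activity/bp-activity-classes.php
+++ b/trunk/bp-activity/bp-activity-classes.php
@@ -173,5 +173,5 @@
         // Searching
         if ( $search_terms ) {
-            $search_terms = $wpdb->escape( $search_terms );
+            $search_terms = esc_sql( $search_terms );
             $where_conditions['search_sql'] = "a.content LIKE '%%" . esc_sql( like_escape( $search_terms ) ) . "%%'";
         }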
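Review bot: The new line 175 escapes `$search_terms` with esc_sql(), and the unchanged line 176 then runs the same string through `esc_sql( like_escape( $search_terms ) )`, so quotes and backslashes in a search term are SQL-escaped twice; that is redundant at best and, for terms containing those characters, likely to distort the LIKE pattern. The `$wpdb->escape()` → esc_sql() swap keeps this pre-existing double escaping intact. Drop the assignment on line 175 and let line 176 do the single escaping, or build the fragment as `$wpdb->prepare( 'a.content LIKE %s', '%' . like_escape( $search_terms ) . '%' )` if the assembled query is not itself passed through prepare() later (the `%%` on line 176 hints that it may be). The enclosing method starts and ends outside the hunk.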
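--- a/trunk/bp-activity/bp-activity-functions.php
+++ b/trunk/bp-activity/bp-activity-functions.php
@@ -686,5 +686,5 @@
     // Sanitize value
     if ( is_string( $meta_value ) )
-        $meta_value = stripslashes( $wpdb->escape( $meta_value ) );
+        $meta_value = stripslashes( esc_sql( $meta_value ) );
 
     // Maybe, just maybe... serialize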
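Review bot: `stripslashes( esc_sql( $meta_value ) )` on the new line 688 is not sanitization despite the comment above it: esc_sql() adds backslashes and stripslashes() removes them again, so quotes and backslashes come out exactly as they went in, and the statement that later stores the value must rely on `$wpdb->prepare()` for protection. Where esc_sql() resolves to mysql_real_escape_string(), control characters are encoded as letter sequences (a newline becomes `\n`) and stripslashes() then keeps only the letter, so the round trip is presumably lossy for such values — worth confirming against a meta value containing a newline. If the intent is to undo request-level slashing, `$meta_value = stripslashes( $meta_value );` says that directly; the same pattern is kept in bp-blogs-functions.php line 718, bp-groups-functions.php line 1048 and bp-xprofile-functions.php line 592. The enclosing function starts and ends outside the hunk.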
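--- a/trunk/bp-blogs/bp-blogs-functions.php
+++ b/trunk/bp-blogs/bp-blogs-functions.php
@@ -716,5 +716,5 @@
 
     if ( is_string($meta_value) )
-        $meta_value = stripslashes($wpdb->escape($meta_value));
+        $meta_value = stripslashes( esc_sql( $meta_value ) );
 
     $meta_value = maybe_serialize($meta_value);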
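--- a/trunk/bp-core/bp-core-classes.php
+++ b/trunk/bp-core/bp-core-classes.php
@@ -331,6 +331,5 @@
         // 'exclude' - User ids to exclude from the results
         if ( false !== $exclude ) {
-            $exclude        = wp_parse_id_list( $exclude );
-            $exclude_ids    = $wpdb->escape( implode( ',', (array) $exclude ) );
+            $exclude_ids    = implode( ',', wp_parse_id_list( $exclude ) );
             $sql['where'][] = "u.{$this->uid_name} NOT IN ({$exclude_ids})";
         }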
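Review bot: When `$exclude` is an empty array, `false !== $exclude` holds, wp_parse_id_list() returns an empty array and the new line 333 yields an empty string, so line 334 emits `NOT IN ()`, which MySQL rejects as a syntax error; the change keeps that pre-existing gap. Guard the clause, e.g. wrap the `$sql['where'][]` assignment in `if ( '' !== $exclude_ids ) {`, or skip the block when the parsed list is empty. Dropping the escape itself is correct here, since wp_parse_id_list() reduces every element with absint() before it is joined. The enclosing method starts and ends outside the hunk.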
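--- a/trunk/bp-forums/bp-forums-functions.php
+++ b/trunk/bp-forums/bp-forums-functions.php
@@ -463,5 +463,5 @@
     // Get the topic ids
     foreach ( (array) $topics as $topic ) $topic_ids[] = $topic->topic_id;
-    $topic_ids = $wpdb->escape( join( ',', (array) $topic_ids ) );
+    $topic_ids = implode( ',', wp_parse_id_list( $topic_ids ) );
 
     // Fetch the topic's last poster details
@@ -597,5 +597,5 @@
     // Get the user ids
     foreach ( (array) $posts as $post ) $user_ids[] = $post->poster_id;
-    $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
+    $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
 
     // Fetch the poster's user_email, user_nicename and user_login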
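Review bot: Unless it is initialised earlier in the function (outside this hunk), `$topic_ids` on the new line 465 is only ever assigned inside the foreach on line 464, so when `$topics` is empty it is an undefined variable (a PHP notice) and wp_parse_id_list() is handed null; adding `$topic_ids = array();` before the loop removes that case. The `$user_ids` hunk at lines 598–599 has the same shape. Replacing the escape with wp_parse_id_list() is the right move for an integer IN list, since each element is reduced to absint(). Both enclosing functions start and end outside the hunks.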
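--- a/trunk/bp-groups/bp-groups-classes.php
+++ b/trunk/bp-groups/bp-groups-classes.php
@@ -393,12 +393,10 @@
 
         if ( ! empty( $r['include'] ) ) {
-            $include        = wp_parse_id_list( $r['include'] );
-            $include        = $wpdb->escape( implode( ',', $include ) );
+            $include        = implode( ',', wp_parse_id_list( $r['include'] ) );
             $sql['include'] = " AND g.id IN ({$include})";
         }
 
         if ( ! empty( $r['exclude'] ) ) {
-            $exclude        = wp_parse_id_list( $r['exclude'] );
-            $exclude        = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude        = implode( ',', wp_parse_id_list( $r['exclude'] ) );
             $sql['exclude'] = " AND g.id NOT IN ({$exclude})";
         }
@@ -507,5 +505,5 @@
         // Populate some extra information instead of querying each time in the loop
         if ( !empty( $r['populate_extras'] ) ) {
-            $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
+            $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
             $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, $r['type'] );
         }
@@ -676,11 +674,10 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
 
         if ( !empty( $user_id ) ) {
-            $user_id      = absint( $wpdb->escape( $user_id ) );
+            $user_id      = absint( esc_sql( $user_id ) );
             $paged_groups = $wpdb->get_results( "SELECT DISTINCT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY f.topics DESC {$pag_sql}" );
             $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql}" );
@@ -692,5 +689,5 @@
         if ( !empty( $populate_extras ) ) {
             foreach ( (array) $paged_groups as $group ) $group_ids[] = $group->id;
-            $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
+            $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
             $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
         }
@@ -718,11 +715,10 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
 
         if ( !empty( $user_id ) ) {
-            $user_id = $wpdb->escape( $user_id );
+            $user_id = esc_sql( $user_id );
             $paged_groups = $wpdb->get_results( "SELECT DISTINCT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY f.posts ASC {$pag_sql}" );
             $total_groups = $wpdb->get_results( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.posts > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} " );
@@ -734,5 +730,5 @@
         if ( !empty( $populate_extras ) ) {
             foreach ( (array) $paged_groups as $group ) $group_ids[] = $group->id;
-            $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
+            $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
             $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
         }
@@ -756,6 +752,5 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
@@ -777,5 +772,5 @@
                 $group_ids[] = $group->id;
             }
-            $group_ids    = $wpdb->escape( join( ',', (array) $group_ids ) );
+            $group_ids    = implode( ',', wp_parse_id_list( $group_ids ) );
             $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
         }
@@ -802,10 +797,10 @@
         if ( !empty( $exclude ) ) {
             $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = esc_sql( implode( ',', $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
 
         if ( !empty( $user_id ) ) {
-            $user_id = $wpdb->escape( $user_id );
+            $user_id = esc_sql( $user_id );
             $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY rand() {$pag_sql}" );
             $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m LEFT JOIN {$bp->groups->table_name_groupmeta} gm ON m.group_id = gm.group_id INNER JOIN {$bp->groups->table_name} g ON m.group_id = g.id WHERE gm.meta_key = 'last_activity'{$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql}" );
@@ -817,5 +812,5 @@
         if ( !empty( $populate_extras ) ) {
             foreach ( (array) $paged_groups as $group ) $group_ids[] = $group->id;
-            $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
+            $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
             $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
         }
@@ -1512,6 +1507,5 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         } else {
@@ -1674,6 +1668,5 @@
         $exclude_sql = '';
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
             $exclude_sql = " AND m.user_id NOT IN ({$exclude})";
         }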
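Review bot: On the new lines 722 and 804, `$user_id = esc_sql( $user_id )` is the wrong tool: esc_sql() escapes quote characters for use inside a quoted string literal, but `$user_id` is interpolated unquoted into `AND m.user_id = {$user_id}` on the following lines, where quote escaping constrains nothing and whatever the caller passed reaches the query as-is. Line 681 already shows the right form for this integer context — `$user_id = absint( $user_id );` (its inner esc_sql() is redundant) — or the value can go through `$wpdb->prepare()` with `%d`. Line 799 (`esc_sql( implode( ',', $exclude ) )`) is the one place that keeps an escape after wp_parse_id_list(), unlike the parallel hunks at 676, 717, 754, 1509 and 1670; dropping it would make the file consistent with the rest of the changeset. All enclosing methods start and end outside the hunks.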
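--- a/trunk/bp-groups/bp-groups-functions.php
+++ b/trunk/bp-groups/bp-groups-functions.php
@@ -1046,5 +1046,5 @@
 
     if ( is_string( $meta_value ) )
-        $meta_value = stripslashes( $wpdb->escape( $meta_value ) );
+        $meta_value = stripslashes( esc_sql( $meta_value ) );
 
     $meta_value = maybe_serialize( $meta_value );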
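--- a/trunk/bp-messages/bp-messages-classes.php
+++ b/trunk/bp-messages/bp-messages-classes.php
@@ -151,5 +151,5 @@
 
         if ( !empty( $search_terms ) ) {
-            $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms = like_escape( esc_sql( $search_terms ) );
             $search_sql   = "AND ( subject LIKE '%%$search_terms%%' OR message LIKE '%%$search_terms%%' )";
         }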
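Review bot: The new line 153 applies `like_escape( esc_sql( ... ) )`, the reverse of the `esc_sql( like_escape( ... ) )` order used in bp-activity-classes.php line 176 in this same changeset; the two should agree, and the conventional order is to LIKE-escape first and SQL-escape the result, so the backslashes like_escape() inserts are themselves escaped for the string literal. Since the fragment on line 154 is assembled by hand, a clearer form is `$like = '%' . like_escape( $search_terms ) . '%';` followed by `$search_sql = $wpdb->prepare( 'AND ( subject LIKE %s OR message LIKE %s )', $like, $like );` — assuming the full query is not itself passed through prepare() later, which the `%%` on line 154 hints it may be. The enclosing method starts and ends outside the hunk.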
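--- a/trunk/bp-xprofile/bp-xprofile-functions.php
+++ b/trunk/bp-xprofile/bp-xprofile-functions.php
@@ -590,5 +590,5 @@
 
     if ( is_string( $meta_value ) )
-        $meta_value = stripslashes( $wpdb->escape( $meta_value ) );
+        $meta_value = stripslashes( esc_sql( $meta_value ) );
 
     $meta_value = maybe_serialize( $meta_value );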
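--- a/trunk/tests/testcases/core/class-bp-user-query.php
+++ b/trunk/tests/testcases/core/class-bp-user-query.php
@@ -201,3 +201,25 @@
         $this->assertEquals( $user_id, $found_user_id );
     }
+
+    /**
+     * @group exclude
+     */
+    public function test_bp_user_query_with_exclude() {
+        // Grab list of existing users who should also be excluded
+        global $wpdb;
+        $existing_users = $wpdb->get_col( "SELECT ID FROM {$wpdb->users}" );
+
+        $u1 = $this->create_user();
+        $u2 = $this->create_user();
+
+        $exclude = array_merge( array( $u1 ), $existing_users );
+        $q = new BP_User_Query( array( 'exclude' => $exclude, ) );
+
+        $found_user_ids = null;
+        if ( ! empty( $q->results ) ) {
+            $found_user_ids = array_values( wp_parse_id_list( wp_list_pluck( $q->results, 'ID' ) ) );
+        }
+
+        $this->assertEquals( array( $u2 ), $found_user_ids );
+    }
 }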