


Timestamp:
08/05/2013 02:42:16 PM (11 years ago)
Author:
boonebgorges
Message:

Use esc_sql() instead of $wpdb->escape() throughout

WordPress 3.6 deprecated the use of $wpdb->escape() for sanitizing SQL
query fragments, in favor of the rewritten esc_sql(). This changeset
makes the appropriate changes throughout BuddyPress.

In a few places, this changeset also removes redundant sanitization, in
particular when using wp_parse_id_list().

Also adds a unit test for a touched method (BP_User_Query, when using
the 'exclude' parameter).

Fixes #5100

Props needle

File:
1 edited

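--- a/trunk/bp-groups/bp-groups-classes.php
+++ b/trunk/bp-groups/bp-groups-classes.php
@@ -393,12 +393,10 @@
 
         if ( ! empty( $r['include'] ) ) {
-            $include        = wp_parse_id_list( $r['include'] );
-            $include        = $wpdb->escape( implode( ',', $include ) );
+            $include        = implode( ',', wp_parse_id_list( $r['include'] ) );
             $sql['include'] = " AND g.id IN ({$include})";
         }
 
         if ( ! empty( $r['exclude'] ) ) {
-            $exclude        = wp_parse_id_list( $r['exclude'] );
-            $exclude        = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude        = implode( ',', wp_parse_id_list( $r['exclude'] ) );
             $sql['exclude'] = " AND g.id NOT IN ({$exclude})";
         }
@@ -507,5 +505,5 @@
         // Populate some extra information instead of querying each time in the loop
         if ( !empty( $r['populate_extras'] ) ) {
-            $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
+            $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
             $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, $r['type'] );
         }
@@ -676,11 +674,10 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
 
         if ( !empty( $user_id ) ) {
-            $user_id      = absint( $wpdb->escape( $user_id ) );
+            $user_id      = absint( esc_sql( $user_id ) );
             $paged_groups = $wpdb->get_results( "SELECT DISTINCT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY f.topics DESC {$pag_sql}" );
             $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql}" );
@@ -692,5 +689,5 @@
         if ( !empty( $populate_extras ) ) {
             foreach ( (array) $paged_groups as $group ) $group_ids[] = $group->id;
-            $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
+            $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
             $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
         }
@@ -718,11 +715,10 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
 
         if ( !empty( $user_id ) ) {
-            $user_id = $wpdb->escape( $user_id );
+            $user_id = esc_sql( $user_id );
             $paged_groups = $wpdb->get_results( "SELECT DISTINCT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY f.posts ASC {$pag_sql}" );
             $total_groups = $wpdb->get_results( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.posts > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} " );
@@ -734,5 +730,5 @@
         if ( !empty( $populate_extras ) ) {
             foreach ( (array) $paged_groups as $group ) $group_ids[] = $group->id;
-            $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
+            $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
             $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
         }
@@ -756,6 +752,5 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
@@ -777,5 +772,5 @@
                 $group_ids[] = $group->id;
             }
-            $group_ids    = $wpdb->escape( join( ',', (array) $group_ids ) );
+            $group_ids    = implode( ',', wp_parse_id_list( $group_ids ) );
             $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
         }
@@ -802,10 +797,10 @@
         if ( !empty( $exclude ) ) {
             $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = esc_sql( implode( ',', $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
 
         if ( !empty( $user_id ) ) {
-            $user_id = $wpdb->escape( $user_id );
+            $user_id = esc_sql( $user_id );
             $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY rand() {$pag_sql}" );
             $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m LEFT JOIN {$bp->groups->table_name_groupmeta} gm ON m.group_id = gm.group_id INNER JOIN {$bp->groups->table_name} g ON m.group_id = g.id WHERE gm.meta_key = 'last_activity'{$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql}" );
@@ -817,5 +812,5 @@
         if ( !empty( $populate_extras ) ) {
             foreach ( (array) $paged_groups as $group ) $group_ids[] = $group->id;
-            $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
+            $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
             $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
         }
@@ -1512,6 +1507,5 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         } else {
@@ -1674,6 +1668,5 @@
         $exclude_sql = '';
         if ( !empty( $exclude ) ) {
-            $exclude     = wp_parse_id_list( $exclude );
-            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
             $exclude_sql = " AND m.user_id NOT IN ({$exclude})";
         }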
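Review bot: `$user_id = esc_sql( $user_id );` (new line 804, and the same pattern at new line 722) is still interpolated unquoted into `AND m.user_id = {$user_id}`, and esc_sql() only neutralises quotes, backslashes and a few control bytes, so a value such as `1 OR 1=1` goes into the query untouched; the hunk at new line 681 already uses `absint( esc_sql( $user_id ) )` for the same interpolation, and these two call sites should match it — `$user_id = absint( $user_id );` (or `$wpdb->prepare()` with `%d`) is what actually constrains an unquoted numeric operand. In the same hunk, `$exclude = esc_sql( implode( ',', $exclude ) );` at new line 799 keeps the escape call that every other hunk in this changeset drops after wp_parse_id_list(); for consistency it can become `$exclude = implode( ',', wp_parse_id_list( $exclude ) );`. Whether $user_id can reach these methods from untrusted input is not visible here, so the absint() change is defensive rather than a demonstrated exploit. The methods containing these lines start and end outside the hunks shown.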