BuddyPress.org
Timestamp: 02/26/2014 01:39:13 PM (11 years ago)
Author: boonebgorges
Message:

Don't use mysql_real_escape_string() in BP_User_Query

Fixes #5432

Props imath

File: 1 edited

  • trunk/bp-core/bp-core-classes.php

    r7989 r7993  
    366366        // @todo remove need for bp_is_active() check
    367367        if ( false !== $search_terms && bp_is_active( 'xprofile' ) ) {
    368             $search_terms_clean = mysql_real_escape_string( mysql_real_escape_string( $search_terms ) );
     368            $search_terms_clean = esc_sql( esc_sql( $search_terms ) );
    369369            $search_terms_clean = like_escape( $search_terms_clean );
    370370            $found_user_ids_query = "SELECT user_id FROM {$bp->profile->table_name_data} WHERE value LIKE '%" . $search_terms_clean . "%'";
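Review bot: the replacement line still escapes the term twice, esc_sql( esc_sql( $search_terms ) ), so it carries over the double escaping of the removed mysql_real_escape_string( mysql_real_escape_string( ... ) ) line rather than fixing it. A search term containing a quote or a backslash is escaped twice: for O'Brien the concatenated query contains O\\\'Brien, which MySQL unescapes to O\'Brien, so the LIKE never matches the stored value O'Brien and the search silently returns nothing for such names. One esc_sql() call is the correct amount of escaping here. Since the term is then spliced into $found_user_ids_query inside a LIKE '%...%' pattern on the following line, the more robust form is to keep like_escape() for the % and _ wildcards and hand the whole pattern to $wpdb->prepare() with a %s placeholder ('%' . $like . '%' as the argument), which escapes exactly once and removes the manual string concatenation from the query.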