BuddyPress.org


Timestamp:
03/14/2014 12:07:18 AM (11 years ago)
Author:
boonebgorges
Message:

Don't improperly sanitize meta_key in _meta() functions

Many BP meta functions have always stripped certain characters from the
$meta_key parameter before performing their operations. This is a terrible idea
on a number of levels: it doesn't provide any feedback to the user, it silently
performs actions that are not equivalent to the ones intended by the user, and
it doesn't serve any real purpose (since any necessary sanitization happens at
the level of $wpdb). Moreover, it wasn't even applied consistently across all
functions. A truly delightful grab bag.

This changeset removes the sanitization, and updates the necessary unit tests
to reflect the change.

See #5399

File:
1 edited

  • trunk/bp-blogs/bp-blogs-functions.php

    r8125 r8129  
    854854    }
    855855
    856     // Legacy - sanitize meta_key
    857     $meta_key = preg_replace( '|[^a-z0-9_]|i', '', $meta_key );
    858 
    859856    // Legacy - if no meta_key is passed, delete all for the blog_id
    860857    if ( empty( $meta_key ) ) {
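Review bot: The `if ( empty( $meta_key ) ) {` check at new line 857 now runs on the caller's raw key, and PHP's empty() treats the string '0' as empty, so a request to delete the key '0' falls into the "delete all for the blog_id" branch. Since this branch is destructive, consider a stricter test (for example comparing against '' and null explicitly) so that only a genuinely absent key triggers the bulk delete. Note also that a key made up only of characters the old pattern stripped, such as '-', used to collapse to an empty string and reach this branch; removing the preg_replace fixes that, and a regression test for that case would pin the behaviour down.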
     
    898895function bp_blogs_get_blogmeta( $blog_id, $meta_key = '', $single = true ) {
    899896
    900     // Legacy - Sanitize meta_key
    901     $meta_key = preg_replace('|[^a-z0-9_]|i', '', $meta_key);
    902 
    903897    add_filter( 'query', 'bp_filter_metaid_column_name' );
    904898    $retval = get_metadata( 'blog', $blog_id, $meta_key, $single );
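Review bot: Backward compatibility is not addressed for reads in bp_blogs_get_blogmeta(): the removed line rewrote `$meta_key` with `preg_replace('|[^a-z0-9_]|i', '', $meta_key)`, and the update function applied the same rewrite on write, so a value saved under a key such as 'my-key' was stored as 'mykey'. After this change a read for 'my-key' is passed to get_metadata() unchanged and will no longer find that row. Suggest documenting this in the function's docblock and changelog, and stating whether existing installs need any migration or whether callers are expected to switch to the stripped key name.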
     
    934928function bp_blogs_update_blogmeta( $blog_id, $meta_key, $meta_value, $prev_value = '' ) {
    935929
    936     // Legacy - Sanitize meta_key
    937     $meta_key = preg_replace( '|[^a-z0-9_]|i', '', $meta_key );
    938 
    939930    add_filter( 'query', 'bp_filter_metaid_column_name' );
    940931    $retval = update_metadata( 'blog', $blog_id, $meta_key, $meta_value, $prev_value );
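Review bot: Missing test and documentation coverage for bp_blogs_update_blogmeta(): `$meta_key` now goes to update_metadata() exactly as supplied, but the file list for this changeset shows only bp-blogs-functions.php, so the unit test changes mentioned in the commit message are not visible here. Please confirm a test exists that writes a key containing characters the old pattern removed (a hyphen or a space, for instance) and reads it back through bp_blogs_get_blogmeta() under the same key. The docblock should also say that the key is no longer normalized, so callers that echo meta keys into markup know the function provides no character filtering.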