Skip to:
Content

BuddyPress.org

Changeset 8541


Ignore:
Timestamp:
06/19/2014 01:36:57 AM (9 years ago)
Author:
boonebgorges
Message:

Refactor all uses of like_escape() to use bp_esc_like()

WordPress 4.0 will deprecate like_escape(), due to a history of inconsistent
documentation and usage. Its replacement is a new method, $wpdb->esc_like(),
which will be available only in WP 4.0. For this reason, and because the
return value of $wpdb->esc_like() will not always be identical to that of
like_escape(), BP cannot do a straight swap of the old function for the new
one. Instead, we introduce a wrapper function that uses the core method if
available, and otherwise reproduces the logic of that method (for earlier
versions of WordPress).

Fixes #5701
slightly different syntax in some cases

Location:
trunk/src
Files:
9 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/bp-activity/bp-activity-classes.php

    r8491 r8541  
    338338        // Searching
    339339        if ( $search_terms ) {
    340             $search_terms = esc_sql( $search_terms );
    341             $where_conditions['search_sql'] = "a.content LIKE '%%" . esc_sql( like_escape( $search_terms ) ) . "%%'";
     340            $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     341            $where_conditions['search_sql'] = $wpdb->prepare( 'a.content LIKE %s', $search_terms_like );
    342342        }
    343343
  • trunk/src/bp-blogs/bp-blogs-classes.php

    r8505 r8541  
    157157
    158158        if ( !empty( $search_terms ) ) {
    159             $filter = esc_sql( like_escape( $search_terms ) );
    160             $paged_blogs = $wpdb->get_results( "SELECT b.blog_id, b.user_id as admin_user_id, u.user_email as admin_user_email, wb.domain, wb.path, bm.meta_value as last_activity, bm2.meta_value as name FROM {$bp->blogs->table_name} b, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2, {$wpdb->base_prefix}blogs wb, {$wpdb->users} u WHERE b.blog_id = wb.blog_id AND b.user_id = u.ID AND b.blog_id = bm.blog_id AND b.blog_id = bm2.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'last_activity' AND bm2.meta_key = 'name' AND bm2.meta_value LIKE '%%$filter%%' {$user_sql} {$include_sql} GROUP BY b.blog_id {$order_sql} {$pag_sql}" );
    161             $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT b.blog_id) FROM {$bp->blogs->table_name} b, {$wpdb->base_prefix}blogs wb, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2 WHERE b.blog_id = wb.blog_id AND bm.blog_id = b.blog_id AND bm2.blog_id = b.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'name' AND bm2.meta_key = 'description' AND ( bm.meta_value LIKE '%%$filter%%' || bm2.meta_value LIKE '%%$filter%%' ) {$user_sql} {$include_sql}" );
     159            $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     160            $search_terms_sql  = $wpdb->prepare( 'bm2.meta_value LIKE %s', $search_terms_like );
     161            $paged_blogs = $wpdb->get_results( "SELECT b.blog_id, b.user_id as admin_user_id, u.user_email as admin_user_email, wb.domain, wb.path, bm.meta_value as last_activity, bm2.meta_value as name FROM {$bp->blogs->table_name} b, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2, {$wpdb->base_prefix}blogs wb, {$wpdb->users} u WHERE b.blog_id = wb.blog_id AND b.user_id = u.ID AND b.blog_id = bm.blog_id AND b.blog_id = bm2.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'last_activity' AND bm2.meta_key = 'name' AND {$search_terms_sql} {$user_sql} {$include_sql} GROUP BY b.blog_id {$order_sql} {$pag_sql}" );
     162            $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT b.blog_id) FROM {$bp->blogs->table_name} b, {$wpdb->base_prefix}blogs wb, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2 WHERE b.blog_id = wb.blog_id AND bm.blog_id = b.blog_id AND bm2.blog_id = b.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'name' AND bm2.meta_key = 'description' AND {$search_terms_sql} {$user_sql} {$include_sql}" );
    162163        } else {
    163164            $paged_blogs = $wpdb->get_results( "SELECT b.blog_id, b.user_id as admin_user_id, u.user_email as admin_user_email, wb.domain, wb.path, bm.meta_value as last_activity, bm2.meta_value as name FROM {$bp->blogs->table_name} b, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2, {$wpdb->base_prefix}blogs wb, {$wpdb->users} u WHERE b.blog_id = wb.blog_id AND b.user_id = u.ID AND b.blog_id = bm.blog_id AND b.blog_id = bm2.blog_id {$user_sql} AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'last_activity' AND bm2.meta_key = 'name' {$include_sql} GROUP BY b.blog_id {$order_sql} {$pag_sql}" );
     
    343344        global $wpdb, $bp;
    344345
    345         $filter = esc_sql( like_escape( $filter ) );
     346        $search_terms_like = '%' . bp_esc_like( $filter ) . '%';
     347        $search_terms_sql  = $wpdb->prepare( 'bm.meta_value LIKE %s', $search_terms_like );
    346348
    347349        $hidden_sql = '';
     
    354356        }
    355357
    356         $paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND bm.meta_value LIKE '%%$filter%%' ) {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC{$pag_sql}" );
    357         $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND bm.meta_value LIKE '%%$filter%%' ) {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC" );
     358        $paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND {$search_terms_sql} ) {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC{$pag_sql}" );
     359        $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE ( ( bm.meta_key = 'name' OR bm.meta_key = 'description' ) AND {$search_terms_sql} ) {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY meta_value ASC" );
    358360
    359361        return array( 'blogs' => $paged_blogs, 'total' => $total_blogs );
     
    404406        global $bp, $wpdb;
    405407
    406         $letter = esc_sql( like_escape( $letter ) );
     408        $letter_like = '%' . bp_esc_like( $letter ) . '%';
     409        $letter_sql  = $wpdb->prepare( 'bm.meta_value LIKE %s', $letter_like );
    407410
    408411        $hidden_sql = '';
     
    414417            $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
    415418
    416         $paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND bm.meta_value LIKE '$letter%%' {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC{$pag_sql}" );
    417         $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND bm.meta_value LIKE '$letter%%' {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC" );
     419        $paged_blogs = $wpdb->get_results( "SELECT DISTINCT bm.blog_id FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND {$letter_sql} {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC{$pag_sql}" );
     420        $total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT bm.blog_id) FROM {$bp->blogs->table_name_blogmeta} bm LEFT JOIN {$wpdb->base_prefix}blogs wb ON bm.blog_id = wb.blog_id WHERE bm.meta_key = 'name' AND {$letter_sql} {$hidden_sql} AND wb.mature = 0 AND wb.spam = 0 AND wb.archived = '0' AND wb.deleted = 0 ORDER BY bm.meta_value ASC" );
    418421
    419422        return array( 'blogs' => $paged_blogs, 'total' => $total_blogs );
  • trunk/src/bp-core/bp-core-classes.php

    r8332 r8541  
    365365        // xprofile field matches happen in bp_xprofile_bp_user_query_search()
    366366        if ( false !== $search_terms ) {
    367             $search_terms_clean = esc_sql( esc_sql( $search_terms ) );
    368             $sql['where']['search'] = "u.{$this->uid_name} IN ( SELECT ID FROM {$wpdb->users} WHERE ( user_login LIKE '%{$search_terms_clean}%' OR user_nicename LIKE '%{$search_terms_clean}%' ) )";
     367            $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     368            $sql['where']['search'] = $wpdb->prepare( "u.{$this->uid_name} IN ( SELECT ID FROM {$wpdb->users} WHERE ( user_login LIKE %s OR user_nicename LIKE %s ) )", $search_terms_like, $search_terms_like );
    369369        }
    370370
     
    968968
    969969        if ( !empty( $search_terms ) && bp_is_active( 'xprofile' ) ) {
    970             $search_terms             = esc_sql( like_escape( $search_terms ) );
    971             $sql['where_searchterms'] = "AND spd.value LIKE '%%$search_terms%%'";
     970            $search_terms_like        = '%' . bp_esc_like( $search_terms ) . '%';
     971            $sql['where_searchterms'] = $wpdb->prepare( "AND spd.value LIKE %s", $search_terms_like );
    972972        }
    973973
     
    10861086        }
    10871087
    1088         $letter     = esc_sql( like_escape( $letter ) );
    1089         $status_sql = bp_core_get_status_sql( 'u.' );
     1088        $letter_like = bp_esc_like( $letter ) . '%';
     1089        $status_sql  = bp_core_get_status_sql( 'u.' );
    10901090
    10911091        if ( !empty( $exclude ) ) {
     
    10961096        }
    10971097
    1098         $total_users_sql = apply_filters( 'bp_core_users_by_letter_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%'  ORDER BY pd.value ASC", bp_xprofile_fullname_field_name() ) );
    1099         $paged_users_sql = apply_filters( 'bp_core_users_by_letter_sql',       $wpdb->prepare( "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%' ORDER BY pd.value ASC{$pag_sql}", bp_xprofile_fullname_field_name() ) );
     1098        $total_users_sql = apply_filters( 'bp_core_users_by_letter_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE %s ORDER BY pd.value ASC", bp_xprofile_fullname_field_name(), $letter_like ) );
     1099        $paged_users_sql = apply_filters( 'bp_core_users_by_letter_sql',       $wpdb->prepare( "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE %s ORDER BY pd.value ASC{$pag_sql}", bp_xprofile_fullname_field_name(), $letter_like ) );
    11001100
    11011101        $total_users = $wpdb->get_var( $total_users_sql );
     
    11851185        $pag_sql  = $limit && $page ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * intval( $limit ) ), intval( $limit ) ) : '';
    11861186
    1187         $search_terms = esc_sql( like_escape( $search_terms ) );
    1188         $status_sql   = bp_core_get_status_sql( 'u.' );
    1189 
    1190         $total_users_sql = apply_filters( 'bp_core_search_users_count_sql', "SELECT COUNT(DISTINCT u.ID) as id FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE '%%{$search_terms}%%' ORDER BY pd.value ASC", $search_terms );
    1191         $paged_users_sql = apply_filters( 'bp_core_search_users_sql',       "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE '%%{$search_terms}%%' ORDER BY pd.value ASC{$pag_sql}", $search_terms, $pag_sql );
     1187        $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     1188        $status_sql        = bp_core_get_status_sql( 'u.' );
     1189
     1190        $total_users_sql = apply_filters( 'bp_core_search_users_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) as id FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE %s ORDER BY pd.value ASC", $search_terms_like ), $search_terms );
     1191        $paged_users_sql = apply_filters( 'bp_core_search_users_sql',       $wpdb->prepare( "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE %s ORDER BY pd.value ASC{$pag_sql}", $search_terms_like ), $search_terms, $pag_sql );
    11921192
    11931193        $total_users = $wpdb->get_var( $total_users_sql );
  • trunk/src/bp-core/bp-core-functions.php

    r8511 r8541  
    263263    $order = strtoupper( trim( $order ) );
    264264    return 'DESC' === $order ? 'DESC' : 'ASC';
     265}
     266
     267/**
     268 * Escape special characters in a SQL LIKE clause.
     269 *
     270 * In WordPress 4.0, like_escape() was deprecated, due to incorrect
     271 * documentation and improper sanitization leading to a history of misuse. To
     272 * maintain compatibility with versions of WP before 4.0, we duplicate the
     273 * logic of the replacement, wpdb::esc_like().
     274 *
     275 * @since BuddyPress (2.1.0)
     276 *
     277 * @see wpdb::esc_like() for more details on proper use.
     278 *
     279 * @param string $text The raw text to be escaped.
     280 * @return string Text in the form of a LIKE phrase. Not SQL safe. Run through
     281 *         wpdb::prepare() before use.
     282 */
     283function bp_esc_like( $text ) {
     284    global $wpdb;
     285
     286    if ( method_exists( $wpdb, 'esc_like' ) ) {
     287        return $wpdb->esc_like( $text );
     288    } else {
     289        return addcslashes( $text, '_%\\' );
     290    }
    265291}
    266292
  • trunk/src/bp-friends/bp-friends-classes.php

    r8105 r8541  
    291291            $user_id = bp_loggedin_user_id();
    292292
    293         $filter = esc_sql( like_escape( $filter ) );
     293        // Only search for matching strings at the beginning of the
     294        // name (@todo - figure out why this restriction)
     295        $search_terms_like = bp_esc_like( $filter ) . '%';
    294296
    295297        $pag_sql = '';
     
    308310        // filter the user_ids based on the search criteria.
    309311        if ( bp_is_active( 'xprofile' ) ) {
    310             $sql       = "SELECT DISTINCT user_id FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE '{$filter}%%' {$pag_sql}";
    311             $total_sql = "SELECT COUNT(DISTINCT user_id) FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE '{$filter}%%'";
     312            $sql       = $wpdb->prepare( "SELECT DISTINCT user_id FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE %s {$pag_sql}", $search_terms_like );
     313            $total_sql = $wpdb->prepare( "SELECT COUNT(DISTINCT user_id) FROM {$bp->profile->table_name_data} WHERE user_id IN ({$fids}) AND value LIKE %s", $search_terms_like );
    312314        } else {
    313             $sql       = "SELECT DISTINCT user_id FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE '{$filter}%%' {$pag_sql}";
    314             $total_sql = "SELECT COUNT(DISTINCT user_id) FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE '{$filter}%%'";
     315            $sql       = $wpdb->prepare( "SELECT DISTINCT user_id FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE %s' {$pag_sql}", $search_terms_like );
     316            $total_sql = $wpdb->prepare( "SELECT COUNT(DISTINCT user_id) FROM {$wpdb->usermeta} WHERE user_id IN ({$fids}) AND meta_key = 'nickname' AND meta_value LIKE %s", $search_terms_like );
    315317        }
    316318
     
    444446        global $wpdb, $bp;
    445447
    446         $filter = esc_sql( like_escape( $filter ) );
     448        // Only search for matching strings at the beginning of the
     449        // name (@todo - figure out why this restriction)
     450        $search_terms_like = bp_esc_like( $filter ) . '%';
    447451
    448452        $usermeta_table = $wpdb->base_prefix . 'usermeta';
     
    455459        // filter the user_ids based on the search criteria.
    456460        if ( bp_is_active( 'xprofile' ) ) {
    457             $sql = "SELECT DISTINCT d.user_id as id FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE '{$filter}%%' ORDER BY d.value DESC {$pag_sql}";
     461            $sql = $wpdb->prepare( "SELECT DISTINCT d.user_id as id FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE %s ORDER BY d.value DESC {$pag_sql}", $search_terms_like );
    458462        } else {
    459             $sql = "SELECT DISTINCT user_id as id FROM {$usermeta_table} WHERE meta_value LIKE '{$filter}%%' ORDER BY d.value DESC {$pag_sql}";
     463            $sql = $wpdb->prepare( "SELECT DISTINCT user_id as id FROM {$usermeta_table} WHERE meta_value LIKE %s ORDER BY d.value DESC {$pag_sql}", $search_terms_like );
    460464        }
    461465
     
    479483        global $wpdb, $bp;
    480484
    481         $filter = esc_sql( like_escape( $filter ) );
     485        // Only search for matching strings at the beginning of the
     486        // name (@todo - figure out why this restriction)
     487        $search_terms_like = bp_esc_like( $filter ) . '%';
    482488
    483489        $usermeta_table = $wpdb->prefix . 'usermeta';
     
    486492        // filter the user_ids based on the search criteria.
    487493        if ( bp_is_active( 'xprofile' ) ) {
    488             $sql = "SELECT COUNT(DISTINCT d.user_id) FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE '{$filter}%%'";
     494            $sql = $wpdb->prepare( "SELECT COUNT(DISTINCT d.user_id) FROM {$bp->profile->table_name_data} d, {$users_table} u WHERE d.user_id = u.id AND d.value LIKE %s", $search_terms_like );
    489495        } else {
    490             $sql = "SELECT COUNT(DISTINCT user_id) FROM {$usermeta_table} WHERE meta_value LIKE '{$filter}%%'";
     496            $sql = $wpdb->prepare( "SELECT COUNT(DISTINCT user_id) FROM {$usermeta_table} WHERE meta_value LIKE %s", $search_terms_like );
    491497        }
    492498
  • trunk/src/bp-groups/bp-groups-classes.php

    r8537 r8541  
    446446            $user_id = bp_displayed_user_id();
    447447
    448         $filter = esc_sql( like_escape( $filter ) );
     448        $search_terms_like = bp_esc_like( $filter ) . '%';
    449449
    450450        $pag_sql = $order_sql = $hidden_sql = '';
     
    461461        $gids = esc_sql( implode( ',', wp_parse_id_list( $gids['groups'] ) ) );
    462462
    463         $paged_groups = $wpdb->get_results( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE '{$filter}%%' OR description LIKE '{$filter}%%' ) AND id IN ({$gids}) {$pag_sql}" );
    464         $total_groups = $wpdb->get_var( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE '{$filter}%%' OR description LIKE '{$filter}%%' ) AND id IN ({$gids})" );
     463        $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) AND id IN ({$gids}) {$pag_sql}", $search_terms_like, $search_terms_like ) );
     464        $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) AND id IN ({$gids})", $search_terms_like, $search_terms_like ) );
    465465
    466466        return array( 'groups' => $paged_groups, 'total' => $total_groups );
     
    487487        global $wpdb, $bp;
    488488
    489         $filter = esc_sql( like_escape( $filter ) );
     489        $search_terms_like = '%' . bp_esc_like( $filter ) . '%';
    490490
    491491        $pag_sql = $order_sql = $hidden_sql = '';
     
    503503            $hidden_sql = "AND status != 'hidden'";
    504504
    505         $paged_groups = $wpdb->get_results( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE '%%{$filter}%%' OR description LIKE '%%{$filter}%%' ) {$hidden_sql} {$order_sql} {$pag_sql}" );
    506         $total_groups = $wpdb->get_var( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE '%%{$filter}%%' OR description LIKE '%%{$filter}%%' ) {$hidden_sql}" );
     505        $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) {$hidden_sql} {$order_sql} {$pag_sql}", $search_terms_like, $search_terms_like ) );
     506        $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE %s OR description LIKE %s ) {$hidden_sql}", $search_terms_like, $search_terms_like ) );
    507507
    508508        return array( 'groups' => $paged_groups, 'total' => $total_groups );
     
    703703
    704704        if ( ! empty( $r['search_terms'] ) ) {
    705             $search_terms = esc_sql( like_escape( $r['search_terms'] ) );
    706             $sql['search'] = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
     705            $search_terms_like = '%' . bp_esc_like( $r['search_terms'] ) . '%';
     706            $sql['search'] = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    707707        }
    708708
     
    785785
    786786        if ( ! empty( $sql['search'] ) ) {
    787             $total_sql['where'][] = "( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
     787            $total_sql['where'][] = $wpdb->prepare( "( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    788788        }
    789789
     
    10301030
    10311031        if ( !empty( $search_terms ) ) {
    1032             $search_terms = esc_sql( like_escape( $search_terms ) );
    1033             $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
     1032            $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     1033            $search_sql        = $wpdb->prepare( ' AND ( g.name LIKE %s OR g.description LIKE %s ) ', $search_terms_like, $search_terms_like );
    10341034        }
    10351035
     
    10941094
    10951095        if ( !empty( $search_terms ) ) {
    1096             $search_terms = esc_sql( like_escape( $search_terms ) );
    1097             $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
     1096            $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     1097            $search_sql        = $wpdb->prepare( ' AND ( g.name LIKE %s OR g.description LIKE %s ) ', $search_terms_like, $search_terms_like );
    10981098        }
    10991099
     
    11651165            $hidden_sql = " AND status != 'hidden'";
    11661166
    1167         $letter = esc_sql( like_escape( $letter ) );
     1167        $letter_like = bp_esc_like( $letter ) . '%';
    11681168
    11691169        if ( !empty( $limit ) && !empty( $page ) ) {
     
    11711171        }
    11721172
    1173         $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE '{$letter}%%' {$hidden_sql} {$exclude_sql}" );
    1174 
    1175         $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE '{$letter}%%' {$hidden_sql} {$exclude_sql} ORDER BY g.name ASC {$pag_sql}" );
     1173        $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE %s {$hidden_sql} {$exclude_sql}", $letter_like ) );
     1174
     1175        $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND g.name LIKE %s {$hidden_sql} {$exclude_sql} ORDER BY g.name ASC {$pag_sql}", $letter_like ) );
    11761176
    11771177        if ( !empty( $populate_extras ) ) {
     
    12211221
    12221222        if ( !empty( $search_terms ) ) {
    1223             $search_terms = esc_sql( like_escape( $search_terms ) );
    1224             $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
     1223            $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     1224            $search_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    12251225        }
    12261226
     
    14381438
    14391439        if ( !empty( $search_terms ) ) {
    1440             $st = esc_sql( like_escape( $search_terms ) );
    1441             $sql['where'] .= " AND (  t.topic_title LIKE '%{$st}%' )";
     1440            $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     1441            $sql['where'] .= $wpdb->prepare( " AND ( t.topic_title LIKE %s )", $search_terms_like );
    14421442        }
    14431443
     
    22622262        global $wpdb, $bp;
    22632263
    2264         $pag_sql = $hidden_sql = $filter_sql = '';
     2264        $user_id_sql = $pag_sql = $hidden_sql = $filter_sql = '';
     2265
     2266        $user_id_sql = $wpdb->prepare( 'm.user_id = %d', $user_id );
    22652267
    22662268        if ( !empty( $limit ) && !empty( $page ) )
     
    22682270
    22692271        if ( !empty( $filter ) ) {
    2270             $filter     = esc_sql( like_escape( $filter ) );
    2271             $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
     2272            $search_terms_like = '%' . bp_esc_like( $filter ) . '%';
     2273            $filter_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    22722274        }
    22732275
     
    22752277            $hidden_sql = " AND g.status != 'hidden'";
    22762278
    2277         $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY m.date_modified DESC {$pag_sql}", $user_id ) );
    2278         $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_banned = 0 AND m.is_confirmed = 1 ORDER BY m.date_modified DESC", $user_id ) );
     2279        $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY m.date_modified DESC {$pag_sql}" );
     2280        $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_banned = 0 AND m.is_confirmed = 1 ORDER BY m.date_modified DESC" );
    22792281
    22802282        return array( 'groups' => $paged_groups, 'total' => $total_groups );
     
    22992301        global $wpdb, $bp;
    23002302
    2301         $pag_sql = $hidden_sql = $filter_sql = '';
     2303        $user_id_sql = $pag_sql = $hidden_sql = $filter_sql = '';
     2304
     2305        $user_id_sql = $wpdb->prepare( 'm.user_id = %d', $user_id );
    23022306
    23032307        if ( !empty( $limit ) && !empty( $page ) )
     
    23052309
    23062310        if ( !empty( $filter ) ) {
    2307             $filter     = esc_sql( like_escape( $filter ) );
    2308             $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
     2311            $search_terms_like = '%' . bp_esc_like( $filter ) . '%';
     2312            $filter_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    23092313        }
    23102314
     
    23122316            $hidden_sql = " AND g.status != 'hidden'";
    23132317
    2314         $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY m.date_modified ASC {$pag_sql}", $user_id ) );
    2315         $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY date_modified ASC", $user_id ) );
     2318        $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY m.date_modified ASC {$pag_sql}" );
     2319        $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_admin = 1 ORDER BY date_modified ASC" );
    23162320
    23172321        return array( 'groups' => $paged_groups, 'total' => $total_groups );
     
    23362340        global $wpdb, $bp;
    23372341
    2338         $pag_sql = $hidden_sql = $filter_sql = '';
     2342        $user_id_sql = $pag_sql = $hidden_sql = $filter_sql = '';
     2343
     2344        $user_id_sql = $wpdb->prepare( 'm.user_id = %d', $user_id );
    23392345
    23402346        if ( !empty( $limit ) && !empty( $page ) )
     
    23422348
    23432349        if ( !empty( $filter ) ) {
    2344             $filter     = esc_sql( like_escape( $filter ) );
    2345             $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
     2350            $search_terms_like = '%' . bp_esc_like( $filter ) . '%';
     2351            $filter_sql = $wpdb->prepare( " AND ( g.name LIKE %s OR g.description LIKE %s )", $search_terms_like, $search_terms_like );
    23462352        }
    23472353
     
    23492355            $hidden_sql = " AND g.status != 'hidden'";
    23502356
    2351         $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY m.date_modified ASC {$pag_sql}", $user_id ) );
    2352         $total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY date_modified ASC", $user_id ) );
     2357        $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count'{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY m.date_modified ASC {$pag_sql}" );
     2358        $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id{$hidden_sql}{$filter_sql} AND {$user_id_sql} AND m.is_confirmed = 1 AND m.is_banned = 0 AND m.is_mod = 1 ORDER BY date_modified ASC" );
    23532359
    23542360        return array( 'groups' => $paged_groups, 'total' => $total_groups );
  • trunk/src/bp-members/bp-members-classes.php

    r8318 r8541  
    151151            // Search terms
    152152            if ( ! empty( $r['usersearch'] ) ) {
    153                 $search_terms_clean = esc_sql( esc_sql( $r['usersearch'] ) );
    154                 $search_terms_clean = like_escape( $search_terms_clean );
    155                 $sql['where'][]     = "( user_login LIKE '%" . $search_terms_clean . "%' OR user_email LIKE '%" . $search_terms_clean . "%' OR meta LIKE '%" . $search_terms_clean . "%' )";
     153                $search_terms_like = '%' . bp_esc_like( $r['usersearch'] ) . '%';
     154                $sql['where'][]    = $wpdb->prepare( "( user_login LIKE %s OR user_email LIKE %s OR meta LIKE %s )", $search_terms_like, $search_terms_like, $search_terms_like );
    156155            }
    157156
     
    209208
    210209            /**
    211              * add a boolean in case the last time an activation link 
     210             * add a boolean in case the last time an activation link
    212211             * has been sent happened less than a day ago
    213212             */
  • trunk/src/bp-messages/bp-messages-classes.php

    r8479 r8541  
    251251        global $wpdb, $bp;
    252252
    253         $pag_sql = $type_sql = $search_sql = '';
     253        $user_id_sql = $pag_sql = $type_sql = $search_sql = '';
     254
    254255        if ( $limit && $page ) {
    255256            $pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
     
    263264
    264265        if ( ! empty( $search_terms ) ) {
    265             $search_terms = like_escape( esc_sql( $search_terms ) );
    266             $search_sql   = "AND ( subject LIKE '%%$search_terms%%' OR message LIKE '%%$search_terms%%' )";
     266            $search_terms_like = '%' . bp_esc_like( $search_terms ) . '%';
     267            $search_sql        = $wpdb->prepare( "AND ( subject LIKE %s OR message LIKE %s )", $search_terms_like, $search_terms_like );
    267268        }
    268269
    269270        if ( 'sentbox' == $box ) {
    270             $thread_ids    = $wpdb->get_results( $wpdb->prepare( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND m.sender_id = %d AND r.is_deleted = 0 {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}", $user_id ) );
    271             $total_threads = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND m.sender_id = %d AND r.is_deleted = 0 {$search_sql} ", $user_id ) );
     271            $user_id_sql = $wpdb->prepare( 'm.sender_id = %d', $user_id );
     272            $thread_ids  = $wpdb->get_results( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND {$user_id_sql} AND r.is_deleted = 0 {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}" );
     273            $total_threads = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND m.sender_id = r.user_id AND {$user_id_sql} AND r.is_deleted = 0 {$search_sql} ", $user_id ) );
    272274        } else {
    273             $thread_ids = $wpdb->get_results( $wpdb->prepare( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND r.user_id = %d AND r.sender_only = 0 {$type_sql} {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}", $user_id ) );
    274             $total_threads = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND r.user_id = %d AND r.sender_only = 0 {$type_sql} {$search_sql} ", $user_id ) );
     275            $user_id_sql = $wpdb->prepare( 'r.user_id = %d', $user_id );
     276            $thread_ids = $wpdb->get_results( "SELECT m.thread_id, MAX(m.date_sent) AS date_sent FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND {$user_id_sql} AND r.sender_only = 0 {$type_sql} {$search_sql} GROUP BY m.thread_id ORDER BY date_sent DESC {$pag_sql}" );
     277            $total_threads = $wpdb->get_var( "SELECT COUNT( DISTINCT m.thread_id ) FROM {$bp->messages->table_name_recipients} r, {$bp->messages->table_name_messages} m WHERE m.thread_id = r.thread_id AND r.is_deleted = 0 AND {$user_id_sql} AND r.sender_only = 0 {$type_sql} {$search_sql}" );
    275278        }
    276279
  • trunk/src/bp-notifications/bp-notifications-classes.php

    r8176 r8541  
    328328        // search_terms
    329329        if ( ! empty( $args['search_terms'] ) ) {
    330             $search_terms = like_escape( esc_sql( $args['search_terms'] ) );
    331             $where_conditions['search_terms'] = "( component_name LIKE '%%$search_terms%%' OR component_action LIKE '%%$search_terms%%' )";
     330            $search_terms_like = '%' . bp_esc_like( $args['search_terms'] ) . '%';
     331            $where_conditions['search_terms'] = $wpdb->prepare( "( component_name LIKE %s OR component_action LIKE %s )", $search_terms_like, $search_terms_like );
    332332        }
    333333
Note: See TracChangeset for help on using the changeset viewer.