Changeset 9073 for trunk/src/bp-xprofile/bp-xprofile-filters.php

Timestamp:

10/08/2014 02:14:29 PM (10 years ago)

Author:

boonebgorges

Message:

Better detection for false positives in meta SQL filters.

Our wrappers for WP's _metadata() functions require some filtering of the SQL
string (to change a column name and, in the case of xprofile, to add an
'object_type' clause). Our str_replace() logic is too generous, creating the
possibility of matching quoted text, as when the meta value contains the string
'WHERE'.

This changeset modifies the filters so that quoted content is swapped out with
placeholders before we run our search-and-replace.

See #5919.
Props tometzky for feedback.

File:

• trunk/src/bp-xprofile/bp-xprofile-filters.php (modified) (3 diffs)

trunk/src/bp-xprofile/bp-xprofile-filters.php

@@ -336 +336 @@
     global $wpdb;
 
+    $raw_q = $q;
+
+    /*
+     * Replace quoted content with __QUOTE__ to avoid false positives.
+     * This regular expression will match nested quotes.
+     */
+    $quoted_regex = "/'[^'\\\\]*(?:\\\\.[^'\\\\]*)*'/s";
+    preg_match_all( $quoted_regex, $q, $quoted_matches );
+    $q = preg_replace( $quoted_regex, '__QUOTE__', $q );
+
     // Get the first word of the command
     preg_match( '/^(\S+)/', $q, $first_word_matches );
 
     if ( empty( $first_word_matches[0] ) ) {
-        return $q;
+        return $raw_q;
     }
 
@@ -347 +357 @@
 
     if ( empty( $matches[0] ) || empty( $matches[1] ) ) {
-        return $q;
+        return $raw_q;
     }
 
@@ -416 +426 @@
     }
 
+    // Put quoted content back into the string.
+    if ( ! empty( $quoted_matches[0] ) ) {
+        for ( $i = 0; $i < count( $quoted_matches[0] ); $i++ ) {
+            $quote_pos = strpos( $q, '__QUOTE__' );
+            $q = substr_replace( $q, $quoted_matches[0][ $i ], $quote_pos, 9 );
+        }
+    }
+
     return $q;
 }