Changeset 9073 for trunk/tests/phpunit/testcases/xprofile/functions.php

Timestamp:

10/08/2014 02:14:29 PM (11 years ago)

Author:

boonebgorges

Message:

Better detection for false positives in meta SQL filters.

Our wrappers for WP's _metadata() functions require some filtering of the SQL
string (to change a column name and, in the case of xprofile, to add an
'object_type' clause). Our str_replace() logic is too generous, creating the
possibility of matching quoted text, as when the meta value contains the string
'WHERE'.

This changeset modifies the filters so that quoted content is swapped out with
placeholders before we run our search-and-replace.

See #5919.
Props tometzky for feedback.

File:

• trunk/tests/phpunit/testcases/xprofile/functions.php (modified) (1 diff)

trunk/tests/phpunit/testcases/xprofile/functions.php

@@ -474 +474 @@
     /**
      * @group xprofilemeta
+     * @group bp_xprofile_update_meta
+     * @ticket BP5919
+     */
+    public function test_bp_xprofile_update_meta_where_sql_filter_keywords_are_in_quoted_value() {
+        $g = $this->factory->xprofile_group->create();
+        $value = "SELECT object_id FROM wp_bp_xprofile_groups WHERE \"foo\" VALUES (foo = 'bar'";
+        bp_xprofile_add_meta( $g, 'group', 'foo', 'bar' );
+        bp_xprofile_update_meta( $g, 'group', 'foo', $value );
+        $this->assertSame( $value, bp_xprofile_get_meta( $g, 'group', 'foo' ) );
+    }
+
+    /**
+     * @group xprofilemeta
+     * @group bp_xprofile_update_meta
+     * @ticket BP5919
+     */
+    public function test_bp_xprofile_update_meta_where_meta_id_is_in_quoted_value() {
+        $g = $this->factory->xprofile_group->create();
+        $value = "foo meta_id bar";
+        bp_xprofile_add_meta( $g, 'group', 'foo', 'bar' );
+        bp_xprofile_update_meta( $g, 'group', 'foo', $value );
+        $this->assertSame( $value, bp_xprofile_get_meta( $g, 'group', 'foo' ) );
+    }
+
+    /**
+     * @group xprofilemeta
      * @group bp_xprofile_add_meta
      */