Index: bp-groups/bp-groups-classes.php
--- bp-groups/bp-groups-classes.php
+++ bp-groups/bp-groups-classes.php
@@ -371,18 +371,14 @@
 			$sql['user'] = $wpdb->prepare( " AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0", $user_id );
 
 		if ( !empty( $include ) ) {
-			if ( is_array( $include ) )
-				$include = implode( ',', $include );
-
-			$include = $wpdb->escape( $include );
+			$include        = wp_parse_id_list( $r['include'] );
+			$include        = $wpdb->escape( implode( ',', $include ) );
 			$sql['include'] = " AND g.id IN ({$include})";
 		}
 
 		if ( !empty( $exclude ) ) {
-			if ( is_array( $exclude ) )
-				$exclude = implode( ',', $exclude );
-
-			$exclude = $wpdb->escape( $exclude );
+			$exclude        = wp_parse_id_list( $r['exclude'] );
+			$exclude        = $wpdb->escape( implode( ',', $exclude ) );
 			$sql['exclude'] = " AND g.id NOT IN ({$exclude})";
 		}
 
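Review bot: The two added `wp_parse_id_list()` calls read `$r['include']` and `$r['exclude']`, while the `!empty()` guards around them test the local `$include` and `$exclude`, and every other hunk in this file parses the local variable. If `$r` is not in scope here, or holds something different from the locals, the IN() list is built from a value other than the one that was checked. Whether `$r` is defined cannot be seen from this hunk, since the enclosing method starts above it. Parsing the guarded variable keeps the check and the query in step: `$include = wp_parse_id_list( $include );` and `$exclude = wp_parse_id_list( $exclude );`.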
@@ -484,7 +480,8 @@
 		}
 
 		if ( !empty( $exclude ) ) {
-			$exclude = $wpdb->escape( $exclude );
+			$exclude     = wp_parse_id_list( $exclude );
+			$exclude     = $wpdb->escape( implode( ',', $exclude ) );
 			$exclude_sql = " AND g.id NOT IN ({$exclude})";
 		}
 
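Review bot: Nothing in the added lines records that the integer cast inside `wp_parse_id_list()` is what makes the unquoted `NOT IN ({$exclude})` safe. `$wpdb->escape()` only escapes characters that matter inside a quoted string, so it adds nothing once the list is digits and commas, and it would not protect the unquoted list on its own. The same pair of lines appears in the hunks at -371, -525, -562, -606, -1072 and -1227. A short comment above the first line would stop a later edit from keeping the escape and dropping the parse: `// IDs are cast to non-negative ints by wp_parse_id_list(); escape() alone does not protect an unquoted IN() list.`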
@@ -525,7 +522,8 @@
 		}
 
 		if ( !empty( $exclude ) ) {
-			$exclude = $wpdb->escape( $exclude );
+			$exclude     = wp_parse_id_list( $exclude );
+			$exclude     = $wpdb->escape( implode( ',', $exclude ) );
 			$exclude_sql = " AND g.id NOT IN ({$exclude})";
 		}
 
@@ -562,7 +560,8 @@
 		}
 
 		if ( !empty( $exclude ) ) {
-			$exclude = $wpdb->escape( $exclude );
+			$exclude     = wp_parse_id_list( $exclude );
+			$exclude     = $wpdb->escape( implode( ',', $exclude ) );
 			$exclude_sql = " AND g.id NOT IN ({$exclude})";
 		}
 
@@ -606,7 +605,8 @@
 		}
 
 		if ( !empty( $exclude ) ) {
-			$exclude = $wpdb->escape( $exclude );
+			$exclude     = wp_parse_id_list( $exclude );
+			$exclude     = $wpdb->escape( implode( ',', $exclude ) );
 			$exclude_sql = " AND g.id NOT IN ({$exclude})";
 		}
 
@@ -1072,7 +1072,11 @@
 
 		$pag_sql = ( !empty( $limit ) && !empty( $page ) ) ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ) : '';
 
-		$exclude_sql = !empty( $exclude ) ? $wpdb->prepare( " AND g.id NOT IN (%s)", $exclude ) : '';
+		if ( !empty( $exclude ) ) {
+			$exclude     = wp_parse_id_list( $exclude );
+			$exclude     = $wpdb->escape( implode( ',', $exclude ) );
+			$exclude_sql = " AND g.id NOT IN ({$exclude})";
+		}
 
 		$paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND m.is_confirmed = 0 AND m.inviter_id != 0 AND m.invite_sent = 1 AND m.user_id = %d {$exclude_sql} ORDER BY m.date_modified ASC {$pag_sql}", $user_id ) );
 		$total_groups = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id AND m.is_confirmed = 0 AND m.inviter_id != 0 AND m.invite_sent = 1 AND m.user_id = %d {$exclude_sql} ORDER BY date_modified ASC", $user_id ) );
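Review bot: `$exclude_sql` is now assigned only inside the `if ( !empty( $exclude ) )` block, but both queries on the following lines interpolate it unconditionally, whereas the removed ternary always set it to a string. Unless it is initialised above the hunk, which is not visible here, an empty `$exclude` leaves the variable undefined and raises a notice on every call without an exclude list. Adding `$exclude_sql = '';` before the `if`, as the hunk at -1227 already has, restores the previous behaviour.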
@@ -1227,7 +1231,8 @@
 
 		$exclude_sql = '';
 		if ( !empty( $exclude ) ) {
-			$exclude = implode( ',', wp_parse_id_list( $exclude ) );
+			$exclude     = wp_parse_id_list( $exclude );
+			$exclude     = $wpdb->escape( implode( ',', $exclude ) );
 			$exclude_sql = " AND m.user_id NOT IN ({$exclude})";
 		}
 
Index: bp-themes/bp-default/_inc/ajax.php
--- bp-themes/bp-default/_inc/ajax.php
+++ bp-themes/bp-default/_inc/ajax.php
@@ -124,7 +124,7 @@
 
 	// If page and search_terms have been passed via the AJAX post request, use those.
 	if ( ! empty( $_POST['page'] ) && '-1' != $_POST['page'] )
-		$qs[] = 'page=' . $_POST['page'];
+		$qs[] = 'page=' . absint( $_POST['page'] );
 
 	$object_search_text = bp_get_search_default_text( $object );
  	if ( ! empty( $_POST['search_terms'] ) && $object_search_text != $_POST['search_terms'] && 'false' != $_POST['search_terms'] && 'undefined' != $_POST['search_terms'] )
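Review bot: The guard on `$_POST['page']` still tests the raw request value, so a non-numeric string passes `! empty()` and is appended as `page=0`, and a negative value other than `-1` is turned into a positive page number by `absint()`. Casting first and testing the result keeps the check and the emitted value consistent: `$page = isset( $_POST['page'] ) ? intval( $_POST['page'] ) : 0;` followed by `if ( $page > 0 ) $qs[] = 'page=' . $page;`. How the consumer of this query string treats `page=0` is not visible in this hunk, and the enclosing function starts and ends outside it.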
