diff --git a/bp-core/bp-core-cache.php b/bp-core/bp-core-cache.php
index 1c0ba2d..66d8890 100644
--- a/bp-core/bp-core-cache.php
+++ b/bp-core/bp-core-cache.php
@@ -92,17 +92,11 @@ function bp_update_meta_cache( $args = array() ) {
 		$object_column = $object_type . '_id';
 	}
 
-	if ( !is_array( $object_ids ) ) {
-		$object_ids = preg_replace( '|[^0-9,]|', '', $object_ids );
-		$object_ids = explode( ',', $object_ids );
-	}
-
-	$object_ids = array_map( 'intval', $object_ids );
-
+	$object_ids = wp_parse_id_list( $object_ids );
 	$cache = array();
 
 	// Get meta info
-	$id_list   = join( ',', $object_ids );
+	$id_list   = esc_sql( join( ',', $object_ids ) );
 	$meta_list = $wpdb->get_results( $wpdb->prepare( "SELECT {$object_column}, meta_key, meta_value FROM {$meta_table} WHERE {$object_column} IN ($id_list)", $object_type ), ARRAY_A );
 
 	if ( !empty( $meta_list ) ) {
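Review bot: The table and column names in the query on the `$wpdb->prepare()` line are still interpolated raw: `$object_column` is built as `$object_type . '_id'` in the context line at the top of the hunk, and `$meta_table` goes in the same way. The query string has no placeholder, so `prepare()` escapes nothing here and its `$object_type` argument is unused. `esc_sql()` on a list that `wp_parse_id_list()` has already reduced to integers adds no protection either. If `$object_type` or `$meta_table` can come from caller-supplied `$args`, normalise them before use, e.g. `$object_type = sanitize_key( $object_type );`, or compare against the known object types. Those assignments sit above the hunk, so confirm there whether this is already done.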
diff --git a/bp-core/bp-core-classes.php b/bp-core/bp-core-classes.php
index 102dbd8..57ee5ba 100644
--- a/bp-core/bp-core-classes.php
+++ b/bp-core/bp-core-classes.php
@@ -298,7 +298,7 @@ class BP_User_Query {
 		// 'user_id' - When a user id is passed, limit to the friends of the user
 		// @todo remove need for bp_is_active() check
 		if ( ! empty( $user_id ) && bp_is_active( 'friends' ) ) {
-			$friend_ids = friends_get_friend_user_ids( $user_id );
+			$friend_ids = wp_parse_id_list( friends_get_friend_user_ids( $user_id ) );
 			$friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
 
 			if ( ! empty( $friend_ids ) ) {
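Review bot: The line after the changed one still calls `$wpdb->escape()` and keeps the `(array)` cast, while the rest of this commit moves to `esc_sql()`. `wp_parse_id_list()` already returns an array of integers, so the cast is redundant. For consistency this could be one line: `$friend_ids = esc_sql( implode( ',', wp_parse_id_list( friends_get_friend_user_ids( $user_id ) ) ) );`. The same leftover `$wpdb->escape()` remains in the BP_Core_User hunks at -814, -910, -981 and -1013. The enclosing method starts and ends outside the hunk.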
@@ -323,7 +323,7 @@ class BP_User_Query {
 			$found_user_ids = $wpdb->get_col( $found_user_ids_query );
 
 			if ( ! empty( $found_user_ids ) ) {
-				$sql['where'][] = "u.{$this->uid_name} IN (" . implode( ',', wp_parse_id_list( $found_user_ids ) ) . ")";
+				$sql['where'][] = "u.{$this->uid_name} IN (" . esc_sql( implode( ',', wp_parse_id_list( $found_user_ids ) ) ) . ")";
 			} else {
 				$sql['where'][] = $this->no_results['where'];
 			}
@@ -341,7 +341,8 @@ class BP_User_Query {
 			$found_user_ids = $wpdb->get_col( $meta_sql );
 
 			if ( ! empty( $found_user_ids ) ) {
-				$sql['where'][] = "u.{$this->uid_name} IN (" . implode( ',', wp_parse_id_list( $found_user_ids ) ) . ")";
+				$found_user_ids = esc_sql( implode( ',', wp_parse_id_list( $found_user_ids ) ) );
+				$sql['where'][] = "u.{$this->uid_name} IN ({$found_user_ids})";
 			}
 		}
 
@@ -458,7 +459,7 @@ class BP_User_Query {
 		}
 
 		// Turn user ID's into a query-usable, comma separated value
-		$user_ids_sql = implode( ',', wp_parse_id_list( $this->user_ids ) );
+		$user_ids_sql = esc_sql( implode( ',', wp_parse_id_list( $this->user_ids ) ) );
 
 		/**
 		 * Use this action to independently populate your own custom extras.
@@ -805,6 +806,7 @@ class BP_Core_User {
 		}
 
 		if ( !empty( $exclude ) ) {
+			$exclude = esc_sql( implode( ',', wp_parse_id_list( $exclude ) ) );
 			$sql['where_exclude'] = "AND u.ID NOT IN ({$exclude})";
 		}
 
@@ -814,18 +816,14 @@ class BP_Core_User {
 			$sql['where_users'] = "AND 0 = 1";
 		} else {
 			if ( !empty( $include ) ) {
-				if ( is_array( $include ) ) {
-					$uids = $wpdb->escape( implode( ',', (array) $include ) );
-				} else {
-					$uids = $wpdb->escape( $include );
-				}
+				$uids = esc_sql( implode( ',', wp_parse_id_list( $include ) ) );;
 
 				if ( !empty( $uids ) ) {
 					$sql['where_users'] = "AND u.ID IN ({$uids})";
 				}
 			} elseif ( !empty( $user_id ) && bp_is_active( 'friends' ) ) {
 				$friend_ids = friends_get_friend_user_ids( $user_id );
-				$friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
+				$friend_ids = $wpdb->escape( implode( ',', wp_parse_id_list( $friend_ids ) ) );
 
 				if ( !empty( $friend_ids ) ) {
 					$sql['where_friends'] = "AND u.ID IN ({$friend_ids})";
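Review bot: The `!empty( $uids )` guard under the new `$uids` line silently drops the include filter when the list parses to a single `0`, because `empty( '0' )` is true in PHP and `wp_parse_id_list()` turns non-numeric input into 0. As far as the hunk shows, `where_users` is then never set in this branch, so the query is no longer restricted to the requested users. Consider removing zero IDs and treating an empty result as no match: `$uids = implode( ',', array_filter( wp_parse_id_list( $include ) ) );` with an `else` that sets `$sql['where_users'] = "AND 0 = 1";`. The new line also ends in a stray `;;`. The method body extends beyond the hunk.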
@@ -910,10 +908,10 @@ class BP_Core_User {
 			$user_ids = array();
 
 			foreach ( (array) $paged_users as $user ) {
-				$user_ids[] = $user->id;
+				$user_ids[] = (int) $user->id;
 			}
 
-			$user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
+			$user_ids = $wpdb->escape( join( ',', $user_ids ) );
 
 			// Add additional data to the returned results
 			$paged_users = BP_Core_User::get_user_extras( $paged_users, $user_ids, $type );
@@ -981,9 +979,9 @@ class BP_Core_User {
 		 */
 		$user_ids = array();
 		foreach ( (array) $paged_users as $user )
-			$user_ids[] = $user->id;
+			$user_ids[] = (int) $user->id;
 
-		$user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
+		$user_ids = $wpdb->escape( join( ',', $user_ids ) );
 
 		// Add additional data to the returned results
 		if ( $populate_extras ) {
@@ -1013,6 +1011,7 @@ class BP_Core_User {
 
 		$status_sql = bp_core_get_status_sql();
 
+		$user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
 		$total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) " );
 		$paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) {$pag_sql}" );
 
@@ -1097,6 +1096,8 @@ class BP_Core_User {
 		if ( empty( $user_ids ) )
 			return $paged_users;
 
+		$user_ids = esc_sql( implode( ',', wp_parse_id_list( $user_ids ) ) );
+
 		// Fetch the user's full name
 		if ( bp_is_active( 'xprofile' ) && 'alphabetical' != $type ) {
 			$names = $wpdb->get_results( $wpdb->prepare( "SELECT pd.user_id as id, pd.value as fullname FROM {$bp->profile->table_name_fields} pf, {$bp->profile->table_name_data} pd WHERE pf.id = pd.field_id AND pf.name = %s AND pd.user_id IN ( {$user_ids} )", bp_xprofile_fullname_field_name() ) );
diff --git a/bp-core/bp-core-filters.php b/bp-core/bp-core-filters.php
index d984c24..2a70dc6 100644
--- a/bp-core/bp-core-filters.php
+++ b/bp-core/bp-core-filters.php
@@ -130,7 +130,7 @@ function bp_core_filter_comments( $comments, $post_id ) {
 	if ( empty( $user_ids ) )
 		return $comments;
 
-	$user_ids = implode( ',', $user_ids );
+	$user_ids = esc_sql( implode( ',', wp_parse_id_list( $user_ids ) ) );
 
 	if ( !$userdata = $wpdb->get_results( "SELECT ID as user_id, user_login, user_nicename FROM {$wpdb->users} WHERE ID IN ({$user_ids})" ) )
 		return $comments;
diff --git a/bp-core/bp-core-functions.php b/bp-core/bp-core-functions.php
index 96b7564..0d24386 100644
--- a/bp-core/bp-core-functions.php
+++ b/bp-core/bp-core-functions.php
@@ -141,7 +141,7 @@ function bp_core_get_directory_pages() {
 		// Always get page data from the root blog, except on multiblog mode, when it comes
 		// from the current blog
 		$posts_table_name = bp_is_multiblog_mode() ? $wpdb->posts : $wpdb->get_blog_prefix( bp_get_root_blog_id() ) . 'posts';
-		$page_ids_sql     = implode( ',', (array) $page_ids );
+		$page_ids_sql     = esc_sql( implode( ',', wp_parse_id_list( $page_ids ) ) );
 		$page_names       = $wpdb->get_results( "SELECT ID, post_name, post_parent, post_title FROM {$posts_table_name} WHERE ID IN ({$page_ids_sql}) AND post_status = 'publish' " );
 
 		foreach ( (array) $page_ids as $component_id => $page_id ) {
