diff --git src/bp-activity/classes/class-bp-activity-activity.php src/bp-activity/classes/class-bp-activity-activity.php index cf084c16f..71611dbe9 100644 --- src/bp-activity/classes/class-bp-activity-activity.php +++ src/bp-activity/classes/class-bp-activity-activity.php @@ -507,10 +507,10 @@ class BP_Activity_Activity { } } - // Sorting. + // Sanitize 'order'. $sort = $r['sort']; - if ( $sort != 'ASC' && $sort != 'DESC' ) { - $sort = 'DESC'; + if ( 'DESC' !== $sort ) { + $sort = bp_esc_sql_order( $sort ); } switch( $r['order_by'] ) { diff --git src/bp-blogs/bp-blogs-functions.php src/bp-blogs/bp-blogs-functions.php index c64e88ab7..743090230 100644 --- src/bp-blogs/bp-blogs-functions.php +++ src/bp-blogs/bp-blogs-functions.php @@ -91,12 +91,11 @@ function bp_blogs_get_blogs( $args = '' ) { * * @param array $args { * Array of arguments. - * @type int $offset The offset to use. - * @type int $limit The number of blogs to record at one time. - * @type array $blog_ids Blog IDs to record. If empty, all blogs will be recorded. - * @type array $site_id The network site ID to use. + * @type int $offset The offset to use. + * @type int $limit The number of blogs to record at one time. + * @type array $blog_ids Blog IDs to record. If empty, all blogs will be recorded. + * @type array $site_id The network site ID to use. * } - * * @return bool */ function bp_blogs_record_existing_blogs( $args = array() ) { diff --git src/bp-blogs/bp-blogs-template.php src/bp-blogs/bp-blogs-template.php index 5b06fcfce..f6f353658 100644 --- src/bp-blogs/bp-blogs-template.php +++ src/bp-blogs/bp-blogs-template.php @@ -97,6 +97,8 @@ function bp_blogs_directory_permalink() { /** * Rewind the blogs and reset blog index. + * + * @global BP_Blogs_Template $blogs_template {@link BP_Blogs_Template} */ function bp_rewind_blogs() { global $blogs_template; @@ -111,7 +113,7 @@ function bp_rewind_blogs() { * global, enabling the use of BuddyPress templates and template functions to * display a list of activity items. * - * @global object $blogs_template {@link BP_Blogs_Template} + * @global BP_Blogs_Template $blogs_template {@link BP_Blogs_Template} * * @param array|string $args { * Arguments for limiting the contents of the blogs loop. Most arguments @@ -133,7 +135,6 @@ function bp_rewind_blogs() { * @type string $type The order in which results should be fetched. * 'active', 'alphabetical', 'newest', or 'random'. * @type array $include_blog_ids Array of blog IDs to limit results to. - * @type string $sort 'ASC' or 'DESC'. Default: 'DESC'. * @type string $search_terms Limit results by a search term. Default: the value of `$_REQUEST['s']` or * `$_REQUEST['sites_search']`, if present. * @type int $user_id The ID of the user whose blogs should be retrieved. diff --git src/bp-core/bp-core-functions.php src/bp-core/bp-core-functions.php index e2acd9373..6007f05ac 100644 --- src/bp-core/bp-core-functions.php +++ src/bp-core/bp-core-functions.php @@ -92,7 +92,7 @@ function bp_is_running_wp( $version, $compare = '>=' ) { * * @since 1.2.6 * - * @global object $wpdb WordPress database object. + * @global wpdb $wpdb WordPress database object. * * @return string Filtered database prefix. */ @@ -383,6 +383,7 @@ function bp_esc_sql_order( $order = '' ) { * * @since 2.1.0 * + * @global wpdb $wpdb WordPress database object. * @see wpdb::esc_like() for more details on proper use. * * @param string $text The raw text to be escaped. @@ -394,9 +395,9 @@ function bp_esc_like( $text ) { if ( method_exists( $wpdb, 'esc_like' ) ) { return $wpdb->esc_like( $text ); - } else { - return addcslashes( $text, '_%\\' ); } + + return addcslashes( $text, '_%\\' ); } /** diff --git src/bp-friends/classes/class-bp-friends-friendship.php src/bp-friends/classes/class-bp-friends-friendship.php index 69cbf2eb0..dcce808e1 100644 --- src/bp-friends/classes/class-bp-friends-friendship.php +++ src/bp-friends/classes/class-bp-friends-friendship.php @@ -257,7 +257,7 @@ class BP_Friends_Friendship { * @type int $is_confirmed Whether the friendship has been accepted. * @type int $is_limited Whether the friendship is limited. * @type string $order_by Column name to order by. - * @type string $sort_order ASC or DESC. Default DESC. + * @type string $sort_order Optional. ASC or DESC. Default: 'DESC'. * } * @param string $operator Optional. Operator to use in `wp_list_filter()`. * @@ -369,7 +369,7 @@ class BP_Friends_Friendship { } // Adjust the sort direction of the results. - if ( 'ASC' === strtoupper( $r['sort_order'] ) ) { + if ( 'ASC' === bp_esc_sql_order( $r['sort_order'] ) ) { // `true` to preserve keys. $friendships = array_reverse( $friendships, true ); } diff --git src/bp-groups/classes/class-bp-groups-list-table.php src/bp-groups/classes/class-bp-groups-list-table.php index 4a102b3fd..7d3dff995 100644 --- src/bp-groups/classes/class-bp-groups-list-table.php +++ src/bp-groups/classes/class-bp-groups-list-table.php @@ -96,7 +96,7 @@ class BP_Groups_List_Table extends WP_List_Table { // Sort order. $order = 'DESC'; if ( ! empty( $_REQUEST['order'] ) ) { - $order = ( 'desc' == strtolower( $_REQUEST['order'] ) ) ? 'DESC' : 'ASC'; + $order = bp_esc_sql_order( $_REQUEST['order'] ); } // Order by - default to newest. diff --git src/bp-members/classes/class-bp-members-invitations-template.php src/bp-members/classes/class-bp-members-invitations-template.php index 3270eed7d..184ac23b7 100644 --- src/bp-members/classes/class-bp-members-invitations-template.php +++ src/bp-members/classes/class-bp-members-invitations-template.php @@ -184,21 +184,18 @@ class BP_Members_Invitations_Template { ); // Sort order direction. - $orders = array( 'ASC', 'DESC' ); - if ( ! empty( $_GET['sort_order'] ) && in_array( $_GET['sort_order'], $orders ) ) { + if ( ! empty( $_GET['sort_order'] ) ) { $r['sort_order'] = $_GET['sort_order']; - } else { - $r['sort_order'] = in_array( $r['sort_order'], $orders ) ? $r['sort_order'] : 'DESC'; } // Setup variables. $this->pag_arg = sanitize_key( $r['page_arg'] ); $this->pag_page = bp_sanitize_pagination_arg( $this->pag_arg, $r['page'] ); $this->pag_num = bp_sanitize_pagination_arg( 'num', $r['per_page'] ); + $this->sort_order = bp_esc_sql_order( $r['sort_order'] ); $this->user_id = $r['user_id']; $this->search_terms = $r['search_terms']; $this->order_by = $r['order_by']; - $this->sort_order = $r['sort_order']; $this->query_vars = array( 'id' => $r['id'], 'user_id' => $r['user_id'], @@ -252,11 +249,7 @@ class BP_Members_Invitations_Template { * @return bool True if there are items in the loop, otherwise false. */ public function has_invitations() { - if ( $this->current_invitation_count ) { - return true; - } - - return false; + return ! empty( $this->current_invitation_count ); } /** diff --git src/bp-messages/bp-messages-template.php src/bp-messages/bp-messages-template.php index b5441b294..47064ebb8 100644 --- src/bp-messages/bp-messages-template.php +++ src/bp-messages/bp-messages-template.php @@ -1634,11 +1634,11 @@ function bp_message_get_recipient_usernames() { * * @param array|string $args { * Array of arguments. All are optional. - * @type int $thread_id ID of the thread whose messages you are displaying. + * @type int $thread_id Optional. ID of the thread whose messages you are displaying. * Default: if viewing a thread, the thread ID will be parsed from * the URL (bp_action_variable( 0 )). - * @type string $order 'ASC' or 'DESC'. Default: 'ASC'. - * @type bool $update_meta_cache Whether to pre-fetch metadata for + * @type string $order Optional. 'ASC' or 'DESC'. Default: 'ASC'. + * @type bool $update_meta_cache Optional. Whether to pre-fetch metadata for * queried message items. Default: true. * @type int|null $page Page of messages being requested. Default to null, meaning all. * @type int|null $per_page Messages to return per page. Default to null, meaning all. diff --git src/bp-messages/classes/class-bp-messages-thread-template.php src/bp-messages/classes/class-bp-messages-thread-template.php index 3623f85a1..6a4429819 100644 --- src/bp-messages/classes/class-bp-messages-thread-template.php +++ src/bp-messages/classes/class-bp-messages-thread-template.php @@ -84,7 +84,8 @@ class BP_Messages_Thread_Template { * @see BP_Messages_Thread::populate() for full parameter info. * * @param int $thread_id ID of the message thread to display. - * @param string $order Order to show the thread's messages in. + * @param string $order Optional. Order to show the thread's messages in. + * Default: 'ASC'. * @param array $args Array of arguments for the query. */ public function __construct( $thread_id = 0, $order = 'ASC', $args = array() ) { diff --git src/bp-messages/classes/class-bp-messages-thread.php src/bp-messages/classes/class-bp-messages-thread.php index e1a7f1891..889e0a014 100644 --- src/bp-messages/classes/class-bp-messages-thread.php +++ src/bp-messages/classes/class-bp-messages-thread.php @@ -121,7 +121,7 @@ class BP_Messages_Thread { * queried message items. Default: true. * @type int|null $page Page of messages being requested. Default to null, meaning all. * @type int|null $per_page Messages to return per page. Default to null, meaning all. - * @type string $order The order to sort the messages. Either 'ASC' or 'DESC'. + * @type string $order Optional. The order to sort the messages. Either 'ASC' or 'DESC'. * Defaults to 'ASC'. * @type int|null $recipients_page Page of recipients being requested. Default to null, meaning all. * @type int|null $recipients_per_page Recipients to return per page. Defaults to null, meaning all. @@ -160,10 +160,6 @@ class BP_Messages_Thread { */ public function populate( $thread_id = 0, $order = 'ASC', $args = array() ) { - if ( ! in_array( strtoupper( $order ), array( 'ASC', 'DESC' ), true ) ) { - $order = 'ASC'; - } - $user_id = bp_displayed_user_id() ? bp_displayed_user_id() : @@ -177,13 +173,13 @@ class BP_Messages_Thread { 'update_meta_cache' => true, 'page' => null, 'per_page' => null, - 'order' => $order, + 'order' => bp_esc_sql_order( $order ), 'recipients_page' => null, 'recipients_per_page' => null, ) ); - $this->messages_order = $order; + $this->messages_order = $r['order']; $this->thread_id = (int) $thread_id; // Get messages for thread. @@ -373,10 +369,8 @@ class BP_Messages_Thread { ) ); - // Fallback. - if ( ! in_array( strtoupper( $r['order'] ), array( 'ASC', 'DESC' ), true ) ) { - $r['order'] = 'ASC'; - } + // Sanitize 'order'. + $r['order'] = bp_esc_sql_order( $r['order'] ); // Get messages from cache if available. $messages = wp_cache_get( $thread_id, 'bp_messages_threads' ); @@ -403,7 +397,7 @@ class BP_Messages_Thread { } // Flip if order is DESC. - if ( 'DESC' === strtoupper( $r['order'] ) ) { + if ( 'DESC' === $r['order'] ) { $messages = array_reverse( $messages ); } diff --git src/bp-notifications/bp-notifications-template.php src/bp-notifications/bp-notifications-template.php index f13267d3d..9ab7a998a 100644 --- src/bp-notifications/bp-notifications-template.php +++ src/bp-notifications/bp-notifications-template.php @@ -997,8 +997,8 @@ function bp_notifications_sort_order_form() { $selected = 'DESC'; // Check for a custom sort_order. - if ( !empty( $_REQUEST['sort_order'] ) ) { - if ( in_array( $_REQUEST['sort_order'], $orders ) ) { + if ( ! empty( $_REQUEST['sort_order'] ) ) { + if ( in_array( $_REQUEST['sort_order'], $orders, true ) ) { $selected = $_REQUEST['sort_order']; } } ?> diff --git src/bp-notifications/classes/class-bp-notifications-notification.php src/bp-notifications/classes/class-bp-notifications-notification.php index 1adb42cd1..0403ad7b9 100644 --- src/bp-notifications/classes/class-bp-notifications-notification.php +++ src/bp-notifications/classes/class-bp-notifications-notification.php @@ -446,8 +446,8 @@ class BP_Notifications_Notification { } // Sort order direction. - if ( ! empty( $args['sort_order'] ) && in_array( $args['sort_order'], array( 'ASC', 'DESC' ), true ) ) { - $sort_order = $args['sort_order']; + if ( ! empty( $args['sort_order'] ) ) { + $sort_order = bp_esc_sql_order( $args['sort_order'] ); $conditions['sort_order'] = "{$sort_order}"; } diff --git src/bp-notifications/classes/class-bp-notifications-template.php src/bp-notifications/classes/class-bp-notifications-template.php index 09dc3ffc7..ce8683e0d 100644 --- src/bp-notifications/classes/class-bp-notifications-template.php +++ src/bp-notifications/classes/class-bp-notifications-template.php @@ -175,22 +175,19 @@ class BP_Notifications_Template { ); // Sort order direction. - $orders = array( 'ASC', 'DESC' ); - if ( ! empty( $_GET['sort_order'] ) && in_array( $_GET['sort_order'], $orders, true ) ) { + if ( ! empty( $_GET['sort_order'] ) ) { $r['sort_order'] = $_GET['sort_order']; - } else { - $r['sort_order'] = in_array( $r['sort_order'], $orders ) ? $r['sort_order'] : 'DESC'; } // Setup variables. $this->pag_arg = sanitize_key( $r['page_arg'] ); $this->pag_page = bp_sanitize_pagination_arg( $this->pag_arg, $r['page'] ); $this->pag_num = bp_sanitize_pagination_arg( 'num', $r['per_page'] ); + $this->sort_order = bp_esc_sql_order( $r['sort_order'] ); $this->user_id = $r['user_id']; $this->is_new = $r['is_new']; $this->search_terms = $r['search_terms']; $this->order_by = $r['order_by']; - $this->sort_order = $r['sort_order']; $this->query_vars = array( 'id' => $r['id'], 'user_id' => $this->user_id, diff --git src/bp-xprofile/classes/class-bp-xprofile-field.php src/bp-xprofile/classes/class-bp-xprofile-field.php index 9607a6ed9..20eb7224b 100644 --- src/bp-xprofile/classes/class-bp-xprofile-field.php +++ src/bp-xprofile/classes/class-bp-xprofile-field.php @@ -561,19 +561,21 @@ class BP_XProfile_Field { * * @since 1.2.0 * - * @global object $wpdb + * @global BuddyPress $bp The one true BuddyPress instance. + * @global wpdb $wpdb WordPress database object. * - * @param bool $for_editing Whether or not the field is for editing. + * @param bool $for_editing Whether or not the field is for editing. Default to false. * @return array */ public function get_children( $for_editing = false ) { global $wpdb; + // Sanitize 'order_by'. + $order_by = bp_esc_sql_order( $this->order_by ); + // This is done here so we don't have problems with sql injection. - if ( empty( $for_editing ) && ( 'asc' === $this->order_by ) ) { - $sort_sql = 'ORDER BY name ASC'; - } elseif ( empty( $for_editing ) && ( 'desc' === $this->order_by ) ) { - $sort_sql = 'ORDER BY name DESC'; + if ( empty( $for_editing ) ) { + $sort_sql = "ORDER BY name {$order_by}"; } else { $sort_sql = 'ORDER BY option_order ASC'; } @@ -586,9 +588,8 @@ class BP_XProfile_Field { $parent_id = $this->id; } - $bp = buddypress(); - $sql = $wpdb->prepare( "SELECT * FROM {$bp->profile->table_name_fields} WHERE parent_id = %d AND group_id = %d {$sort_sql}", $parent_id, $this->group_id ); - + $bp = buddypress(); + $sql = $wpdb->prepare( "SELECT * FROM {$bp->profile->table_name_fields} WHERE parent_id = %d AND group_id = %d {$sort_sql}", $parent_id, $this->group_id ); $children = $wpdb->get_results( $sql ); /** @@ -597,7 +598,7 @@ class BP_XProfile_Field { * @since 1.2.5 * @since 3.0.0 Added the `$this` parameter. * - * @param object $children Found children for a field. + * @param array $children Found children for a field. * @param bool $for_editing Whether or not the field is for editing. * @param BP_XProfile_Field $this Field object */ diff --git tests/phpunit/testcases/messages/class.bp-messages-thread.php tests/phpunit/testcases/messages/class.bp-messages-thread.php index 946a87edb..f98ba4cec 100644 --- tests/phpunit/testcases/messages/class.bp-messages-thread.php +++ tests/phpunit/testcases/messages/class.bp-messages-thread.php @@ -140,6 +140,13 @@ class BP_Tests_BP_Messages_Thread extends BP_UnitTestCase { wp_list_pluck( $thread->messages, 'id' ) ); + // Testing sort with lowercase and space. + $thread = new BP_Messages_Thread( $message_1->thread_id, ' desc' ); + $this->assertEquals( + array( $message_2->id, $message_1->id ), + wp_list_pluck( $thread->messages, 'id' ) + ); + // Now sorting via the helper method. $messages = BP_Messages_Thread::get_messages( $message_1->thread_id, array( 'order' => 'desc' ) ); $this->assertEquals(