#1284 closed defect (bug) (fixed)
BP_Groups_Group::get_all method generates bad mysql request
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 1.1.3 | Priority: | major |
| Severity: | Version: | ||
| Component: | Keywords: | has-patch group mysql status public request | |
| Cc: | Fairweb, MrMaz |
Description
When using this method in the following context :
- current user is not an admin
- $public argument set to false
the mysql request string would be :
SELECT * FROM wp_bp_groups g AND g.status != 'hidden'
instead of
SELECT * FROM wp_bp_groups g WHERE g.status != 'hidden'
fix bp-groups-classes.php line 428
$hidden_sql = $only_public ? $wpdb->prepare( " AND g.status != 'hidden'") : $wpdb->prepare( "WHERE g.status != 'hidden'");
Attachments (1)
Change History (18)
#2
@
15 years ago
- Cc MrMaz added
- Keywords group mysql status public request added
- Milestone set to 1.1.3
- Owner set to MrMaz
- Status changed from new to accepted
#3
follow-up:
↓ 7
@
15 years ago
- Keywords has_patch added
- Resolution set to fixed
- Status changed from accepted to closed
#7
in reply to:
↑ 3
@
15 years ago
- Resolution set to fixed
- Status changed from accepted to closed
Replying to MrMaz:
Please test the patch and let me know if it resolves the issue, or tell me how I can test it myself.
I have tested, your patch seems to work fine. It's quite hard to tell you how to test as I'm using this method in a home made plugin. My function's result was only working when I was a site admin and that's where I found out the method had a problem.
Seems ok now thanks a lot.
#8
@
15 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
Reopening because patch has not been applied to source yet.
#9
@
15 years ago
How does this patch react when the sort_by is set? In that case it will have multiple WHERE clauses... Haven't tested it yet, just thinking out loud...
#10
@
15 years ago
All where conditions and put into an array and then concatenated using join() so the "WHERE" only appears once.
#13
@
15 years ago
I'm not sure we need to overcomplicate things. Adding a WHERE 1=1 and then all the AND additions will work just fine in this case.
#14
@
15 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
This "where 1=1" fix is a bad idea.
- Its a hack.
- Its the same thing as saying "where true" which could possibly throw off the query optimizer.
- 1=1 and other same int/string comparison expressions, like 'a'='a' etc, will show up in any decent security scanner that is sniffing for SQL injection attacks.
It doesn't sit right when I spend a good chunk of my time creating a solution that works properly, and its replaced with a hack that looks like SQL injection.
Please test the patch and let me know if it resolves the issue, or tell me how I can test it myself.