#4992 closed defect (bug) (fixed)
Sanitization improvements to BP_Core_User methods
Reported by: | johnjamesjacoby | Owned by: | boonebgorges |
---|---|---|---|
Milestone: | 1.7.2 | Priority: | highest |
Severity: | critical | Version: | 1.2 |
Component: | Core | Keywords: | has-patch |
Cc: |
Description
As part of a bigger audit related to #4985, I've found several methods that trust the values passed into them that should also be utilizing wp_parse_id_list().
- get_users()
- get_specific_users()
- get_user_extras()
It's worth noting that get_user_extras() seems to expect an array already, though wp_parse_id_list() is smart enough to figure out strings. Patch attached.
Attachments (3)
Change History (7)
#2
@
11 years ago
Thanks, guys. I've reviewed the two patches. There were one or two places where each of you caught something that the other hadn't, so it's nice to have many eyes.
For the sake of standardization, I've gone with the following strategy and syntax for sanitizing integer lists for use in a query:
$include = implode( ',', wp_parse_id_list( $include ) );
- one line, easy to read
- No need to run through esc_sql(). All that does is addslashes() (
wpdb::_weak_escape()
). The return value ofwp_parse_id_list()
will always be an array of positive integers, so imploding them with commas will never result in anything that needs to be slashed (single quotes, double quotes, backslash, null character).
I'm also including, in the trunk commit, a number of tests for the more delicate of the database classes.
Includes other bp-core component IN () query usages