
BuddyPress.org

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#5100 closed defect (bug) (fixed)

$wpdb->escape() deprecated in WordPress 3.6.

Reported by: johnjamesjacoby
Owned by: boonebgorges
Milestone: 1.8.1
Priority: highest
Severity: normal
Version: 1.5
Component: Core
Keywords: has-patch
Cc:

Description

See: #WP24774 - [WP24718]

We currently use $wpdb->escape() in 25 locations. We'll want to switch to using esc_sql() or properly $wpdb->prepare()'ing instead.

Attachments (2)

wpdb-escape-deprecated.patch (13.7 KB) - added by needle 11 years ago.
5100.patch (14.5 KB) - added by boonebgorges 11 years ago.


Change History (7)

#1 @needle
11 years ago

I've created a patch for testing purposes, largely replacing $wpdb->escape() with esc_sql() except in 'bp-forums/bp-forums-functions.php' where a $wpdb->prepare() construction seemed more appropriate. Hope it helps - I'm finding having WP_DEBUG = true impossible now that the deprecated function warning is in place.

#2 @boonebgorges
11 years ago

Thanks, needle. Some of your $wpdb->prepare() changes in bp-forums won't work because of the syntax necessary for sql statements and the way that prepare() adds quotes. But the rest is good. I'll be committing a bunch of stuff in a few moments.

#3 @boonebgorges
11 years ago

  • Keywords has-patch added; needs-patch 2nd-opinion removed

Actually, I've decided not to commit anything until WP 3.6 is officially out, so that they don't change stuff again at the last minute. Patch attached (5100.patch) which implements most of needle's patch. I've also eliminated a couple of pointless calls to esc_sql(), namely where we've already run wp_parse_id_list() and so already have a guaranteed list of ints. Also adds a testcase for a touched method.
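The following is an added illustration, not code from this ticket, from BuddyPress or from WordPress, of the two replacements the description names (esc_sql() and $wpdb->prepare()) together with the two caveats raised in comments 2 and 3: prepare() adds its own quotes around %s, so it cannot take a comma-separated list as one placeholder, and a list that has already been through wp_parse_id_list() is all integers, so esc_sql() on it is redundant. It assumes WordPress is loaded (for example as a small plugin file or via `wp eval-file`) so that $wpdb, esc_sql() and wp_parse_id_list() exist; every function name below is the example's own, and $wpdb->users is used only as a stand-in table.

```php
<?php
// Added example for ticket #5100; not BuddyPress or WordPress code.
// Assumes WordPress is loaded; function names are this example's own.

// The pattern the ticket removes. $wpdb->escape() is deprecated in WP 3.6
// and raises a notice under WP_DEBUG. Shown only for contrast. Note that
// escaping does nothing for an UNQUOTED context: a value such as
// "1) OR 1=1 -- " contains no quote to escape and lands in the query as-is.
function example_exclude_deprecated( $exclude ) {
    global $wpdb;
    $list = $wpdb->escape( is_array( $exclude ) ? implode( ',', $exclude ) : $exclude );
    return "SELECT ID FROM {$wpdb->users} WHERE ID NOT IN ({$list})";
}

// Integer lists (comment 3): wp_parse_id_list() casts every element with
// absint() and de-duplicates, so the imploded list is digits and commas
// only. Wrapping it in esc_sql() adds nothing, which is why the patch
// drops those calls.
function example_exclude_ids( $exclude ) {
    global $wpdb;
    $ids = wp_parse_id_list( $exclude ); // "1, 2,x" becomes array(1, 2, 0)
    if ( empty( $ids ) ) {
        return "SELECT ID FROM {$wpdb->users}";
    }
    return "SELECT ID FROM {$wpdb->users} WHERE ID NOT IN (" . implode( ',', $ids ) . ')';
}

// Scalar values: $wpdb->prepare() quotes and escapes %s itself and casts
// %d to an integer, so the caller never writes quotes around placeholders.
function example_find_user( $login, $min_id ) {
    global $wpdb;
    return $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users} WHERE user_login = %s AND ID > %d",
        $login,
        $min_id
    );
}

// Lists of strings (comment 2): prepare() turns a single %s into ONE quoted
// literal, so handing it "alice,bob" yields IN ('alice,bob'), which matches
// nothing. Generate one %s per element and pass the values as an array.
function example_users_by_login( array $logins ) {
    global $wpdb;
    if ( empty( $logins ) ) {
        return "SELECT ID FROM {$wpdb->users} WHERE 1 = 0";
    }
    $placeholders = implode( ',', array_fill( 0, count( $logins ), '%s' ) );
    return $wpdb->prepare(
        "SELECT ID FROM {$wpdb->users} WHERE user_login IN ({$placeholders})",
        $logins
    );
}

// esc_sql() belongs between quotes: it escapes quotes, backslashes and a few
// control characters and nothing else, so it only protects a string literal.
// An ORDER BY column or direction is an identifier, not a literal; neither
// esc_sql() nor prepare() helps there, so match it against an allow-list.
function example_search_users( $nicename, $orderby, $order ) {
    global $wpdb;
    $columns = array( 'ID', 'user_login', 'user_registered' );
    $orderby = in_array( $orderby, $columns, true ) ? $orderby : 'ID';
    $order   = ( 'DESC' === strtoupper( $order ) ) ? 'DESC' : 'ASC';
    return "SELECT ID FROM {$wpdb->users}"
        . " WHERE user_nicename = '" . esc_sql( $nicename ) . "'"
        . " ORDER BY {$orderby} {$order}";
}
```

The rule of thumb the four functions encode: use %d/%s placeholders wherever a single value goes into the query, build one placeholder per element for a list of strings, rely on wp_parse_id_list() alone for a list of IDs, and reserve esc_sql() for the cases where a fragment is assembled by hand inside quotes. Anything that is syntactically an identifier or keyword has to be allow-listed, because no escaping function can make it safe.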

@boonebgorges
11 years ago

#4 @boonebgorges
11 years ago

  • Owner set to boonebgorges
  • Resolution set to fixed
  • Status changed from new to closed

In 7337:

Use esc_sql() instead of $wpdb->escape() throughout

WordPress 3.6 deprecated the use of $wpdb->escape() for sanitizing SQL
query fragments, in favor of the rewritten esc_sql(). This changeset
makes the appropriate changes throughout BuddyPress.

In a few places, this changeset also removes redundant sanitization, in
particular when using wp_parse_id_list().

Also adds a unit test for a touched method (BP_User_Query, when using
the 'exclude' parameter).

Fixes #5100

Props needle

#5 @boonebgorges
11 years ago

In 7338:

Use esc_sql() instead of $wpdb->escape() throughout

WordPress 3.6 deprecated the use of $wpdb->escape() for sanitizing SQL
query fragments, in favor of the rewritten esc_sql(). This changeset
makes the appropriate changes throughout BuddyPress.

In a few places, this changeset also removes redundant sanitization, in
particular when using wp_parse_id_list().

Also adds a unit test for a touched method (BP_User_Query, when using
the 'exclude' parameter).

Fixes #5100

Props needle
