BuddyPress.org

#9017 closed defect (bug) (fixed)

`BP_Activity_Query::get_sql_for_clause()` can wrongly use `$wpdb->prepare()`

Reported by: imath Owned by: imath
Milestone: 12.0.0 Priority: normal
Severity: normal Version:
Component: Activity Keywords: has-patch
Cc:

Description

I wasn't able to find which part of the code is trying to query activities comparing hide_sitewide to [ 0, 1 ], but this is causing a doing it wrong notice with $wpdb->prepare().

To avoid it, I believe we simply need to make sure the placeholder used with $wpdb->prepare() is an integer as expected.

I'll suggest a PR asap.

Change History (2)

This ticket was mentioned in PR #186 on buddypress/buddypress by @imath.


10 months ago
#1

  • Keywords has-patch added; needs-patch removed

Avoid wrong usage of $wpdb->prepare() in BP_Activity_Query::get_sql_for_clause()

Trac ticket: https://buddypress.trac.wordpress.org/ticket/9017

#2 @imath
10 months ago

  • Owner set to imath
  • Resolution set to fixed
  • Status changed from new to closed

In 13634:

Avoid $wpdb->prepare() wrong usage when getting favorited activities

In the BP_Activity_Query::get_sql_for_clause() method, make sure the placeholder used with $wpdb->prepare() is an integer as expected when setting the hide_sitewide clause.

Fixes #9017
Closes https://github.com/buddypress/buddypress/pull/186
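
One way to keep `%d` placeholders and arguments aligned when the compared value may be a list such as `[ 0, 1 ]`, since `$wpdb->prepare()` raises its doing-it-wrong notice when the two counts differ. This is an added example, not code from the BuddyPress changeset; the function name `example_hide_sitewide_clause()` and the `a.` table alias are hypothetical.

```php
<?php
// Added illustration, not BuddyPress code. The function name and the
// "a." table alias are hypothetical.

/**
 * Build a hide_sitewide WHERE fragment with exactly one %d per argument.
 *
 * @param mixed $value A scalar (0, '1', true) or a list such as [ 0, 1 ].
 * @return array SQL template at index 0, integer arguments at index 1.
 */
function example_hide_sitewide_clause( $value ) {
	// Cast every candidate to int so each one is a valid %d argument,
	// then drop duplicates and reindex.
	$ints = array_values( array_unique( array_map( 'intval', (array) $value ) ) );

	if ( ! $ints ) {
		// No values: match nothing. This template has no placeholder,
		// so it must not be passed through $wpdb->prepare().
		return array( '1 = 0', array() );
	}

	if ( 1 === count( $ints ) ) {
		return array( 'a.hide_sitewide = %d', $ints );
	}

	// One %d per value, e.g. "%d, %d" for [ 0, 1 ].
	$placeholders = implode( ', ', array_fill( 0, count( $ints ), '%d' ) );

	return array( "a.hide_sitewide IN ( {$placeholders} )", $ints );
}

// Constructed sample inputs, including the [ 0, 1 ] list from the ticket.
$samples = array( 0, '1', array( 0, 1 ), array( '0', '1', '1' ), array() );

foreach ( $samples as $input ) {
	list( $sql, $args ) = example_hide_sitewide_clause( $input );
	printf( "%-36s args=%s\n", $sql, json_encode( $args ) );
	// Inside WordPress: $where = $args ? $wpdb->prepare( $sql, $args ) : $sql;
}
```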
