[buddypress-trac] [BuddyPress Trac] #5508: improve filterability (sorting) of Activity loop
buddypress-trac
noreply at wordpress.org
Sun Nov 13 03:26:11 UTC 2016
#5508: improve filterability (sorting) of Activity loop
-------------------------+----------------------
Reporter: mpa4hu | Owner:
Type: enhancement | Status: closed
Priority: normal | Milestone:
Component: Activity | Version: 2.0
Severity: normal | Resolution: wontfix
Keywords: has-patch |
-------------------------+----------------------
Changes (by boonebgorges):
* keywords: has-patch dev-feedback => has-patch
* status: new => closed
* resolution: => wontfix
* milestone: Future Release =>
Comment:
`$sort` is compared against a whitelist for security. I don't think
that BP allows you to pass `sort` or `orderby` in URL params by default,
but if a plugin did so, you'd open yourself up for SQL injection. For this
reason, as a general rule, it's not good practice to allow
non-parameterized SQL values to be set via function parameter.
The situation described by @mpa4hu is quite specific, so I think it's OK
to suggest that this is the "proper" way to do it:
{{{
function bp5508_filter_orderby( $sql, $r ) {
	// Each allowed 'sort' value maps to a fixed ORDER BY fragment; the raw value never reaches the SQL.
	if ( 'hottest' === $r['sort'] ) {
		$orderby = 'foo';
	} elseif ( 'recent' === $r['sort'] ) {
		$orderby = 'bar';
	} else {
		// Unknown sort value: leave the query untouched.
		return $sql;
	}

	// The pattern needs PCRE delimiters to be valid for preg_replace().
	$sql = preg_replace( '/ORDER BY a\.date_recorded (ASC|DESC), a\.id (ASC|DESC)/', 'ORDER BY ' . $orderby, $sql );

	return $sql;
}
// The filter passes two arguments ($sql, $r), so accept both.
add_filter( 'bp_activity_paged_activities_sql', 'bp5508_filter_orderby', 10, 2 );
}}}
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5508#comment:7>
BuddyPress Trac <http://buddypress.org/>
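The allowlist approach the comment above argues for, as an added example that is not part of the ticket or of BuddyPress itself: the unsafe version splices the caller's `sort` string into the query, while the safe version treats it only as a key into a fixed map and falls back to a default for anything unrecognised. The function names, the allowed keys and the `a.favorite_count` column are assumptions made for illustration.

```php
<?php
// Added example (not from the ticket or BuddyPress): allowlist-based ORDER BY
// construction next to the unsafe interpolation it replaces. Function names,
// keys and the favorite_count column are hypothetical.

/**
 * UNSAFE: whatever arrives in $sort is appended straight to the SQL. If a plugin
 * ever fed this from a URL parameter, the caller would control the query text.
 */
function bp5508_unsafe_order_clause( $sort ) {
	return 'ORDER BY ' . $sort;
}

/**
 * SAFE: $sort is only ever used as a key into a fixed map; the fragment that
 * reaches the query is one of the literals below, never the caller's string.
 */
function bp5508_order_clause( $sort, $default = 'recent' ) {
	// Hypothetical allowlist: key => trusted ORDER BY fragment.
	$allowed = array(
		'recent'  => 'a.date_recorded DESC, a.id DESC',
		'oldest'  => 'a.date_recorded ASC, a.id ASC',
		'hottest' => 'a.favorite_count DESC, a.id DESC', // column assumed for illustration
	);

	// Non-strings and unknown keys are rejected, not sanitised: fall back to the default.
	if ( ! is_string( $sort ) || ! array_key_exists( $sort, $allowed ) ) {
		$sort = $default;
	}

	return 'ORDER BY ' . $allowed[ $sort ];
}

// Demonstration on constructed inputs: two valid keys, a string that is not a
// key (so it never reaches the SQL) and a non-string.
$inputs = array( 'hottest', 'recent', 'a.id; not_in_allowlist', 42 );
foreach ( $inputs as $in ) {
	printf( "%-32s => %s\n", var_export( $in, true ), bp5508_order_clause( $in ) );
}
```

Running the script shows the third and fourth inputs both producing the default `recent` clause; the same inputs passed to `bp5508_unsafe_order_clause()` would be emitted verbatim, which is exactly the exposure the comment describes.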