[wp-trac] [WordPress Trac] #57731: Bug: WP_User_Query returns wrong user details
WordPress Trac
noreply at wordpress.org
Fri Feb 17 01:34:18 UTC 2023
#57731: Bug: WP_User_Query returns wrong user details
---------------------------+------------------------------
Reporter: ak.singla | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 6.1.1
Severity: major | Resolution:
Keywords: needs-testing | Focuses:
---------------------------+------------------------------
Comment (by dd32):
Replying to [comment:2 psykro]:
> {{{ user_email LIKE '123abc@email.com' OR ID = '123abc@email.com' }}}
>
> If you run it, it will result in user ID 123 being returned.
It seems unexpected that we'd be looking up non-numeric data in a numeric
field, so it's probably worthwhile considering this a WordPress bug, even
if it's a plugin explicitly asking for it, and ultimately just SQL casting
a numeric-like-string to integers, which is something that even PHP does
(`intval( '123abc@email.com' ) === 123` - but
`is_numeric( '123abc@email.com' ) === false`) and WordPress has had to
work around in other areas of code before.
> `'search_columns' => ['user_email', 'ID']`
`search_columns` being explicitly set to search within `ID` does make this
a little plugin-implementation specific though, WordPress only does this
when the search field is explicitly numeric.
A better check for a plugin would be something like this:
{{{
$search = 'abc@email.com';
$user_query_args = array(
	'search'         => $search,
	// Only search the numeric ID column when the term itself is numeric.
	'search_columns' => ( is_numeric( $search ) ? array( 'user_email', 'ID' ) : array( 'user_email' ) ),
);
$user_query = new WP_User_Query( $user_query_args );
}}}
This isn't a 6.1 regression though from what I can see, but I'd be
supportive of defensive checks added here somewhat similar to
https://github.com/WordPress/wordpress-develop/compare/trunk...fix/57731-search-id-with-string
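A plugin-side version of the check above, as an added example (not code from the ticket, WordPress core, or the linked branch): it only searches the `ID` column when the term is a plain unsigned integer literal, which is stricter than `is_numeric()` (that also accepts `' 123'`, `'1e3'`, `'123.0'` and `'-5'`, none of which is a user ID). The function names are assumptions.

```php
<?php
// Added example, not from the ticket: choose WP_User_Query search columns
// so that the integer ID column is never compared against a string MySQL
// would silently coerce ('123abc@email.com' -> 123).

/**
 * Return the search_columns to use for a user search term.
 * ID is included only for a strict unsigned integer literal
 * (digits only, no leading zero), never on an is_numeric() match.
 */
function safe_user_search_columns( string $search ): array {
	$columns = array( 'user_email' );
	if ( ctype_digit( $search ) && '0' !== $search[0] ) {
		$columns[] = 'ID';
	}
	return $columns;
}

/**
 * Build WP_User_Query arguments for a search term using the safe columns.
 */
function safe_user_query_args( string $search ): array {
	return array(
		'search'         => $search,
		'search_columns' => safe_user_search_columns( $search ),
	);
}

// Self-check with plain PHP (no WordPress needed). The first case is the
// ticket's own failing input; the last two are accepted by is_numeric()
// but are not valid user IDs, so ID is still left out.
assert( safe_user_search_columns( '123abc@email.com' ) === array( 'user_email' ) );
assert( safe_user_search_columns( '123' ) === array( 'user_email', 'ID' ) );
assert( safe_user_search_columns( ' 123' ) === array( 'user_email' ) );
assert( safe_user_search_columns( '1e3' ) === array( 'user_email' ) );

// The PHP-side coercion mentioned in the comment, for comparison:
assert( intval( '123abc@email.com' ) === 123 );
assert( is_numeric( '123abc@email.com' ) === false );

// Inside WordPress the arguments would then be passed on unchanged:
// $user_query = new WP_User_Query( safe_user_query_args( $search ) );
```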
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57731#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>