[wp-trac] [WordPress Trac] #57731: Bug: WP_User_Query returns wrong user details
WordPress Trac
noreply at wordpress.org
Fri Feb 17 05:17:47 UTC 2023
#57731: Bug: WP_User_Query returns wrong user details
---------------------------+------------------------------
Reporter: ak.singla | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 6.1.1
Severity: major | Resolution:
Keywords: needs-testing | Focuses:
---------------------------+------------------------------
Comment (by ak.singla):
Replying to [comment:3 dd32]:
> > `'search_columns' => ['user_email', 'ID']`
>
> `search_columns` being explicitly set to search within `ID` does make
> this a little plugin-implementation specific though, WordPress only does
> this when the search field is explicitly numeric.
Referring to search_columns (parameter, type: array), the user can use any
combination from the available options.
{{{
search_columns (array) – List of database table columns to match
the search string across multiple columns.
    'ID' – Search by user id.
    'user_login' – Search by user login.
    'user_nicename' – Search by user nicename.
    'user_email' – Search by user email.
    'user_url' – Search by user url.
}}}
In File: wp-includes/class-wp-user-query.php, WordPress does check for the
type of the search value, but only when the "search_columns" are not
explicitly provided in the arguments.
{{{
$search_columns = array();
if ( $qv['search_columns'] ) {
    $search_columns = array_intersect(
        $qv['search_columns'],
        array( 'ID', 'user_login', 'user_email', 'user_url', 'user_nicename', 'display_name' )
    );
}
if ( ! $search_columns ) {
    if ( false !== strpos( $search, '@' ) ) {
        $search_columns = array( 'user_email' );
    } elseif ( is_numeric( $search ) ) {
        $search_columns = array( 'user_login', 'ID' );
    } elseif ( preg_match( '|^https?://|', $search ) && ! ( is_multisite() && wp_is_large_network( 'users' ) ) ) {
        $search_columns = array( 'user_url' );
    } else {
        $search_columns = array( 'user_login', 'user_url', 'user_email', 'user_nicename', 'display_name' );
    }
}
}}}
There seems to be a need for an added check before creating the SQL
statement.
> A better check for a plugin would be something like this:
> {{{
> $search = 'abc@email.com';
> $user_query_args = array(
>     'search'         => $search,
>     'search_columns' => ( is_numeric( $search ) ? ['user_email', 'ID'] : [ 'user_email' ] )
> );
> $user_query = new WP_User_Query($user_query_args);
> }}}
Yes, I have already used something similar to change search_columns based
on the search term data type when we found this issue with one of our
users having "999xxxxx@gmxxx.com" in his email ID.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57731#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
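
Added example (not part of the ticket comment and not WordPress core code): a small PHP helper a plugin could run before building its query, so that `ID` is only searched when the whole term is an unsigned integer. The function name `normalize_user_search_columns()` and the sample terms are assumptions made for illustration; it uses `ctype_digit()`, which is stricter than the `is_numeric()` check quoted above.

```php
<?php
/**
 * Hypothetical helper: filter caller-supplied search_columns so the numeric
 * ID column is never matched against a term that is not a plain integer.
 *
 * @param string   $search    Raw search term.
 * @param string[] $requested Columns the caller wants to search.
 * @return string[] Columns that are safe to pass as 'search_columns'.
 */
function normalize_user_search_columns( string $search, array $requested ): array {
    // Same allow-list that class-wp-user-query.php intersects against.
    $allowed = array( 'ID', 'user_login', 'user_email', 'user_url', 'user_nicename', 'display_name' );
    $columns = array_values( array_intersect( $requested, $allowed ) );

    // ctype_digit() rejects '', '1e3', '12.5', '-4' and '999xxxxx@example.com',
    // all of which should never be compared with the integer ID column.
    $term = trim( $search );
    if ( '' === $term || ! ctype_digit( $term ) ) {
        $columns = array_values( array_diff( $columns, array( 'ID' ) ) );
    }

    return $columns;
}

// Constructed sample terms; the e-mail address is a placeholder.
$samples = array( '999xxxxx@example.com', '42', '1e3', 'alice' );

foreach ( $samples as $term ) {
    $columns = normalize_user_search_columns( $term, array( 'user_email', 'ID' ) );

    if ( ! $columns ) {
        // Every requested column was dropped: skip the query instead of
        // passing an empty list, which would trigger core's auto-detection.
        printf( "%-22s => (no query)\n", $term );
        continue;
    }

    printf( "%-22s => %s\n", $term, implode( ', ', $columns ) );

    // Inside WordPress the result would be used like this:
    // $user_query = new WP_User_Query( array(
    //     'search'         => $term,
    //     'search_columns' => $columns,
    // ) );
}
```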