[buddypress-trac] [BuddyPress] #4992: Sanitization improvements to BP_Core_User methods

buddypress-trac noreply at wordpress.org
Wed May 8 20:22:55 UTC 2013

#4992: Sanitization improvements to BP_Core_User methods
 Reporter:  johnjamesjacoby  |       Owner:
     Type:  defect (bug)     |      Status:  new
 Priority:  highest          |   Milestone:  1.7.2
Component:  Core             |     Version:  1.2
 Severity:  critical         |  Resolution:
 Keywords:  has-patch        |

Comment (by boonebgorges):

 Thanks, guys. I've reviewed the two patches. There were one or two places
 where each of you caught something that the other hadn't, so it's nice to
 have many eyes.

 For the sake of standardization, I've gone with the following strategy and
 syntax for sanitizing integer lists for use in a query:

 $include = implode( ',', wp_parse_id_list( $include ) );

 - one line, easy to read
 - No need to run through esc_sql(). All that does is addslashes()
 (`wpdb::_weak_escape()`). The return value of `wp_parse_id_list()` will
 always be an array of positive integers, so imploding them with commas
 will never result in anything that needs to be slashed (single quotes,
 double quotes, backslash, null character).

 I'm also including, in the trunk commit, a number of tests for the more
 delicate of the database classes.

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/4992#comment:2>
BuddyPress <http://buddypress.org/>

More information about the buddypress-trac mailing list