Commit 1e271199 authored by lechuck's avatar lechuck Committed by lechuck

Buddypress upgrade to 1.7.2

parent 08867d98
......@@ -170,7 +170,7 @@ class BP_Activity_Activity {
// Searching
if ( $search_terms ) {
$search_terms = $wpdb->escape( $search_terms );
$where_conditions['search_sql'] = "a.content LIKE '%%" . like_escape( $search_terms ) . "%%'";
$where_conditions['search_sql'] = "a.content LIKE '%%" . esc_sql( like_escape( $search_terms ) ) . "%%'";
}
// Filtering
......@@ -238,15 +238,11 @@ class BP_Activity_Activity {
$total_activities = $wpdb->get_var( $total_activities_sql );
// Get the fullnames of users so we don't have to query in the loop
$activity_user_ids = array();
if ( bp_is_active( 'xprofile' ) && $activities ) {
foreach ( (array) $activities as $activity ) {
if ( (int) $activity->user_id )
$activity_user_ids[] = $activity->user_id;
}
if ( bp_is_active( 'xprofile' ) && !empty( $activities ) ) {
$activity_user_ids = wp_list_pluck( $activities, 'user_id' );
$activity_user_ids = implode( ',', wp_parse_id_list( $activity_user_ids ) );
$activity_user_ids = implode( ',', array_unique( (array) $activity_user_ids ) );
if ( !empty( $activity_user_ids ) ) {
if ( !empty( $activity_user_ids ) ) {
if ( $names = $wpdb->get_results( "SELECT user_id, value AS user_fullname FROM {$bp->profile->table_name_data} WHERE field_id = 1 AND user_id IN ({$activity_user_ids})" ) ) {
foreach ( (array) $names as $name )
$tmp_names[$name->user_id] = $name->user_fullname;
......@@ -319,10 +315,10 @@ class BP_Activity_Activity {
$where_args[] = $wpdb->prepare( "type = %s", $type );
if ( !empty( $item_id ) )
$where_args[] = $wpdb->prepare( "item_id = %s", $item_id );
$where_args[] = $wpdb->prepare( "item_id = %d", $item_id );
if ( !empty( $secondary_item_id ) )
$where_args[] = $wpdb->prepare( "secondary_item_id = %s", $secondary_item_id );
$where_args[] = $wpdb->prepare( "secondary_item_id = %d", $secondary_item_id );
if ( !empty( $action ) )
$where_args[] = $wpdb->prepare( "action = %s", $action );
......@@ -384,10 +380,10 @@ class BP_Activity_Activity {
$where_args[] = $wpdb->prepare( "primary_link = %s", $primary_link );
if ( !empty( $item_id ) )
$where_args[] = $wpdb->prepare( "item_id = %s", $item_id );
$where_args[] = $wpdb->prepare( "item_id = %d", $item_id );
if ( !empty( $secondary_item_id ) )
$where_args[] = $wpdb->prepare( "secondary_item_id = %s", $secondary_item_id );
$where_args[] = $wpdb->prepare( "secondary_item_id = %d", $secondary_item_id );
if ( !empty( $date_recorded ) )
$where_args[] = $wpdb->prepare( "date_recorded = %s", $date_recorded );
......@@ -416,24 +412,18 @@ class BP_Activity_Activity {
return $activity_ids;
}
function delete_activity_item_comments( $activity_ids ) {
function delete_activity_item_comments( $activity_ids = array() ) {
global $bp, $wpdb;
if ( is_array( $activity_ids ) )
$activity_ids = implode ( ',', array_map( 'absint', $activity_ids ) );
else
$activity_ids = implode ( ',', array_map( 'absint', explode ( ',', $activity_ids ) ) );
$activity_ids = implode( ',', wp_parse_id_list( $activity_ids ) );
return $wpdb->query( "DELETE FROM {$bp->activity->table_name} WHERE type = 'activity_comment' AND item_id IN ({$activity_ids})" );
}
function delete_activity_meta_entries( $activity_ids ) {
function delete_activity_meta_entries( $activity_ids = array() ) {
global $bp, $wpdb;
if ( is_array( $activity_ids ) )
$activity_ids = implode ( ',', array_map( 'absint', $activity_ids ) );
else
$activity_ids = implode ( ',', array_map( 'absint', explode ( ',', $activity_ids ) ) );
$activity_ids = implode( ',', wp_parse_id_list( $activity_ids ) );
return $wpdb->query( "DELETE FROM {$bp->activity->table_name_meta} WHERE activity_id IN ({$activity_ids})" );
}
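Review bot: The search term in the first hunk is escaped twice: the unchanged `$search_terms = $wpdb->escape( $search_terms );` line is kept and the new line wraps the result in `esc_sql( like_escape( ... ) )` again, so a term containing a quote or backslash is double-escaped and the LIKE pattern no longer matches what the user typed. Dropping the `$wpdb->escape()` line and keeping only `$where_conditions['search_sql'] = "a.content LIKE '%%" . esc_sql( like_escape( $search_terms ) ) . "%%'";` is enough, since esc_sql performs the same escaping and wpdb::escape is the deprecated form. In the last hunk, delete_activity_item_comments and delete_activity_meta_entries now default `$activity_ids` to an empty array but still interpolate the imploded list straight into `IN ({$activity_ids})`; an empty input yields `IN ()`, which MySQL rejects as a syntax error, so an `if ( empty( $activity_ids ) ) return false;` after the wp_parse_id_list call would be safer. The same unguarded empty-list pattern appears in the new BP_Core_User::get_specific_users lines (`ID IN ({$user_ids})`) and in the two BP_Friends_Friendship hunks that add `$user_ids = implode( ',', wp_parse_id_list( $user_ids ) );` directly before a `user_id IN ( {$user_ids} )` query.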
......
......@@ -23,10 +23,14 @@ function bp_blogs_register_activity_actions() {
global $bp;
// Bail if activity is not active
if ( ! bp_is_active( 'activity' ) )
if ( ! bp_is_active( 'activity' ) ) {
return false;
}
if ( is_multisite() ) {
bp_activity_set_action( $bp->blogs->id, 'new_blog', __( 'New site created', 'buddypress' ) );
}
bp_activity_set_action( $bp->blogs->id, 'new_blog', __( 'New site created', 'buddypress' ) );
bp_activity_set_action( $bp->blogs->id, 'new_blog_post', __( 'New post published', 'buddypress' ) );
bp_activity_set_action( $bp->blogs->id, 'new_blog_comment', __( 'New post comment posted', 'buddypress' ) );
......
......@@ -109,7 +109,7 @@ class BP_Blogs_Blog {
}
if ( !empty( $search_terms ) ) {
$filter = like_escape( $wpdb->escape( $search_terms ) );
$filter = esc_sql( like_escape( $search_terms ) );
$paged_blogs = $wpdb->get_results( "SELECT b.blog_id, b.user_id as admin_user_id, u.user_email as admin_user_email, wb.domain, wb.path, bm.meta_value as last_activity, bm2.meta_value as name FROM {$bp->blogs->table_name} b, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2, {$wpdb->base_prefix}blogs wb, {$wpdb->users} u WHERE b.blog_id = wb.blog_id AND b.user_id = u.ID AND b.blog_id = bm.blog_id AND b.blog_id = bm2.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'last_activity' AND bm2.meta_key = 'name' AND bm2.meta_value LIKE '%%$filter%%' {$user_sql} GROUP BY b.blog_id {$order_sql} {$pag_sql}" );
$total_blogs = $wpdb->get_var( "SELECT COUNT(DISTINCT b.blog_id) FROM {$bp->blogs->table_name} b, {$wpdb->base_prefix}blogs wb, {$bp->blogs->table_name_blogmeta} bm, {$bp->blogs->table_name_blogmeta} bm2 WHERE b.blog_id = wb.blog_id AND bm.blog_id = b.blog_id AND bm2.blog_id = b.blog_id AND wb.archived = '0' AND wb.spam = 0 AND wb.mature = 0 AND wb.deleted = 0 {$hidden_sql} AND bm.meta_key = 'name' AND bm2.meta_key = 'description' AND ( bm.meta_value LIKE '%%$filter%%' || bm2.meta_value LIKE '%%$filter%%' ) {$user_sql}" );
} else {
......@@ -119,10 +119,9 @@ class BP_Blogs_Blog {
$blog_ids = array();
foreach ( (array) $paged_blogs as $blog ) {
$blog_ids[] = $blog->blog_id;
$blog_ids[] = (int) $blog->blog_id;
}
$blog_ids = $wpdb->escape( join( ',', (array) $blog_ids ) );
$paged_blogs = BP_Blogs_Blog::get_blog_extras( $paged_blogs, $blog_ids, $type );
return array( 'blogs' => $paged_blogs, 'total' => $total_blogs );
......@@ -211,8 +210,9 @@ class BP_Blogs_Blog {
function search_blogs( $filter, $limit = null, $page = null ) {
global $wpdb, $bp;
$filter = like_escape( $wpdb->escape( $filter ) );
$filter = esc_sql( like_escape( $filter ) );
$hidden_sql = '';
if ( !bp_current_user_can( 'bp_moderate' ) )
$hidden_sql = "AND wb.public = 1";
......@@ -241,8 +241,9 @@ class BP_Blogs_Blog {
function get_by_letter( $letter, $limit = null, $page = null ) {
global $bp, $wpdb;
$letter = like_escape( $wpdb->escape( $letter ) );
$letter = esc_sql( like_escape( $letter ) );
$hidden_sql = '';
if ( !bp_current_user_can( 'bp_moderate' ) )
$hidden_sql = "AND wb.public = 1";
......@@ -261,6 +262,8 @@ class BP_Blogs_Blog {
if ( empty( $blog_ids ) )
return $paged_blogs;
$blog_ids = implode( ',', wp_parse_id_list( $blog_ids ) );
for ( $i = 0, $count = count( $paged_blogs ); $i < $count; ++$i ) {
$blog_prefix = $wpdb->get_blog_prefix( $paged_blogs[$i]->blog_id );
$paged_blogs[$i]->latest_post = $wpdb->get_row( "SELECT ID, post_content, post_title, post_excerpt, guid FROM {$blog_prefix}posts WHERE post_status = 'publish' AND post_type = 'post' AND id != 1 ORDER BY id DESC LIMIT 1" );
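Review bot: The two queries directly below the new `$filter = esc_sql( like_escape( $search_terms ) );` line in the first hunk embed the pattern as `'%%$filter%%'`, yet they are passed straight to `$wpdb->get_results()` and `$wpdb->get_var()` without `$wpdb->prepare()`, so the doubled `%%` is never collapsed and reaches MySQL as two consecutive wildcards. That still matches, but it reads as prepare-style escaping that is not happening, and it hides which queries are actually parameterised; `LIKE '%{$filter}%'` states the intent. The escaping order itself is right: like_escape() must run before esc_sql() so the backslashes it adds are escaped for the string literal.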
......
......@@ -92,12 +92,7 @@ function bp_update_meta_cache( $args = array() ) {
$object_column = $object_type . '_id';
}
if ( !is_array( $object_ids ) ) {
$object_ids = preg_replace( '|[^0-9,]|', '', $object_ids );
$object_ids = explode( ',', $object_ids );
}
$object_ids = array_map( 'intval', $object_ids );
$object_ids = wp_parse_id_list( $object_ids );
$cache = array();
......
......@@ -301,7 +301,7 @@ class BP_User_Query {
// @todo remove need for bp_is_active() check
if ( empty( $include ) && ! empty( $user_id ) && bp_is_active( 'friends' ) ) {
$friend_ids = friends_get_friend_user_ids( $user_id );
$friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
$friend_ids = implode( ',', wp_parse_id_list( $friend_ids ) );
if ( ! empty( $friend_ids ) ) {
$sql['where'][] = "u.{$this->uid_name} IN ({$friend_ids})";
......@@ -803,6 +803,7 @@ class BP_Core_User {
}
if ( !empty( $exclude ) ) {
$exclude = implode( ',', wp_parse_id_list( $exclude ) );
$sql['where_exclude'] = "AND u.ID NOT IN ({$exclude})";
}
......@@ -812,20 +813,13 @@ class BP_Core_User {
$sql['where_users'] = "AND 0 = 1";
} else {
if ( !empty( $include ) ) {
if ( is_array( $include ) ) {
$uids = $wpdb->escape( implode( ',', (array) $include ) );
} else {
$uids = $wpdb->escape( $include );
}
if ( !empty( $uids ) ) {
$sql['where_users'] = "AND u.ID IN ({$uids})";
}
$include = implode( ',', wp_parse_id_list( $include ) );
$sql['where_users'] = "AND u.ID IN ({$include})";
} elseif ( !empty( $user_id ) && bp_is_active( 'friends' ) ) {
$friend_ids = friends_get_friend_user_ids( $user_id );
$friend_ids = $wpdb->escape( implode( ',', (array) $friend_ids ) );
if ( !empty( $friend_ids ) ) {
$friend_ids = implode( ',', wp_parse_id_list( $friend_ids ) );
$sql['where_friends'] = "AND u.ID IN ({$friend_ids})";
// User has no friends, return false since there will be no users to fetch.
......@@ -836,7 +830,7 @@ class BP_Core_User {
}
if ( !empty( $search_terms ) && bp_is_active( 'xprofile' ) ) {
$search_terms = like_escape( $wpdb->escape( $search_terms ) );
$search_terms = esc_sql( like_escape( $search_terms ) );
$sql['where_searchterms'] = "AND spd.value LIKE '%%$search_terms%%'";
}
......@@ -911,8 +905,6 @@ class BP_Core_User {
$user_ids[] = $user->id;
}
$user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
// Add additional data to the returned results
$paged_users = BP_Core_User::get_user_extras( $paged_users, $user_ids, $type );
}
......@@ -953,10 +945,15 @@ class BP_Core_User {
}
}
$letter = like_escape( $wpdb->escape( $letter ) );
$letter = esc_sql( like_escape( $letter ) );
$status_sql = bp_core_get_status_sql( 'u.' );
$exclude_sql = ( !empty( $exclude ) ) ? " AND u.ID NOT IN ({$exclude})" : "";
if ( !empty( $exclude ) ) {
$exclude = implode( ',', wp_parse_id_list( $r['exclude'] ) );
$exclude_sql = " AND u.id NOT IN ({$exclude})";
} else {
$exclude_sql = '';
}
$total_users_sql = apply_filters( 'bp_core_users_by_letter_count_sql', $wpdb->prepare( "SELECT COUNT(DISTINCT u.ID) FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%' ORDER BY pd.value ASC", bp_xprofile_fullname_field_name() ) );
$paged_users_sql = apply_filters( 'bp_core_users_by_letter_sql', $wpdb->prepare( "SELECT DISTINCT u.ID as id, u.user_registered, u.user_nicename, u.user_login, u.user_email FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id LEFT JOIN {$bp->profile->table_name_fields} pf ON pd.field_id = pf.id WHERE {$status_sql} AND pf.name = %s {$exclude_sql} AND pd.value LIKE '{$letter}%%' ORDER BY pd.value ASC{$pag_sql}", bp_xprofile_fullname_field_name() ) );
......@@ -973,9 +970,7 @@ class BP_Core_User {
*/
$user_ids = array();
foreach ( (array) $paged_users as $user )
$user_ids[] = $user->id;
$user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
$user_ids[] = (int) $user->id;
// Add additional data to the returned results
if ( $populate_extras ) {
......@@ -1003,10 +998,11 @@ class BP_Core_User {
if ( $limit && $page )
$pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
$user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
$status_sql = bp_core_get_status_sql();
$total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) " );
$paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ( " . $wpdb->escape( $user_ids ) . " ) {$pag_sql}" );
$total_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT COUNT(DISTINCT ID) FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ({$user_ids})" );
$paged_users_sql = apply_filters( 'bp_core_get_specific_users_count_sql', "SELECT DISTINCT ID as id, user_registered, user_nicename, user_login, user_email FROM {$wpdb->users} WHERE {$status_sql} AND ID IN ({$user_ids}) {$pag_sql}" );
$total_users = $wpdb->get_var( $total_users_sql );
$paged_users = $wpdb->get_results( $paged_users_sql );
......@@ -1045,7 +1041,7 @@ class BP_Core_User {
$user_ids = array();
$pag_sql = $limit && $page ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * intval( $limit ) ), intval( $limit ) ) : '';
$search_terms = like_escape( $wpdb->escape( $search_terms ) );
$search_terms = esc_sql( like_escape( $search_terms ) );
$status_sql = bp_core_get_status_sql( 'u.' );
$total_users_sql = apply_filters( 'bp_core_search_users_count_sql', "SELECT COUNT(DISTINCT u.ID) as id FROM {$wpdb->users} u LEFT JOIN {$bp->profile->table_name_data} pd ON u.ID = pd.user_id WHERE {$status_sql} AND pd.value LIKE '%%{$search_terms}%%' ORDER BY pd.value ASC", $search_terms );
......@@ -1061,8 +1057,6 @@ class BP_Core_User {
foreach ( (array) $paged_users as $user )
$user_ids[] = $user->id;
$user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
// Add additional data to the returned results
if ( $populate_extras )
$paged_users = BP_Core_User::get_user_extras( $paged_users, $user_ids );
......@@ -1089,6 +1083,9 @@ class BP_Core_User {
if ( empty( $user_ids ) )
return $paged_users;
// Sanitize user IDs
$user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
// Fetch the user's full name
if ( bp_is_active( 'xprofile' ) && 'alphabetical' != $type ) {
$names = $wpdb->get_results( $wpdb->prepare( "SELECT pd.user_id as id, pd.value as fullname FROM {$bp->profile->table_name_fields} pf, {$bp->profile->table_name_data} pd WHERE pf.id = pd.field_id AND pf.name = %s AND pd.user_id IN ( {$user_ids} )", bp_xprofile_fullname_field_name() ) );
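Review bot: In the get_users_by_letter hunk the exclude branch tests `$exclude` but builds the list from `$r['exclude']`; unless `$r` is populated by a wp_parse_args() call earlier in the function (its start is outside the hunk), `$r` is undefined there, the branch silently yields an empty list, and the clause becomes `AND u.id NOT IN ()`, which is invalid SQL and fails the whole letter query. Using the variable that was just checked, `$exclude = implode( ',', wp_parse_id_list( $exclude ) );`, removes that dependency. The same line also switches to lowercase `u.id` while every other query in the file uses `u.ID`; MySQL treats column names case-insensitively, but keeping `u.ID` is consistent. The BP_Groups_Group::get() hunk later in the commit uses `$r['include']` and `$r['exclude']` in the same way and is correct only if `$r` is defined in that function, which should be confirmed.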
......
......@@ -130,7 +130,7 @@ function bp_core_filter_comments( $comments, $post_id ) {
if ( empty( $user_ids ) )
return $comments;
$user_ids = implode( ',', $user_ids );
$user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
if ( !$userdata = $wpdb->get_results( "SELECT ID as user_id, user_login, user_nicename FROM {$wpdb->users} WHERE ID IN ({$user_ids})" ) )
return $comments;
......
......@@ -141,7 +141,7 @@ function bp_core_get_directory_pages() {
// Always get page data from the root blog, except on multiblog mode, when it comes
// from the current blog
$posts_table_name = bp_is_multiblog_mode() ? $wpdb->posts : $wpdb->get_blog_prefix( bp_get_root_blog_id() ) . 'posts';
$page_ids_sql = implode( ',', (array) $page_ids );
$page_ids_sql = implode( ',', wp_parse_id_list( $page_ids ) );
$page_names = $wpdb->get_results( "SELECT ID, post_name, post_parent, post_title FROM {$posts_table_name} WHERE ID IN ({$page_ids_sql}) AND post_status = 'publish' " );
foreach ( (array) $page_ids as $component_id => $page_id ) {
......
......@@ -144,7 +144,7 @@ class BP_Friends_Friendship {
if ( empty( $user_id ) )
$user_id = bp_loggedin_user_id();
$filter = like_escape( $wpdb->escape( $filter ) );
$filter = esc_sql( like_escape( $filter ) );
if ( !empty( $limit ) && !empty( $page ) )
$pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
......@@ -153,7 +153,7 @@ class BP_Friends_Friendship {
return false;
// Get all the user ids for the current user's friends.
$fids = implode( ',', $friend_ids );
$fids = implode( ',', wp_parse_id_list( $friend_ids ) );
if ( empty( $fids ) )
return false;
......@@ -198,6 +198,8 @@ class BP_Friends_Friendship {
function get_bulk_last_active( $user_ids ) {
global $wpdb;
$user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
return $wpdb->get_results( $wpdb->prepare( "SELECT meta_value as last_activity, user_id FROM {$wpdb->usermeta} WHERE meta_key = %s AND user_id IN ( {$user_ids} ) ORDER BY meta_value DESC", bp_get_user_meta_key( 'last_activity' ) ) );
}
......@@ -222,7 +224,7 @@ class BP_Friends_Friendship {
function search_users( $filter, $user_id, $limit = null, $page = null ) {
global $wpdb, $bp;
$filter = like_escape( $wpdb->escape( $filter ) );
$filter = esc_sql( like_escape( $filter ) );
$usermeta_table = $wpdb->base_prefix . 'usermeta';
$users_table = $wpdb->base_prefix . 'users';
......@@ -248,7 +250,7 @@ class BP_Friends_Friendship {
function search_users_count( $filter ) {
global $wpdb, $bp;
$filter = like_escape( $wpdb->escape( $filter ) );
$filter = esc_sql( like_escape( $filter ) );
$usermeta_table = $wpdb->prefix . 'usermeta';
$users_table = $wpdb->base_prefix . 'users';
......@@ -274,6 +276,8 @@ class BP_Friends_Friendship {
if ( !bp_is_active( 'xprofile' ) )
return false;
$user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
return $wpdb->get_results( $wpdb->prepare( "SELECT user_id FROM {$bp->profile->table_name_data} pd, {$bp->profile->table_name_fields} pf WHERE pf.id = pd.field_id AND pf.name = %s AND pd.user_id IN ( {$user_ids} ) ORDER BY pd.value ASC", bp_xprofile_fullname_field_name() ) );
}
......
......@@ -16,13 +16,20 @@ if ( !defined( 'ABSPATH' ) ) exit;
function groups_register_activity_actions() {
global $bp;
if ( !bp_is_active( 'activity' ) )
if ( ! bp_is_active( 'activity' ) ) {
return false;
}
bp_activity_set_action( $bp->groups->id, 'created_group', __( 'Created a group', 'buddypress' ) );
bp_activity_set_action( $bp->groups->id, 'joined_group', __( 'Joined a group', 'buddypress' ) );
bp_activity_set_action( $bp->groups->id, 'new_forum_topic', __( 'New group forum topic', 'buddypress' ) );
bp_activity_set_action( $bp->groups->id, 'new_forum_post', __( 'New group forum post', 'buddypress' ) );
// These actions are for the legacy forums
// Since the bbPress plugin also shares the same 'forums' identifier, we also
// check for the legacy forums loader class to be extra cautious
if ( bp_is_active( 'forums' ) && class_exists( 'BP_Forums_Component' ) ) {
bp_activity_set_action( $bp->groups->id, 'new_forum_topic', __( 'New group forum topic', 'buddypress' ) );
bp_activity_set_action( $bp->groups->id, 'new_forum_post', __( 'New group forum post', 'buddypress' ) );
}
do_action( 'groups_register_activity_actions' );
}
......
......@@ -173,7 +173,7 @@ class BP_Groups_Group {
// Fetch the user IDs of all the members of the group
$user_ids = BP_Groups_Member::get_group_member_ids( $this->id );
$user_id_str = implode( ',', (array) $user_ids );
$user_id_str = esc_sql( implode( ',', wp_parse_id_list( $user_ids ) ) );
// Modify group count usermeta for members
$wpdb->query( "UPDATE {$wpdb->usermeta} SET meta_value = meta_value - 1 WHERE meta_key = 'total_group_count' AND user_id IN ( {$user_id_str} )" );
......@@ -221,7 +221,7 @@ class BP_Groups_Group {
if ( empty( $user_id ) )
$user_id = bp_displayed_user_id();
$filter = like_escape( $wpdb->escape( $filter ) );
$filter = esc_sql( like_escape( $filter ) );
if ( !empty( $limit ) && !empty( $page ) )
$pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
......@@ -232,7 +232,7 @@ class BP_Groups_Group {
if ( empty( $gids['groups'] ) )
return false;
$gids = implode( ',', $gids['groups'] );
$gids = esc_sql( implode( ',', wp_parse_id_list( $gids['groups'] ) ) );
$paged_groups = $wpdb->get_results( "SELECT id as group_id FROM {$bp->groups->table_name} WHERE ( name LIKE '{$filter}%%' OR description LIKE '{$filter}%%' ) AND id IN ({$gids}) {$pag_sql}" );
$total_groups = $wpdb->get_var( "SELECT COUNT(id) FROM {$bp->groups->table_name} WHERE ( name LIKE '{$filter}%%' OR description LIKE '{$filter}%%' ) AND id IN ({$gids})" );
......@@ -240,18 +240,21 @@ class BP_Groups_Group {
return array( 'groups' => $paged_groups, 'total' => $total_groups );
}
/**
* @todo Deprecate in favor of get()
*/
function search_groups( $filter, $limit = null, $page = null, $sort_by = false, $order = false ) {
global $wpdb, $bp;
$filter = like_escape( $wpdb->escape( $filter ) );
$filter = esc_sql( like_escape( $filter ) );
if ( !empty( $limit ) && !empty( $page ) )
$pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
if ( !empty( $sort_by ) && !empty( $order ) ) {
$sort_by = $wpdb->escape( $sort_by );
$order = $wpdb->escape( $order );
$order_sql = "ORDER BY $sort_by $order";
$sort_by = esc_sql( $sort_by );
$order = esc_sql( $order );
$order_sql = "ORDER BY {$sort_by} {$order}";
}
if ( !bp_current_user_can( 'bp_moderate' ) )
......@@ -363,7 +366,7 @@ class BP_Groups_Group {
$sql['hidden'] = " AND g.status != 'hidden'";
if ( !empty( $search_terms ) ) {
$search_terms = like_escape( $wpdb->escape( $search_terms ) );
$search_terms = esc_sql( like_escape( $search_terms ) );
$sql['search'] = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
}
......@@ -371,18 +374,14 @@ class BP_Groups_Group {
$sql['user'] = $wpdb->prepare( " AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0", $user_id );
if ( !empty( $include ) ) {
if ( is_array( $include ) )
$include = implode( ',', $include );
$include = $wpdb->escape( $include );
$include = wp_parse_id_list( $r['include'] );
$include = $wpdb->escape( implode( ',', $include ) );
$sql['include'] = " AND g.id IN ({$include})";
}
if ( !empty( $exclude ) ) {
if ( is_array( $exclude ) )
$exclude = implode( ',', $exclude );
$exclude = $wpdb->escape( $exclude );
$exclude = wp_parse_id_list( $r['exclude'] );
$exclude = $wpdb->escape( implode( ',', $exclude ) );
$sql['exclude'] = " AND g.id NOT IN ({$exclude})";
}
......@@ -479,17 +478,18 @@ class BP_Groups_Group {
$hidden_sql = " AND g.status != 'hidden'";
if ( !empty( $search_terms ) ) {
$search_terms = like_escape( $wpdb->escape( $search_terms ) );
$search_terms = esc_sql( like_escape( $search_terms ) );
$search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
}
if ( !empty( $exclude ) ) {
$exclude = $wpdb->escape( $exclude );
$exclude = wp_parse_id_list( $exclude );
$exclude = $wpdb->escape( implode( ',', $exclude ) );
$exclude_sql = " AND g.id NOT IN ({$exclude})";
}
if ( !empty( $user_id ) ) {
$user_id = $wpdb->escape( $user_id );
$user_id = absint( $wpdb->escape( $user_id ) );
$paged_groups = $wpdb->get_results( "SELECT DISTINCT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY f.topics DESC {$pag_sql}" );
$total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql}" );
} else {
......@@ -520,12 +520,13 @@ class BP_Groups_Group {
$hidden_sql = " AND g.status != 'hidden'";
if ( !empty( $search_terms ) ) {
$search_terms = like_escape( $wpdb->escape( $search_terms ) );
$search_terms = esc_sql( like_escape( $search_terms ) );
$search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
}
if ( !empty( $exclude ) ) {
$exclude = $wpdb->escape( $exclude );
$exclude = wp_parse_id_list( $exclude );
$exclude = $wpdb->escape( implode( ',', $exclude ) );
$exclude_sql = " AND g.id NOT IN ({$exclude})";
}
......@@ -562,14 +563,15 @@ class BP_Groups_Group {
}
if ( !empty( $exclude ) ) {
$exclude = $wpdb->escape( $exclude );
$exclude = wp_parse_id_list( $exclude );
$exclude = $wpdb->escape( implode( ',', $exclude ) );
$exclude_sql = " AND g.id NOT IN ({$exclude})";
}
if ( !bp_current_user_can( 'bp_moderate' ) )
$hidden_sql = " AND status != 'hidden'";
$letter = like_escape( $wpdb->escape( $letter ) );
$letter = esc_sql( like_escape( $letter ) );
if ( !empty( $limit ) && !empty( $page ) ) {
$pag_sql = $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) );
......@@ -601,12 +603,13 @@ class BP_Groups_Group {
$hidden_sql = "AND g.status != 'hidden'";
if ( !empty( $search_terms ) ) {
$search_terms = like_escape( $wpdb->escape( $search_terms ) );
$search_terms = esc_sql( like_escape( $search_terms ) );
$search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
}
if ( !empty( $exclude ) ) {
$exclude = $wpdb->escape( $exclude );
$exclude = wp_parse_id_list( $exclude );
$exclude = $wpdb->escape( implode( ',', $exclude ) );
$exclude_sql = " AND g.id NOT IN ({$exclude})";
}
......@@ -634,6 +637,9 @@ class BP_Groups_Group {
if ( empty( $group_ids ) )
return $paged_groups;
// Sanitize group IDs
$group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
// Fetch the logged in users status within each group
$user_status = $wpdb->get_col( $wpdb->prepare( "SELECT group_id FROM {$bp->groups->table_name_members} WHERE user_id = %d AND group_id IN ( {$group_ids} ) AND is_confirmed = 1 AND is_banned = 0", bp_loggedin_user_id() ) );
for ( $i = 0, $count = count( $paged_groups ); $i < $count; ++$i ) {
......@@ -735,8 +741,8 @@ class BP_Groups_Group {
$sql['from'] = "FROM {$bbdb->topics} AS t INNER JOIN {$bp->groups->table_name_groupmeta} AS gm ON t.forum_id = gm.meta_value INNER JOIN {$bp->groups->table_name} AS g ON gm.group_id = g.id";
$sql['where'] = "WHERE gm.meta_key = 'forum_id' {$status_sql} AND t.topic_status = '0' AND t.topic_sticky != '2'";
if ( $search_terms ) {
$st = like_escape( $search_terms );
if ( !empty( $search_terms ) ) {
$st = esc_sql( like_escape( $search_terms ) );
$sql['where'] .= " AND ( t.topic_title LIKE '%{$st}%' )";
}