<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[BuddyPress][7337] branches/1.8: Use esc_sql() instead of $wpdb->escape() throughout</title>
</head>
<body>

<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://buddypress.trac.wordpress.org/changeset/7337">7337</a></dd>
<dt>Author</dt> <dd>boonebgorges</dd>
<dt>Date</dt> <dd>2013-08-05 14:41:51 +0000 (Mon, 05 Aug 2013)</dd>
</dl>

<h3>Log Message</h3>
<pre>Use esc_sql() instead of $wpdb->escape() throughout

WordPress 3.6 deprecated the use of $wpdb->escape() for sanitizing SQL
query fragments, in favor of the rewritten esc_sql(). This changeset
makes the appropriate changes throughout BuddyPress.

In a few places, this changeset also removes redundant sanitization, in
particular when using wp_parse_id_list().

Also adds a unit test for a touched method (BP_User_Query, when using
the 'exclude' parameter).

Fixes <a href="http://buddypress.trac.wordpress.org/ticket/5100">#5100</a>

Props needle</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branches18bpactivitybpactivityclassesphp">branches/1.8/bp-activity/bp-activity-classes.php</a></li>
<li><a href="#branches18bpactivitybpactivityfunctionsphp">branches/1.8/bp-activity/bp-activity-functions.php</a></li>
<li><a href="#branches18bpblogsbpblogsfunctionsphp">branches/1.8/bp-blogs/bp-blogs-functions.php</a></li>
<li><a href="#branches18bpcorebpcoreclassesphp">branches/1.8/bp-core/bp-core-classes.php</a></li>
<li><a href="#branches18bpforumsbpforumsfunctionsphp">branches/1.8/bp-forums/bp-forums-functions.php</a></li>
<li><a href="#branches18bpgroupsbpgroupsclassesphp">branches/1.8/bp-groups/bp-groups-classes.php</a></li>
<li><a href="#branches18bpgroupsbpgroupsfunctionsphp">branches/1.8/bp-groups/bp-groups-functions.php</a></li>
<li><a href="#branches18bpmessagesbpmessagesclassesphp">branches/1.8/bp-messages/bp-messages-classes.php</a></li>
<li><a href="#branches18bpxprofilebpxprofilefunctionsphp">branches/1.8/bp-xprofile/bp-xprofile-functions.php</a></li>
<li><a href="#branches18teststestcasescoreclassbpuserqueryphp">branches/1.8/tests/testcases/core/class-bp-user-query.php</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branches18bpactivitybpactivityclassesphp"></a>
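--- a/branches/1.8/bp-activity/bp-activity-classes.php
+++ b/branches/1.8/bp-activity/bp-activity-classes.php
@@ -172,7 +172,7 @@
 
          // Searching
          if ( $search_terms ) {
-                       $search_terms = $wpdb->escape( $search_terms );
+                        $search_terms = esc_sql( $search_terms );
                   $where_conditions['search_sql'] = "a.content LIKE '%%" . esc_sql( like_escape( $search_terms ) ) . "%%'";
          }
 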
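Review bot: The new `$search_terms = esc_sql( $search_terms );` is redundant, because the very next line already applies `esc_sql( like_escape( $search_terms ) )`, so the term is SQL-escaped twice and the first pass runs before like_escape() rather than after it as WordPress documents. Whether the doubled backslashes change what LIKE matches depends on how MySQL treats backslashes inside a LIKE pattern, but the double call is at minimum the same redundant sanitization this commit strips from the id lists; I would delete the added line and keep only `$where_conditions['search_sql'] = "a.content LIKE '%%" . esc_sql( like_escape( $search_terms ) ) . "%%'";`. The enclosing method starts and ends outside the hunk, so I cannot see whether `$search_terms` arrives unslashed or whether the `%%` is later collapsed by `$wpdb->prepare()`.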
<a id="branches18bpactivitybpactivityfunctionsphp"></a>
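--- a/branches/1.8/bp-activity/bp-activity-functions.php
+++ b/branches/1.8/bp-activity/bp-activity-functions.php
@@ -685,7 +685,7 @@
 
  // Sanitize value
  if ( is_string( $meta_value ) )
-               $meta_value = stripslashes( $wpdb->escape( $meta_value ) );
+                $meta_value = stripslashes( esc_sql( $meta_value ) );
 
  // Maybe, just maybe... serialize
  $meta_value = maybe_serialize( $meta_value );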
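Review bot: `stripslashes( esc_sql( $meta_value ) )` is not the harmless round trip it was with `$wpdb->escape()`: the deprecated method was addslashes()-based, which stripslashes() inverts exactly, whereas esc_sql() in WP 3.6 is backed by mysql_real_escape_string() when a connection is open, and that also rewrites a newline as `\n` and a CR as `\r`, which stripslashes() then reduces to a bare `n` and `r`. If that is the case here, a multi-line string meta value is silently corrupted before maybe_serialize(), a regression this commit introduces under a comment that says `// Sanitize value`. Since escape-then-unslash never provided SQL protection, I would delete the `if ( is_string( $meta_value ) )` pair and rely on `$wpdb->prepare()` or `$wpdb->update()` at the write site, which lies outside this hunk and which I cannot confirm from here. The enclosing function continues outside the hunk.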
<a id="branches18bpblogsbpblogsfunctionsphp"></a>
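--- a/branches/1.8/bp-blogs/bp-blogs-functions.php
+++ b/branches/1.8/bp-blogs/bp-blogs-functions.php
@@ -708,7 +708,7 @@
  $meta_key = preg_replace( '|[^a-z0-9_]|i', '', $meta_key );
 
  if ( is_string($meta_value) )
-               $meta_value = stripslashes($wpdb->escape($meta_value));
+                $meta_value = stripslashes( esc_sql( $meta_value ) );
 
  $meta_value = maybe_serialize($meta_value);
 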
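Review bot: Swapping `$wpdb->escape()` for esc_sql() inside `stripslashes( … )` changes the data, not just the API: the old method used addslashes(), whose output stripslashes() restores exactly, while esc_sql() in WP 3.6 delegates to mysql_real_escape_string() on a live connection, which additionally encodes newline and CR as `\n` and `\r`; stripslashes() then leaves `n` and `r` in the stored blog meta. That escape/unslash pair gave no SQL protection before and corrupts multi-line strings now, so I would remove the `if ( is_string($meta_value) )` line and its body and let the write query (outside this hunk) bind the value through `$wpdb->prepare()` or `$wpdb->update()`; I cannot see from here which it uses. The enclosing function starts and ends outside the hunk.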
<a id="branches18bpcorebpcoreclassesphp"></a>
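--- a/branches/1.8/bp-core/bp-core-classes.php
+++ b/branches/1.8/bp-core/bp-core-classes.php
@@ -324,8 +324,7 @@
 
          // 'exclude' - User ids to exclude from the results
          if ( false !== $exclude ) {
-                       $exclude        = wp_parse_id_list( $exclude );
-                       $exclude_ids    = $wpdb->escape( implode( ',', (array) $exclude ) );
+                        $exclude_ids    = implode( ',', wp_parse_id_list( $exclude ) );
                   $sql['where'][] = "u.{$this->uid_name} NOT IN ({$exclude_ids})";
          }
 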
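Review bot: Dropping the escape is safe because wp_parse_id_list() absint()s every element, but the new line still builds `NOT IN ()` when the list comes out empty: the guard is `false !== $exclude`, so an empty array passes it, wp_parse_id_list() returns an empty array, `$exclude_ids` is `''` and MySQL rejects the query. I would check the joined string before adding the clause, `if ( '' !== $exclude_ids ) { $sql['where'][] = "u.{$this->uid_name} NOT IN ({$exclude_ids})"; }`. The surrounding method and the default of `$exclude` are outside the hunk, so whether callers can actually pass an empty list is an inference.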
<a id="branches18bpforumsbpforumsfunctionsphp"></a>
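--- a/branches/1.8/bp-forums/bp-forums-functions.php
+++ b/branches/1.8/bp-forums/bp-forums-functions.php
@@ -456,7 +456,7 @@
 
  // Get the topic ids
  foreach ( (array) $topics as $topic ) $topic_ids[] = $topic->topic_id;
-       $topic_ids = $wpdb->escape( join( ',', (array) $topic_ids ) );
+        $topic_ids = implode( ',', wp_parse_id_list( $topic_ids ) );
 
  // Fetch the topic's last poster details
  $poster_details = $wpdb->get_results( "SELECT t.topic_id, t.topic_last_poster, u.user_login, u.user_nicename, u.user_email, u.display_name FROM {$wpdb->users} u, {$bbdb->topics} t WHERE u.ID = t.topic_last_poster AND t.topic_id IN ( {$topic_ids} )" );
@@ -590,7 +590,7 @@
 
  // Get the user ids
  foreach ( (array) $posts as $post ) $user_ids[] = $post->poster_id;
-       $user_ids = $wpdb->escape( join( ',', (array) $user_ids ) );
+        $user_ids = implode( ',', wp_parse_id_list( $user_ids ) );
 
  // Fetch the poster's user_email, user_nicename and user_login
  $poster_details = $wpdb->get_results( "SELECT u.ID as user_id, u.user_login, u.user_nicename, u.user_email, u.display_name FROM {$wpdb->users} u WHERE u.ID IN ( {$user_ids} )" );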
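Review bot: `$topic_ids` is never initialised, so when `$topics` is empty the foreach assigns nothing and wp_parse_id_list() receives an undefined variable; preg_split() on that yields one empty element, absint() turns it into `0`, and the query still runs as `t.topic_id IN ( 0 )` (with an undefined-variable notice), which the removed `(array)` cast used to paper over. I would add `$topic_ids = array();` before the foreach and skip the get_results() call when the list is empty; the second hunk has the same shape with `$user_ids`. The escape removal itself is fine, since wp_parse_id_list() reduces the list to integers before interpolation. Both enclosing functions start and end outside the hunks, so the right early-return value is not visible here.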
<a id="branches18bpgroupsbpgroupsclassesphp"></a>
<div class="modfile"><h4>Modified: branches/1.8/bp-groups/bp-groups-classes.php (7336 => 7337)</h4>
<pre class="diff"><span>
<span class="info">--- branches/1.8/bp-groups/bp-groups-classes.php     2013-08-05 14:13:08 UTC (rev 7336)
+++ branches/1.8/bp-groups/bp-groups-classes.php        2013-08-05 14:41:51 UTC (rev 7337)
</span><span class="lines">@@ -392,14 +392,12 @@
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="cx">          if ( ! empty( $r['include'] ) ) {
</span><del>-                       $include        = wp_parse_id_list( $r['include'] );
-                       $include        = $wpdb->escape( implode( ',', $include ) );
</del><ins>+                        $include        = implode( ',', wp_parse_id_list( $r['include'] ) );
</ins><span class="cx">                   $sql['include'] = " AND g.id IN ({$include})";
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="cx">          if ( ! empty( $r['exclude'] ) ) {
</span><del>-                       $exclude        = wp_parse_id_list( $r['exclude'] );
-                       $exclude        = $wpdb->escape( implode( ',', $exclude ) );
</del><ins>+                        $exclude        = implode( ',', wp_parse_id_list( $r['exclude'] ) );
</ins><span class="cx">                   $sql['exclude'] = " AND g.id NOT IN ({$exclude})";
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="lines">@@ -506,7 +504,7 @@
</span><span class="cx"> 
</span><span class="cx">          // Populate some extra information instead of querying each time in the loop
</span><span class="cx">          if ( !empty( $r['populate_extras'] ) ) {
</span><del>-                       $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
</del><ins>+                        $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
</ins><span class="cx">                   $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, $r['type'] );
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="lines">@@ -675,13 +673,12 @@
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $exclude ) ) {
</span><del>-                       $exclude     = wp_parse_id_list( $exclude );
-                       $exclude     = $wpdb->escape( implode( ',', $exclude ) );
</del><ins>+                        $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
</ins><span class="cx">                   $exclude_sql = " AND g.id NOT IN ({$exclude})";
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $user_id ) ) {
</span><del>-                       $user_id      = absint( $wpdb->escape( $user_id ) );
</del><ins>+                        $user_id      = absint( esc_sql( $user_id ) );
</ins><span class="cx">                   $paged_groups = $wpdb->get_results( "SELECT DISTINCT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY f.topics DESC {$pag_sql}" );
</span><span class="cx">                  $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql}" );
</span><span class="cx">          } else {
</span><span class="lines">@@ -691,7 +688,7 @@
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $populate_extras ) ) {
</span><span class="cx">                  foreach ( (array) $paged_groups as $group ) $group_ids[] = $group->id;
</span><del>-                       $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
</del><ins>+                        $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
</ins><span class="cx">                   $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="lines">@@ -717,13 +714,12 @@
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $exclude ) ) {
</span><del>-                       $exclude     = wp_parse_id_list( $exclude );
-                       $exclude     = $wpdb->escape( implode( ',', $exclude ) );
</del><ins>+                        $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
</ins><span class="cx">                   $exclude_sql = " AND g.id NOT IN ({$exclude})";
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $user_id ) ) {
</span><del>-                       $user_id = $wpdb->escape( $user_id );
</del><ins>+                        $user_id = esc_sql( $user_id );
</ins><span class="cx">                   $paged_groups = $wpdb->get_results( "SELECT DISTINCT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY f.posts ASC {$pag_sql}" );
</span><span class="cx">                  $total_groups = $wpdb->get_results( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.posts > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} " );
</span><span class="cx">          } else {
</span><span class="lines">@@ -733,7 +729,7 @@
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $populate_extras ) ) {
</span><span class="cx">                  foreach ( (array) $paged_groups as $group ) $group_ids[] = $group->id;
</span><del>-                       $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
</del><ins>+                        $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
</ins><span class="cx">                   $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="lines">@@ -755,8 +751,7 @@
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $exclude ) ) {
</span><del>-                       $exclude     = wp_parse_id_list( $exclude );
-                       $exclude     = $wpdb->escape( implode( ',', $exclude ) );
</del><ins>+                        $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
</ins><span class="cx">                   $exclude_sql = " AND g.id NOT IN ({$exclude})";
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="lines">@@ -776,7 +771,7 @@
</span><span class="cx">                  foreach ( (array) $paged_groups as $group ) {
</span><span class="cx">                          $group_ids[] = $group->id;
</span><span class="cx">                  }
</span><del>-                       $group_ids    = $wpdb->escape( join( ',', (array) $group_ids ) );
</del><ins>+                        $group_ids    = implode( ',', wp_parse_id_list( $group_ids ) );
</ins><span class="cx">                   $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="lines">@@ -801,12 +796,12 @@
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $exclude ) ) {
</span><span class="cx">                  $exclude     = wp_parse_id_list( $exclude );
</span><del>-                       $exclude     = $wpdb->escape( implode( ',', $exclude ) );
</del><ins>+                        $exclude     = esc_sql( implode( ',', $exclude ) );
</ins><span class="cx">                   $exclude_sql = " AND g.id NOT IN ({$exclude})";
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $user_id ) ) {
</span><del>-                       $user_id = $wpdb->escape( $user_id );
</del><ins>+                        $user_id = esc_sql( $user_id );
</ins><span class="cx">                   $paged_groups = $wpdb->get_results( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY rand() {$pag_sql}" );
</span><span class="cx">                  $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT m.group_id) FROM {$bp->groups->table_name_members} m LEFT JOIN {$bp->groups->table_name_groupmeta} gm ON m.group_id = gm.group_id INNER JOIN {$bp->groups->table_name} g ON m.group_id = g.id WHERE gm.meta_key = 'last_activity'{$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql}" );
</span><span class="cx">          } else {
</span><span class="lines">@@ -816,7 +811,7 @@
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $populate_extras ) ) {
</span><span class="cx">                  foreach ( (array) $paged_groups as $group ) $group_ids[] = $group->id;
</span><del>-                       $group_ids = $wpdb->escape( join( ',', (array) $group_ids ) );
</del><ins>+                        $group_ids = implode( ',', wp_parse_id_list( $group_ids ) );
</ins><span class="cx">                   $paged_groups = BP_Groups_Group::get_group_extras( $paged_groups, $group_ids, 'newest' );
</span><span class="cx">          }
</span><span class="cx"> 
</span><span class="lines">@@ -1511,8 +1506,7 @@
</span><span class="cx">          $pag_sql = ( !empty( $limit ) && !empty( $page ) ) ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ) : '';
</span><span class="cx"> 
</span><span class="cx">          if ( !empty( $exclude ) ) {
</span><del>-                       $exclude     = wp_parse_id_list( $exclude );
-                       $exclude     = $wpdb->escape( implode( ',', $exclude ) );
</del><ins>+                        $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
</ins><span class="cx">                   $exclude_sql = " AND g.id NOT IN ({$exclude})";
</span><span class="cx">          } else {
</span><span class="cx">                  $exclude_sql = '';
</span><span class="lines">@@ -1673,8 +1667,7 @@
</span><span class="cx"> 
</span><span class="cx">          $exclude_sql = '';
</span><span class="cx">          if ( !empty( $exclude ) ) {
</span><del>-                       $exclude     = wp_parse_id_list( $exclude );
-                       $exclude     = $wpdb->escape( implode( ',', $exclude ) );
</del><ins>+                        $exclude     = implode( ',', wp_parse_id_list( $exclude ) );
</ins><span class="cx">                   $exclude_sql = " AND m.user_id NOT IN ({$exclude})";
</span><span class="cx">          }
</span><span class="cx"> 
</span></span></pre></div>
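Review bot: `$user_id = esc_sql( $user_id );` in the `@@ -717` and `@@ -801` hunks is the wrong sanitizer for how the value is used: both queries interpolate it unquoted as `m.user_id = {$user_id}`, and esc_sql() only escapes quote and backslash characters, so a value such as `1 OR 1=1` passes through untouched. The `@@ -675` hunk already does `absint( esc_sql( $user_id ) )`; all three should be `$user_id = absint( $user_id );` (the esc_sql() is redundant once the value is an integer) unless every caller is known to pass an integer, which is not visible from these hunks. The `$exclude = esc_sql( implode( ',', $exclude ) );` in the `@@ -801` hunk is also the escape-after-wp_parse_id_list() pattern the rest of this file drops in the same commit. All of these hunks sit inside methods whose bodies start and end outside the diff.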
<a id="branches18bpgroupsbpgroupsfunctionsphp"></a>
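--- a/branches/1.8/bp-groups/bp-groups-functions.php
+++ b/branches/1.8/bp-groups/bp-groups-functions.php
@@ -1045,7 +1045,7 @@
  $meta_key = preg_replace( '|[^a-z0-9_]|i', '', $meta_key );
 
  if ( is_string( $meta_value ) )
-               $meta_value = stripslashes( $wpdb->escape( $meta_value ) );
+                $meta_value = stripslashes( esc_sql( $meta_value ) );
 
  $meta_value = maybe_serialize( $meta_value );
 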
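Review bot: `stripslashes( esc_sql( $meta_value ) )` is no longer a no-op once esc_sql() is backed by mysql_real_escape_string(), as it is in WP 3.6 on a live connection: a newline becomes `\n` and stripslashes() then yields the letter `n`, so multi-line group meta strings are corrupted, whereas the addslashes()-based `$wpdb->escape()` this replaces round-tripped exactly. The line never escaped anything for the query either way, so I would drop the `if ( is_string( $meta_value ) )` branch and bind `$meta_value` with `$wpdb->prepare()` or `$wpdb->update()` where it is written, which is outside this hunk and which I cannot verify from here. The enclosing function starts and ends outside the hunk.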
<a id="branches18bpmessagesbpmessagesclassesphp"></a>
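--- a/branches/1.8/bp-messages/bp-messages-classes.php
+++ b/branches/1.8/bp-messages/bp-messages-classes.php
@@ -149,7 +149,7 @@
                  $type_sql = " AND r.unread_count = 0 ";
 
          if ( !empty( $search_terms ) ) {
-                       $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+                        $search_terms = like_escape( esc_sql( $search_terms ) );
                   $search_sql   = "AND ( subject LIKE '%%$search_terms%%' OR message LIKE '%%$search_terms%%' )";
          }
 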
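Review bot: `like_escape( esc_sql( $search_terms ) )` escapes in the opposite order from the bp-activity-classes.php hunk in this same commit, which uses `esc_sql( like_escape( $search_terms ) )`, the order WordPress documents so that the backslashes like_escape() inserts before `%` and `_` are themselves SQL-escaped instead of relying on MySQL keeping `\%` and `\_` verbatim inside a string literal. I would switch this line to `$search_terms = esc_sql( like_escape( $search_terms ) );` for consistency and robustness. The method starts and ends outside the hunk, so whether `$search_sql` is later passed through `$wpdb->prepare()` (the `%%` suggests it) is not visible here.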
<a id="branches18bpxprofilebpxprofilefunctionsphp"></a>
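--- a/branches/1.8/bp-xprofile/bp-xprofile-functions.php
+++ b/branches/1.8/bp-xprofile/bp-xprofile-functions.php
@@ -589,7 +589,7 @@
  $meta_key = preg_replace( '|[^a-z0-9_]|i', '', $meta_key );
 
  if ( is_string( $meta_value ) )
-               $meta_value = stripslashes( $wpdb->escape( $meta_value ) );
+                $meta_value = stripslashes( esc_sql( $meta_value ) );
 
  $meta_value = maybe_serialize( $meta_value );
 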
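Review bot: The escape/unslash pair `stripslashes( esc_sql( $meta_value ) )` stops being an identity with this change: `$wpdb->escape()` used addslashes(), which stripslashes() undoes exactly, but esc_sql() in WP 3.6 calls mysql_real_escape_string() on a live connection and so also encodes newline and CR as `\n` and `\r`, which stripslashes() collapses to `n` and `r` in the stored xprofile meta. Because the pair never escaped anything for the actual query, I would remove the `if ( is_string( $meta_value ) )` line and its body and have the write query, which is outside this hunk, bind the value via `$wpdb->prepare()` or `$wpdb->update()`; I cannot confirm from here which it uses. The enclosing function starts and ends outside the hunk.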
<a id="branches18teststestcasescoreclassbpuserqueryphp"></a>
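--- a/branches/1.8/tests/testcases/core/class-bp-user-query.php
+++ b/branches/1.8/tests/testcases/core/class-bp-user-query.php
@@ -200,4 +200,26 @@
 
          $this->assertEquals( $user_id, $found_user_id );
  }
+
+       /**
+        * @group exclude
+        */
+       public function test_bp_user_query_with_exclude() {
+               // Grab list of existing users who should also be excluded
+               global $wpdb;
+               $existing_users = $wpdb->get_col( "SELECT ID FROM {$wpdb->users}" );
+
+               $u1 = $this->create_user();
+               $u2 = $this->create_user();
+
+               $exclude = array_merge( array( $u1 ), $existing_users );
+               $q = new BP_User_Query( array( 'exclude' => $exclude, ) );
+
+               $found_user_ids = null;
+               if ( ! empty( $q->results ) ) {
+                       $found_user_ids = array_values( wp_parse_id_list( wp_list_pluck( $q->results, 'ID' ) ) );
+               }
+
+               $this->assertEquals( array( $u2 ), $found_user_ids );
+       }
 }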
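Review bot: The new test only exercises a populated exclude list; the `NOT IN ({$exclude_ids})` clause this commit touches in BP_User_Query also has an empty-list path (`exclude => array()` passes the `false !== $exclude` guard and yields `NOT IN ()`) that stays untested. I would add a second case, `$q = new BP_User_Query( array( 'exclude' => array() ) );` followed by an assertion that `$q->results` still contains `$u1` and `$u2`, so the query-building edge is pinned rather than inferred. Starting `$found_user_ids` from `array()` instead of `null` would also make a no-results failure read as an empty list rather than a type mismatch.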
</div>

</body>
</html>