[buddypress-trac] [BuddyPress] #4758: bp_forums_reply_exists misses to escape in db query

buddypress-trac noreply at wordpress.org
Wed Jan 9 13:44:38 UTC 2013


#4758: bp_forums_reply_exists misses to escape in db query
--------------------------+-----------------------------
 Reporter:  wpdennis      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Forums        |    Version:  1.6.1
 Severity:  major         |   Keywords:  dev-feedback
--------------------------+-----------------------------
 The function ''bp_forums_reply_exists'' adds a filter to
 ''get_posts_where'' without escaping the specified value:

 {{{
 // BB_Query's post_text parameter does a MATCH, while we need exact matches
 add_filter( 'get_posts_where', create_function( '$q', 'return $q . " AND p.post_text = \'' . $text . '\'";' ) );
 }}}

 In http://buddypress.trac.wordpress.org/browser/trunk/bp-forums/bp-forums-functions.php on line 366.

 Since it's a public function it seems to be a security risk. I found it
 because a post ending with the smiley ":\" will throw a mysql error (the
 backslash escapes the ' in the query).

 Suggestion for escaping:

 {{{
 global $wpdb;
 add_filter( 'get_posts_where', create_function( '$q', 'return $q . " AND p.post_text = \'' . $wpdb->escape($text) . '\'";' ) );
 }}}
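 The following stand-alone script is an added illustration of the failure described in this ticket and of the suggested escaping; it is not BuddyPress code. It assumes nothing from WordPress: the two `where_*` functions stand in for the filter callback, `addslashes()` stands in for `$wpdb->escape()` (both escape the quote and backslash characters), and `literals_terminated()` is a small hand-written check that walks the fragment with MySQL's quoting rules (backslash escapes the next character, `''` is a literal quote) and reports whether every string literal is closed.

```php
<?php
// Added example, not BuddyPress code. Shows why a value that ends in a
// backslash breaks the WHERE fragment built by the get_posts_where filter
// when it is concatenated raw, and why escaping it first restores a
// parseable statement. addslashes() is used here in place of $wpdb->escape().

// Fragment built the way the ticket's callback does it: raw value inside quotes.
function where_raw(string $q, string $text): string {
    return $q . " AND p.post_text = '" . $text . "'";
}

// Same fragment, but the value is escaped before it is placed inside the quotes.
function where_escaped(string $q, string $text): string {
    return $q . " AND p.post_text = '" . addslashes($text) . "'";
}

// Minimal lexer for MySQL single-quoted literals (assumption: default
// sql_mode, where backslash is an escape character and '' is a quoted quote).
// Returns true when every literal in $sql is terminated, i.e. the fragment
// would at least parse; false means the quoting has been broken.
function literals_terminated(string $sql): bool {
    $in_literal = false;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if (!$in_literal) {
            if ($c === "'") {
                $in_literal = true;
            }
            continue;
        }
        if ($c === '\\') {        // backslash: the next character is escaped
            $i++;
            continue;
        }
        if ($c === "'") {
            if ($i + 1 < $len && $sql[$i + 1] === "'") { // '' inside a literal
                $i++;
                continue;
            }
            $in_literal = false;  // closing quote
        }
    }
    return !$in_literal;
}

// Constructed sample input: a post text ending in the ":\" smiley from the ticket.
$base = "p.topic_id = 5";
$text = "nice one :\\";

$raw = where_raw($base, $text);
$esc = where_escaped($base, $text);

printf("raw:     %s  -> %s\n", $raw, literals_terminated($raw) ? "ok" : "UNTERMINATED");
printf("escaped: %s  -> %s\n", $esc, literals_terminated($esc) ? "ok" : "UNTERMINATED");
```

 Run with `php example.php`: the raw fragment ends in `:\'`, so the backslash swallows the closing quote and the literal is reported as unterminated, which is the MySQL error the reporter hit; the escaped fragment ends in `:\\'` and parses. In WordPress code the same effect is obtained more idiomatically with `$wpdb->prepare()` and a `%s` placeholder, which escapes and quotes the value for you.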

-- 
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/4758>
BuddyPress <http://buddypress.org/>