[buddypress-trac] [BuddyPress] #4992: Sanitization improvements to BP_Core_User methods
buddypress-trac
noreply at wordpress.org
Wed May 8 20:22:55 UTC 2013
#4992: Sanitization improvements to BP_Core_User methods
-----------------------------+--------------------
Reporter: johnjamesjacoby | Owner:
Type: defect (bug) | Status: new
Priority: highest | Milestone: 1.7.2
Component: Core | Version: 1.2
Severity: critical | Resolution:
Keywords: has-patch |
-----------------------------+--------------------
Comment (by boonebgorges):
Thanks, guys. I've reviewed the two patches. There were one or two places
where each of you caught something that the other hadn't, so it's nice to
have many eyes.
For the sake of standardization, I've gone with the following strategy and
syntax for sanitizing integer lists for use in a query:
{{{
$include = implode( ',', wp_parse_id_list( $include ) );
}}}
- one line, easy to read
- No need to run through esc_sql(). All that does is addslashes()
(`wpdb::_weak_escape()`). The return value of `wp_parse_id_list()` will
always be an array of positive integers, so imploding them with commas
will never result in anything that needs to be slashed (single quotes,
double quotes, backslash, null character).
I'm also including, in the trunk commit, a number of tests for the more
delicate of the database classes.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/4992#comment:2>
BuddyPress <http://buddypress.org/>
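Added illustration (not BuddyPress or WordPress code, and not part of the ticket): a stand-alone PHP script that mirrors the observable behaviour of wp_parse_id_list() in a hypothetical helper named demo_parse_id_list(), then builds the comma-joined list exactly as the comment above standardises on, and checks each result against the character set the comment says can never appear. It also surfaces two caveats a caller should know: non-numeric junk collapses to 0 rather than disappearing, and an empty input yields an empty string, which would produce invalid "IN ()" SQL if interpolated blindly.

```php
<?php
// Added example, not BuddyPress/WordPress code. demo_parse_id_list() is a
// hypothetical stand-in that reproduces what wp_parse_id_list() does
// (split on commas/whitespace, absint() each item, drop duplicates) so the
// script runs without WordPress loaded.
function demo_parse_id_list( $list ) {
    if ( ! is_array( $list ) ) {
        $list = preg_split( '/[\s,]+/', trim( (string) $list ), -1, PREG_SPLIT_NO_EMPTY );
    }
    // absint() equivalent: intval() then abs(), so "2')" becomes 2 and "OR" becomes 0.
    $ids = array_map( function ( $v ) { return abs( (int) $v ); }, $list );
    return array_values( array_unique( $ids ) );
}

// The exact idiom from the ticket: one line, no esc_sql() needed.
function demo_in_list( $include ) {
    return implode( ',', demo_parse_id_list( $include ) );
}

// Only digits and commas may ever come out; an empty string is also possible.
function demo_is_digit_list( $s ) {
    return $s === '' || preg_match( '/^\d+(,\d+)*$/', $s ) === 1;
}

// Constructed sample inputs: well-formed, sloppy, and deliberately malformed.
$samples = array(
    'integer array'  => array( 3, 7, 7, 12 ),
    'comma string'   => '1, 2,3',
    'quoted junk'    => "1,2') OR '1'='1",
    'negative/float' => array( -5, '4.9', '0x1A' ),
    'empty input'    => '',
);

foreach ( $samples as $label => $input ) {
    $out = demo_in_list( $input );
    printf( "%-15s => %-12s %s\n",
        $label,
        var_export( $out, true ),
        demo_is_digit_list( $out ) ? 'safe to interpolate' : 'UNEXPECTED' );
    if ( $out === '' ) {
        // Caveat: "WHERE id IN ()" is invalid SQL; guard before building the query.
        echo "                   (empty list: skip the IN clause entirely)\n";
    }
}
```

Running it shows "1,2') OR '1'='1" reduced to 1,2,0: the quote and the boolean tail never reach the query, but the 0 does, so code that treats 0 as "no ID" should filter it out before imploding, and every caller needs the empty-list guard before dropping the string into an IN clause.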