[buddypress-trac] [BuddyPress Trac] #5796: Invalid or empty page_arg results in no-limit queries
buddypress-trac
noreply at wordpress.org
Tue Aug 5 05:57:16 UTC 2014
#5796: Invalid or empty page_arg results in no-limit queries
-------------------------------------+------------------
Reporter: johnjamesjacoby | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.1
Component: All Components | Version:
Severity: major | Resolution:
Keywords: needs-patch 2nd-opinion |
-------------------------------------+------------------
Comment (by johnjamesjacoby):
At a cursory glance, our `intval( $_REQUEST[$page_arg] )` checks are not
enough here. `intval()` sets an invalid result to `0`, and `0` assumes
unlimited results are being requested.
While I can think of reasons why this might be useful, it's problematic on
large sites where querying for all content will either lock up the
database or OOM PHP.
I recommend we put `empty()` checks in our `_Template` classes for our
`page_arg` values, and force them back to 1 (or the `$page` default
argument). This way our core functions and classes remain untouched and
querying for unlimited results is still possible, and we only prevent
users from passing invalid arguments around.
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5796#comment:1>
BuddyPress Trac <http://buddypress.org/>
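The failure mode and the proposed fix, as an added example that is not BuddyPress code and not the reporter's patch. The `upage` argument name and the `build_limit_clause()` helper are assumptions made for the demonstration; the helper stands in for a template class that treats a page of `0` as "no limit", which is the behaviour the ticket describes. The `max()` call goes one step beyond the comment: `empty()` alone lets a negative page through, so the checked version also clamps to at least 1.

```php
<?php
// Added example, not BuddyPress code. Shows how intval() turns an invalid
// page argument into 0, and how a 0 page becomes a no-limit query.
// All $_REQUEST-style values below are constructed for the demonstration.

// Hypothetical query helper (assumption): a page of 0 means "every row",
// which is the no-limit behaviour the ticket warns about.
function build_limit_clause( $page, $per_page = 20 ) {
    if ( 0 === (int) $page ) {
        return '';                                 // no LIMIT clause at all
    }
    $offset = ( (int) $page - 1 ) * $per_page;
    return sprintf( 'LIMIT %d, %d', $offset, $per_page );
}

// Before: intval() alone. 'abc', '' and 'x1' all become 0.
function page_from_request_intval( array $request, $page_arg = 'upage' ) {
    return isset( $request[ $page_arg ] ) ? intval( $request[ $page_arg ] ) : 1;
}

// After: the empty() check the comment recommends, forcing the value back to
// the $page default when the argument is missing, empty or non-numeric.
// Note that empty( '0' ) is true in PHP, so a literal "0" is caught too.
// max() is an extra step not in the comment: it also rejects negative pages.
function page_from_request_checked( array $request, $page_arg = 'upage', $page = 1 ) {
    if ( empty( $request[ $page_arg ] ) ) {
        return $page;
    }
    $value = intval( $request[ $page_arg ] );
    return empty( $value ) ? $page : max( 1, $value );
}

// Constructed sample inputs: a valid page, a non-numeric string, an empty
// string, a literal zero and a negative number.
$samples = array( '3', 'abc', '', '0', '-2' );
foreach ( $samples as $raw ) {
    $request = array( 'upage' => $raw );
    printf(
        "%-6s intval-only -> %-14s checked -> %s\n",
        var_export( $raw, true ),
        build_limit_clause( page_from_request_intval( $request ) ) ?: '(no limit)',
        build_limit_clause( page_from_request_checked( $request ) )
    );
}
```

Run it with `php example.php`: the intval-only column shows `(no limit)` for `'abc'`, `''` and `'0'`, and a nonsensical negative offset for `'-2'`, while the checked column falls back to `LIMIT 0, 20` in every one of those cases. Because the fallback happens in the request-handling layer, core functions that legitimately pass `0` to ask for unlimited results keep working, which is the separation the comment argues for.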