[buddypress-trac] [BuddyPress Trac] #5508: improve filterability (sorting) of Activity loop

buddypress-trac noreply at wordpress.org
Sun Nov 13 03:26:11 UTC 2016

#5508: improve filterability (sorting) of Activity loop
 Reporter:  mpa4hu       |       Owner:
     Type:  enhancement  |      Status:  closed
 Priority:  normal       |   Milestone:
Component:  Activity     |     Version:  2.0
 Severity:  normal       |  Resolution:  wontfix
 Keywords:  has-patch    |
Changes (by boonebgorges):

 * keywords:  has-patch dev-feedback => has-patch
 * status:  new => closed
 * resolution:   => wontfix
 * milestone:  Future Release =>


 `$sort` is compared against a whitelist is for security. I don't think
 that BP allows you to pass `sort` or `orderby` in URL params by default,
 but if a plugin did so, you'd open yourself up for SQL injection. For this
 reason, as a general rule, it's not good practice to allow non-
 parameterized SQL values to be set via function parameter.

 The situation described by @mpa4hu is quite specific, so I think it's OK
 to suggest that this is the "proper" way to do it:

 function bp5508_filter_orderby( $sql, $r ) {
     if ( 'hottest' === $r['sort'] ) {
         $orderby = 'foo';
     } elseif ( 'recent' === $r['sort'] ) {
         $orderby = 'bar';

     $sql = preg_replace( 'ORDER BY a\.date_recorded (ASC|DESC), a\.id
 (ASC|DESC)', 'ORDER BY ' . $orderby, $sql );

     return $sql;
 add_filter( 'bp_activity_paged_activities_sql', 'bp5508_filter_orderby' );

Ticket URL: <https://buddypress.trac.wordpress.org/ticket/5508#comment:7>
BuddyPress Trac <http://buddypress.org/>
BuddyPress Trac

More information about the buddypress-trac mailing list