
Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi @jigesh,
    yes, you’re right; also, @nacin says in his post “You should instead the query directly, as there are no inputs”.
    So as long as you don’t have user inputs to sanitize, you’re safe.

    Btw, the latest version 1.0.4 of the plugin already solved this, keeping prepare and correctly passing at least 1 argument in both cases (there are 2 queries with $wpdb->prepare).
    Note the plugin still passes $list_ids directly in the first case and “1” in the second case, so it’s just a workaround to avoid the PHP warning.
    If you want to keep $wpdb->prepare just to be super-safe, and pass all parameters to prepare, it’s doable with something like this:

    remove brackets from:

    
    $list_ids="(".join(",", $notification_ids).")";
    

    and change it to

    
    $list_ids = join( ",", $notification_ids);
    

    so the first query becomes:

    
    $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$bp->core->table_name_notifications} WHERE id in (%s) AND is_new = %d", $list_ids, 1)  );
    

    and change the second query:

    
    $wpdb->get_col( $wpdb->prepare( "SELECT id FROM {$bp->core->table_name_notifications} WHERE user_id = %d AND is_new = %d", $user_id, 1 ) );
    

    regards
    Andrea
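
Added example (not part of the post above and not the plugin's code): with `%s`, `prepare()` quotes the joined list as one string literal, so `IN ('3,7,12')` compares `id` against a single value; the function below instead emits one `%d` per id. It assumes WordPress is loaded so that `$wpdb` and `absint()` exist; the function name and its parameters are hypothetical.

```php
<?php
// Added example. Hypothetical helper: $wpdb is the WordPress database object,
// $table is a table name taken from trusted code (for instance
// $bp->core->table_name_notifications), $notification_ids is the raw id list.
function example_get_new_notifications( $wpdb, $table, array $notification_ids ) {
    // Cast every id to a non-negative integer, then drop zeros and duplicates.
    $ids = array_values( array_unique( array_filter( array_map( 'absint', $notification_ids ) ) ) );

    // An empty list would produce "IN ()", which is a SQL syntax error,
    // so return early instead of running the query.
    if ( empty( $ids ) ) {
        return array();
    }

    // Build one %d placeholder per id, e.g. "%d,%d,%d" for three ids.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );

    // Identifiers cannot be bound as placeholders, so the table name is
    // interpolated; only the placeholder string built above is added to it.
    $sql = "SELECT * FROM {$table} WHERE id IN ({$placeholders}) AND is_new = %d";

    // prepare() accepts all values as a single array: the ids first,
    // then the value for is_new.
    $args = array_merge( $ids, array( 1 ) );

    return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}

// Call site inside WordPress (assumed context):
// $rows = example_get_new_notifications( $wpdb, $bp->core->table_name_notifications, $notification_ids );
```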

    @jigesh hi
    you should never remove $wpdb->prepare, it’s there for a reason 🙂
    The reason why the plugin doesn’t work with WordPress 3.6, 3.7 and later is clearly explained here: https://codex.wordpress.org/Class_Reference/wpdb
    see where they wrote:
    “Please note: As of 3.5, wpdb::prepare() enforces a minimum of 2 arguments.”
    more details here:

    PHP Warning: Missing argument 2 for wpdb::prepare()


    and the plugin code provides just 1 parameter, generating a PHP warning.
    Basically, the JSON returned isn’t valid JSON but contains the error message:
    <br /><b>Warning</b>: Missing argument 2 for wpdb::prepare()
    Not being valid JSON, it can’t be rendered in the “Bubble”.
    The correct solution is to keep $wpdb->prepare but change the query in order to pass “1” as second argument:
    instead of
    AND is_new = 1"
    do:
    AND is_new = %d", 1
    that’s because you *have* to pass a minimum of 2 arguments. So you have to re-factor the query in order to pass at least 1 second argument: first argument is the query, where you use placeholder %d (digit) instead of 1:
    "SELECT * FROM {$bp->core->table_name_notifications} WHERE id IN {$list_ids} AND is_new = %d"
    second argument is: 1
    If you have to pass a string instead of a digit, you would use %s as placeholder.
    regards
    Andrea

    @jigesh
    sorry I was wrong, I was focused on the admin bar notifications and they work for me, but the “growl style” notifications… no no, they don’t :\

    1.0.3 as I wrote above 🙂 after I modified that line, it’s working for me with WP 3.6 and BP 1.8
