From 234dbd3502d642484d6fdab853aa5cd5877db565 Mon Sep 17 00:00:00 2001 From: philcable Date: Thu, 21 Nov 2019 12:45:23 -0800 Subject: [PATCH 1/9] Add PHPCS configuration file --- phpcs.xml.dist | 365 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 365 insertions(+) create mode 100644 phpcs.xml.dist diff --git a/phpcs.xml.dist b/phpcs.xml.dist new file mode 100644 index 00000000..cb65d117 --- /dev/null +++ b/phpcs.xml.dist @@ -0,0 +1,365 @@ + + + Apply WordPress Coding Standards to all Core files + + + + + + + + + + + + ./ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + node_modules/* + vendor/* + + + + + + From 1c1eb736ee698b0aed53c880f485efc6b815542e Mon Sep 17 00:00:00 2001 From: philcable Date: Thu, 21 Nov 2019 12:46:45 -0800 Subject: [PATCH 2/9] Update SQL queries to avoid false positives for unprepared statments --- inc/migration-helpers.php | 3 +-- inc/upgrade.php | 14 ++------------ 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/inc/migration-helpers.php b/inc/migration-helpers.php index 569f7328..514a2911 100755 --- a/inc/migration-helpers.php +++ b/inc/migration-helpers.php 
@@ -249,8 +249,7 @@ function responsive_migrate_contact_form() { if ( class_exists( 'GFForms' ) && class_exists( 'GFAPI' ) ) { - $contact_query = sprintf( 'SELECT post_id FROM %s WHERE meta_key = "_wp_page_template" AND meta_value = "contact-us.php"', $wpdb->postmeta ); - $results = $wpdb->get_col( $contact_query ); + $results = $wpdb->get_col( 'SELECT post_id FROM $wpdb->postmeta WHERE meta_key = "_wp_page_template" AND meta_value = "contact-us.php"' ); if ( empty( $results ) ) { return; diff --git a/inc/upgrade.php b/inc/upgrade.php index b06ad8d9..99e21cd7 100644 --- a/inc/upgrade.php +++ b/inc/upgrade.php @@ -145,12 +145,7 @@ function responsive_upgrade_091( $verbose = true ) { ) ); - $banner_query = sprintf( - 'SELECT post_id, meta_value FROM %s WHERE meta_key = "_bu_banner"', - $wpdb->postmeta - ); - - $results = $wpdb->get_results( $banner_query ); + $results = $wpdb->get_results( 'SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = "_bu_banner"' ); foreach ( $results as $result ) { $banner = maybe_unserialize( $result->meta_value ); @@ -271,12 +266,7 @@ function responsive_upgrade_banner( $verbose ) { ) ); - $results = $wpdb->get_results( - $wpdb->prepare( - "SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = '_bu_banner'", - $wpdb->postmeta - ) - ); + $results = $wpdb->get_results( "SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = '_bu_banner'" ); foreach ( $results as $result ) { $banner = maybe_unserialize( $result->meta_value ); From c270d9f288f316d332338402dabbbc8a37926ad5 Mon Sep 17 00:00:00 2001 From: philcable Date: Thu, 21 Nov 2019 14:14:04 -0800 Subject: [PATCH 3/9] Fix unprepared SQL statements --- inc/upgrade.php | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/inc/upgrade.php b/inc/upgrade.php index 99e21cd7..9f83af1e 100644 --- a/inc/upgrade.php +++ b/inc/upgrade.php 
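Review bot: The replacement query is a single-quoted PHP string, so `$wpdb->postmeta` is not interpolated and the statement sent to MySQL literally reads `FROM $wpdb->postmeta`, which fails and leaves `$results` empty; the `_bu_banner` query introduced in the `@@ -145` hunk of inc/upgrade.php in this same patch has the identical problem (the `@@ -271` hunk is already double-quoted). The sprintf() form being removed was correct in that respect, and the minimal fix is to switch quote styles, `$results = $wpdb->get_col( "SELECT post_id FROM $wpdb->postmeta WHERE meta_key = '_wp_page_template' AND meta_value = 'contact-us.php'" );`, which is what patch 8/9 of this series eventually does. Dropping prepare() is appropriate here since the only interpolated value is the table name and no runtime data enters the query. The body of responsive_migrate_contact_form continues outside the hunk.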
@@ -115,14 +115,13 @@ function responsive_upgrade_091( $verbose = true ) { ) ); - $template_query = sprintf( - 'SELECT post_id, meta_value FROM %s WHERE meta_key = "_wp_page_template" AND meta_value IN ("%s")', - $wpdb->postmeta, - implode( '","', array_keys( $template_map ) ) + $results = $wpdb->get_results( + $wpdb->prepare( + 'SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = "_wp_page_template" AND meta_value IN (%s)', + implode( "','", array_keys( $template_map ) ) + ) ); - $results = $wpdb->get_results( $template_query ); - if ( $verbose ) { error_log( __FUNCTION__ . ' - Posts to migrate: ' . count( $results ) ); } @@ -211,12 +210,12 @@ function responsive_upgrade_2_0( $verbose = true ) { ) ); - $template_query = sprintf( - 'SELECT post_id, meta_value FROM %s WHERE meta_key = "_wp_page_template" AND meta_value IN ("%s")', - $wpdb->postmeta, - implode( '","', array_keys( $template_map ) ) + $results = $wpdb->get_results( + $wpdb->prepare( + 'SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = "_wp_page_template" AND meta_value IN (%s)', + implode( "','", array_keys( $template_map ) ) + ) ); - $results = $wpdb->get_results( $template_query ); if ( $verbose ) { error_log( __FUNCTION__ . ' - Posts to migrate: ' . count( $results ) ); From 3df05f363efcc7f415ae09e9686e4a0d95b656ce Mon Sep 17 00:00:00 2001 From: philcable Date: Wed, 27 Nov 2019 13:21:47 -0800 Subject: [PATCH 4/9] Update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d2671fd..80072b2e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,8 @@ ## Unreleased - Removes duplicate call to burf-base, which is a dependency of burf-theme. +- Adds PHPCS configuration file. +- Updates and prepares SQL queries per PHPCS. ## 2.3.61 From d1f7e653558931cfea24e5ef69a5aafb53cf01ed Mon Sep 17 00:00:00 2001 
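Review bot: Feeding the imploded key list through a single `%s` does not yield a usable `IN` list: `wpdb::prepare()` escapes and quotes the whole argument as one string, so the embedded `','` separators come out as `\',\'` inside one quoted value and the query can match nothing, and the outer single quotes again stop `$wpdb->postmeta` from being interpolated. The `@@ -211` hunk for responsive_upgrade_2_0 in this patch has exactly the same construction. Correct preparation needs one `%s` per key, e.g. `implode( ', ', array_fill( 0, count( $template_map_keys ), '%s' ) )` spliced into a double-quoted query with the key array passed as the argument list, which is the shape patches 5 and 6 of this series arrive at. Both enclosing functions start and end outside the hunks.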
From: philcable Date: Tue, 3 Dec 2019 11:22:19 -0800 Subject: [PATCH 5/9] Improve SQL statement preparation --- inc/upgrade.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/inc/upgrade.php b/inc/upgrade.php index 9f83af1e..24eaf97c 100644 --- a/inc/upgrade.php +++ b/inc/upgrade.php @@ -210,10 +210,12 @@ function responsive_upgrade_2_0( $verbose = true ) { ) ); + $template_map_keys = array_keys( $template_map ); + $results = $wpdb->get_results( $wpdb->prepare( - 'SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = "_wp_page_template" AND meta_value IN (%s)', - implode( "','", array_keys( $template_map ) ) + "SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = '_wp_page_template' AND meta_value IN (" . substr( str_repeat( ',%s', count( $template_map_keys ) ), 1 ) . ")", // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared + $template_map_keys ) ); From 86d2ebecd426e0e5275f78fbe65fdcc591e64714 Mon Sep 17 00:00:00 2001 From: Jeremy Felt Date: Wed, 15 Jan 2020 15:53:02 -0800 Subject: [PATCH 6/9] Adjust page template query with proper preparation --- inc/upgrade.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/inc/upgrade.php b/inc/upgrade.php index 24eaf97c..e279c272 100644 --- a/inc/upgrade.php +++ b/inc/upgrade.php 
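Review bot: The placeholder builder `substr( str_repeat( ',%s', count( $template_map_keys ) ), 1 )` produces an empty string when the key array is empty, which turns the clause into `IN ()` and makes MySQL reject the statement; `$template_map` is defined outside the hunk so this may be unreachable today, but wrapping the query in `if ( ! empty( $template_map_keys ) ) { ... }` would make that assumption explicit. The same expression reads more directly as `implode( ', ', array_fill( 0, count( $template_map_keys ), '%s' ) )`. Because the placeholders are generated rather than literal, the `phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared` suppression is justified, and a one-line comment stating that the placeholder count equals the key count would document why the sniff is silenced. responsive_upgrade_2_0 starts and ends outside the hunk.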
@@ -115,10 +115,14 @@ function responsive_upgrade_091( $verbose = true ) { ) ); + // Extract array keys for reuse when generating the query. + $template_map_keys = array_keys( $template_map ); + + // Prepare the query by adding a %s placeholder for each key of the passed array. $results = $wpdb->get_results( $wpdb->prepare( - 'SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = "_wp_page_template" AND meta_value IN (%s)', - implode( "','", array_keys( $template_map ) ) + "SELECT post_id, meta_value FROM {$wpdb->postmeta} WHERE meta_key = '_wp_page_template' AND meta_value IN (" . substr( str_repeat( ',%s', count( $template_map_keys ) ), 1 ) . ")", // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared + esc_sql( $template_map_keys ) ) ); From 06d0969b5bd12c5507290ac76a693c46b9eeed26 Mon Sep 17 00:00:00 2001 From: Jeremy Felt Date: Wed, 15 Jan 2020 15:55:02 -0800 Subject: [PATCH 7/9] Add comments to explain query placeholders --- inc/upgrade.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/inc/upgrade.php b/inc/upgrade.php index e279c272..938060e9 100644 --- a/inc/upgrade.php +++ b/inc/upgrade.php @@ -214,8 +214,10 @@ function responsive_upgrade_2_0( $verbose = true ) { ) ); + // Extract array keys for reuse when generating the query. $template_map_keys = array_keys( $template_map ); + // Prepare the query by adding a %s placeholder for each key of the passed array. $results = $wpdb->get_results( $wpdb->prepare( "SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = '_wp_page_template' AND meta_value IN (" . substr( str_repeat( ',%s', count( $template_map_keys ) ), 1 ) . ")", // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared From 95ddd4a750c9133584b612df718cf9acf7bc9a93 Mon Sep 17 00:00:00 2001 
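Review bot: Passing `esc_sql( $template_map_keys )` into `$wpdb->prepare()` escapes the values twice, because prepare() already runs every `%s` argument through the database escape before quoting it; any key containing a quote or backslash would then be compared in its escaped form and fail to match the stored meta_value. The sibling query in responsive_upgrade_2_0 (patch 5 of this series) passes `$template_map_keys` directly, so for both correctness and consistency the argument here should simply be `$template_map_keys`. The current keys are presumably plain template file names where the double escape is harmless, but that cannot be confirmed from the hunk. responsive_upgrade_091 starts and ends outside the hunk.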
From: Jeremy Felt Date: Thu, 16 Jan 2020 13:02:53 -0800 Subject: [PATCH 8/9] Use double quotes around queries with interpolated variables --- inc/migration-helpers.php | 2 +- inc/upgrade.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inc/migration-helpers.php b/inc/migration-helpers.php index 514a2911..f77d828d 100755 --- a/inc/migration-helpers.php +++ b/inc/migration-helpers.php @@ -249,7 +249,7 @@ function responsive_migrate_contact_form() { if ( class_exists( 'GFForms' ) && class_exists( 'GFAPI' ) ) { - $results = $wpdb->get_col( 'SELECT post_id FROM $wpdb->postmeta WHERE meta_key = "_wp_page_template" AND meta_value = "contact-us.php"' ); + $results = $wpdb->get_col( "SELECT post_id FROM $wpdb->postmeta WHERE meta_key = '_wp_page_template' AND meta_value = 'contact-us.php'" ); if ( empty( $results ) ) { return; diff --git a/inc/upgrade.php b/inc/upgrade.php index 938060e9..9cfb90fd 100644 --- a/inc/upgrade.php +++ b/inc/upgrade.php @@ -148,7 +148,7 @@ function responsive_upgrade_091( $verbose = true ) { ) ); - $results = $wpdb->get_results( 'SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = "_bu_banner"' ); + $results = $wpdb->get_results( "SELECT post_id, meta_value FROM $wpdb->postmeta WHERE meta_key = '_bu_banner'" ); foreach ( $results as $result ) { $banner = maybe_unserialize( $result->meta_value ); From 8ddb4e517489ca1d9306c9ac4d1de8b082579bf5 Mon Sep 17 00:00:00 2001 From: Jeremy Felt Date: Thu, 16 Jan 2020 13:10:18 -0800 Subject: [PATCH 9/9] Remove phpunit checks for expected incorrect usage of `$wpdb->prepare` --- tests/test-upgrade-constants.php | 4 ---- tests/test-upgrade.php | 12 ------------ 2 files changed, 16 deletions(-) diff --git a/tests/test-upgrade-constants.php b/tests/test-upgrade-constants.php index 0b0e66e6..82e2a002 100644 --- a/tests/test-upgrade-constants.php +++ b/tests/test-upgrade-constants.php 
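Review bot: The interpolation style is now mixed within responsive_upgrade_091: this hunk writes `$wpdb->postmeta` bare, while the template query a few lines earlier in the same function (patch 6 of this series) writes `{$wpdb->postmeta}`. Both forms parse identically for a simple property access, but settling on one, e.g. `"SELECT post_id, meta_value FROM {$wpdb->postmeta} WHERE meta_key = '_bu_banner'"`, keeps the file uniform and makes the variable boundary unambiguous to readers and linters. The same choice applies to the inc/migration-helpers.php hunk in this patch. The function body continues outside the hunk.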
@@ -35,8 +35,6 @@ class Tests_Responsive_Framework_Upgrade_Constants extends WP_UnitTestCase { * Test Responsive 2.0 upgrade routine when a layout is saved and a constant * is set with a value that is an allowed layout and different than the saved * value. - * - * @expectedIncorrectUsage wpdb::prepare */ function test_responsive_upgrade_2_0_layout_valid_constant_overwrites_no_value() { define( 'BU_RESPONSIVE_LAYOUT', 'side-nav' ); @@ -50,8 +48,6 @@ function test_responsive_upgrade_2_0_layout_valid_constant_overwrites_no_value() * Test Responsive 2.0 upgrade routine when a layout is saved and a constant * is set with a value that is an allowed layout and different than the saved * value. - * - * @expectedIncorrectUsage wpdb::prepare */ function test_responsive_upgrade_2_0_layout_valid_constant_overwrites_value() { define( 'BU_RESPONSIVE_LAYOUT', 'side-nav' ); diff --git a/tests/test-upgrade.php b/tests/test-upgrade.php index 09ba3fb6..f88c4a97 100755 --- a/tests/test-upgrade.php +++ b/tests/test-upgrade.php @@ -14,8 +14,6 @@ class Tests_Responsive_Framework_Upgrades extends WP_UnitTestCase { /** * Test our theme is actually active. - * - * @expectedIncorrectUsage wpdb::prepare */ function test_responsive_framework_upgrade() { update_option( '_responsive_framework_version', '0.0' ); @@ -91,8 +89,6 @@ function test_responsive_upgrade_091() { /** * Test Responsive 2.0 upgrade routine for banner positions. - * - * @expectedIncorrectUsage wpdb::prepare */ function test_responsive_upgrade_2_0_banner_positions() { $test_page_id_1 = $this->factory->post->create( @@ -141,8 +137,6 @@ function test_responsive_upgrade_2_0_banner_positions() { /** * Test Responsive 2.0 upgrade routine for layout names. - * - * @expectedIncorrectUsage wpdb::prepare */ function test_responsive_upgrade_2_0_layout_names() { update_option( 'burf_setting_layout', 'topNav' ); 
@@ -160,8 +154,6 @@ function test_responsive_upgrade_2_0_layout_names() { /** * Test Responsive 2.0 upgrade routine when no layout is saved and no constant is set. - * - * @expectedIncorrectUsage wpdb::prepare */ function test_responsive_upgrade_2_0_layout_empty() { delete_option( 'burf_setting_layout' ); @@ -174,8 +166,6 @@ function test_responsive_upgrade_2_0_layout_empty() { /** * Test Responsive 2.0 upgrade routine when no layout is saved and a constant * is set with a value that is not an allowed layout. - * - * @expectedIncorrectUsage wpdb::prepare */ function test_responsive_upgrade_2_0_layout_invalid_constant() { update_option( 'burf_setting_layout', 'not-a-valid-layout' ); @@ -187,8 +177,6 @@ function test_responsive_upgrade_2_0_layout_invalid_constant() { /** * Test Responsive 2.0 upgrade routine for template names. - * - * @expectedIncorrectUsage wpdb::prepare */ function test_responsive_upgrade_2_0_templates() { $test_page_id = $this->factory->post->create(