WHERE post_title LIKE '" . \esc_SQL( $foo ) . "';"
49
49
); // Ok.
50
50
51
51
$wpdb->query( $wpdb->prepare( "
@@ -142,3 +142,61 @@ echo $wpdb::CONSTANT_NAME;
142
142
143
143
// Not an identifiable method call.
144
144
$wpdb->{$methodName}('query');
145
+
146
+
/*
147
+
* Safeguard correct handling of all types of namespaced calls to the WPDB::prepare() method.
148
+
*
149
+
* Note that calling wpdb::prepare() statically will result in an error. Still, the tests are included here since the
150
+
* sniff handles those calls.
151
+
*
152
+
* Except for the fully qualified global call, the calls below are currently false positives. The sniff
153
+
* incorrectly identifies calls to a non-global class named `wpdb` preceded by a namespace separator as calls to the
154
+
* global `$wpdb` object. Related to: https://github.com/WordPress/WordPress-Coding-Standards/issues/2710.
155
+
*/
156
+
\WPDB::prepare( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '" . foo() . "';" );
157
+
MyNamespace\WPDB::prepare( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '" . foo() . "';" );
158
+
\MyNamespace\wpdb::prepare( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '" . foo() . "';" );
159
+
namespace\wpdb::prepare( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '" . foo() . "';" ); // False positive (see comment above). This should be flagged in the future once the sniff is able to resolve relative namespaces.
160
+
namespace\Sub\wpdb::prepare( "SELECT * FROM $wpdb->posts WHERE post_title LIKE '" . foo() . "';" );
161
+
162
+
/*
163
+
* Safeguard correct handling of all types of namespaced calls to PreparedSQLSniff::$SQLEscapingFunctions.
164
+
*
165
+
* Note: The sniff currently has a limitation in how it identifies and counts errors for namespaced function calls that
166
+
* match function names in $SQLEscapingFunctions, $SQLAutoEscapedFunctions, or
167
+
* FormattingFunctionsHelper::$formattingFunctions. When it encounters such a call, it treats the function name as if it
168
+
* were a global function call and skips checking the contents. For example, `MyNamespace\absint( $foo )` should trigger
169
+
* two errors (one for MyNamespace\absint, one for $foo), but currently only triggers one error for "MyNamespace"
170
+
* because the sniff incorrectly treats "absint" as a valid global escaping function and skips its contents.
171
+
* Additionally, multi-level namespace calls like `namespace\Sub\count( $foo )` generate multiple errors (one for
172
+
* "namespace", one for "Sub") instead of recognizing it as a single namespaced function call. This will be easier to
173
+
* fix once only PHPCS 4 is supported. Reported in https://github.com/WordPress/WordPress-Coding-Standards/issues/2648.
174
+
*/
175
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . \absint( $foo ) );
176
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . MyNamespace\esc_sql( $foo ) );
177
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . \MyNamespace\intval( $foo ) );
178
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . namespace\floatval( $foo ) ); // This should NOT be flagged in the future once the sniff is able to resolve relative namespaces.
179
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . namespace\Sub\like_escape( $foo ) );
180
+
181
+
/*
182
+
* Safeguard correct handling of all types of namespaced calls to PreparedSQLSniff::$SQLAutoEscapedFunctions.
183
+
*
184
+
* Note: See the comment above the $SQLEscapingFunctions tests for details about the sniff's current limitations.
185
+
*/
186
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . \count( $foo ) );
187
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . \Count( $foo ) );
188
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . MyNamespace\count( $foo ) );
189
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . \MyNamespace\count( $foo ) );
190
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . namespace\count( $foo ) ); // This should NOT be flagged in the future once the sniff is able to resolve relative namespaces.
191
+
$wpdb->query( "SELECT * FROM $wpdb->posts WHERE ID = " . namespace\Sub\count( $foo ) );
192
+
193
+
/*
194
+
* Safeguard correct handling of all types of namespaced calls to FormattingFunctionsHelper::$formattingFunctions.
195
+
*
196
+
* Note: See the comment above the $SQLEscapingFunctions tests for details about the sniff's current limitations.
197
+
*/
198
+
$wpdb->get_results( \sprintf( "SELECT * FROM $wpdb->posts WHERE ID = %s", intval( $id ) ) );
199
+
$wpdb->get_results( MyNamespace\wp_sprintf( "SELECT * FROM $wpdb->posts WHERE ID = %s", intval( $id ) ) );
200
+
$wpdb->get_results( \MyNamespace\sprintf( "SELECT * FROM $wpdb->posts WHERE ID = %s", intval( $id ) ) );
201
+
$wpdb->get_results( namespace\wp_sprintf( "SELECT * FROM $wpdb->posts WHERE ID = %s", intval( $id ) ) ); // This should NOT be flagged in the future once the sniff is able to resolve relative namespaces.
202
+
$wpdb->get_results( namespace\Sub\sprintf( "SELECT * FROM $wpdb->posts WHERE ID = %s", intval( $id ) ) );