Refactor DB_Users_Command to extend DB_Command and improve security

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Author: Copilot

src/DB_Users_Command.php

@@ -13,7 +13,7 @@
  *
  * @when after_wp_config_load
  */
-class DB_Users_Command extends WP_CLI_Command {
+class DB_Users_Command extends DB_Command {
 
 	/**
 	 * Creates a new database user with optional privileges.
@@ -76,17 +76,17 @@ public function create( $args, $assoc_args ) {
 		}
 		$create_query .= ';';
 
-		$this->run_query( $create_query, $assoc_args );
+		$this->run_user_query( $create_query, $assoc_args );
 
 		// Grant privileges if requested
 		if ( $grant_privileges ) {
 			$database         = DB_NAME;
 			$database_escaped = $this->esc_sql_ident( $database );
 			$grant_query      = "GRANT ALL PRIVILEGES ON {$database_escaped}.* TO {$user_identifier};";
-			$this->run_query( $grant_query, $assoc_args );
+			$this->run_user_query( $grant_query, $assoc_args );
 
 			// Flush privileges
-			$this->run_query( 'FLUSH PRIVILEGES;', $assoc_args );
+			$this->run_user_query( 'FLUSH PRIVILEGES;', $assoc_args );
 
 			WP_CLI::success( "Database user '{$username}'@'{$host}' created with privileges on database '{$database}'." );
 		} else {
@@ -97,111 +97,14 @@ public function create( $args, $assoc_args ) {
 	/**
 	 * Run a single query via the 'mysql' binary.
 	 *
+	 * This method adds SQL mode compatibility and delegates to the parent class.
+	 *
 	 * @param string $query      Query to execute.
 	 * @param array  $assoc_args Optional. Associative array of arguments.
 	 */
-	private function run_query( $query, $assoc_args = [] ) {
-		WP_CLI::debug( "Query: {$query}", 'db' );
-
-		$mysql_args = array_merge(
-			$this->get_dbuser_dbpass_args( $assoc_args ),
-			$this->get_mysql_args( $assoc_args )
-		);
-
-		$this->run(
-			sprintf(
-				'mysql%s --no-auto-rehash',
-				$this->get_defaults_flag_string( $assoc_args )
-			),
-			array_merge( [ 'execute' => $query ], $mysql_args )
-		);
-	}
-
-	/**
-	 * Run a MySQL command.
-	 *
-	 * @param string $cmd        Command to run.
-	 * @param array  $assoc_args Optional. Associative array of arguments to use.
-	 *
-	 * @return array {
-	 *     Associative array containing STDOUT and STDERR output.
-	 *
-	 *     @type string $stdout    Output that was sent to STDOUT.
-	 *     @type string $stderr    Output that was sent to STDERR.
-	 *     @type int    $exit_code Exit code of the process.
-	 * }
-	 */
-	private function run( $cmd, $assoc_args = [] ) {
-		$required = [
-			'host' => DB_HOST,
-			'user' => DB_USER,
-			'pass' => DB_PASSWORD,
-		];
-
-		if ( ! isset( $assoc_args['default-character-set'] )
-			&& defined( 'DB_CHARSET' ) && constant( 'DB_CHARSET' ) ) {
-			$required['default-character-set'] = constant( 'DB_CHARSET' );
-		}
-
-		// Using 'dbuser' as option name to workaround clash with WP-CLI's global WP 'user' parameter.
-		if ( isset( $assoc_args['dbuser'] ) ) {
-			$required['user'] = $assoc_args['dbuser'];
-			unset( $assoc_args['dbuser'] );
-		}
-		if ( isset( $assoc_args['dbpass'] ) ) {
-			$required['pass'] = $assoc_args['dbpass'];
-			unset( $assoc_args['dbpass'], $assoc_args['password'] );
-		}
-
-		$final_args = array_merge( $required, $assoc_args );
-
-		return Utils\run_mysql_command( $cmd, $final_args, null, true, false );
-	}
-
-	/**
-	 * Helper to pluck 'dbuser' and 'dbpass' from associative args array.
-	 *
-	 * @param array $assoc_args Associative args array.
-	 * @return array Array with 'dbuser' and 'dbpass' set if in passed-in associative args array.
-	 */
-	private function get_dbuser_dbpass_args( $assoc_args ) {
-		$mysql_args = [];
-		$dbuser     = Utils\get_flag_value( $assoc_args, 'dbuser' );
-		if ( null !== $dbuser ) {
-			$mysql_args['dbuser'] = $dbuser;
-		}
-		$dbpass = Utils\get_flag_value( $assoc_args, 'dbpass' );
-		if ( null !== $dbpass ) {
-			$mysql_args['dbpass'] = $dbpass;
-		}
-		return $mysql_args;
-	}
-
-	/**
-	 * Gets the MySQL args from the associative args array.
-	 *
-	 * @param array $assoc_args Associative args array.
-	 * @return array MySQL args.
-	 */
-	private function get_mysql_args( $assoc_args ) {
-		$mysql_args = [];
-
-		if ( isset( $assoc_args['host'] ) ) {
-			$mysql_args['host'] = $assoc_args['host'];
-		}
-
-		return $mysql_args;
-	}
-
-	/**
-	 * Gets the defaults flag string.
-	 *
-	 * @param array $assoc_args Associative args array.
-	 * @return string Defaults flag string.
-	 */
-	private function get_defaults_flag_string( $assoc_args ) {
-		$defaults = Utils\get_flag_value( $assoc_args, 'defaults', false );
-		return $defaults ? '' : ' --no-defaults';
+	private function run_user_query( $query, $assoc_args = [] ) {
+		// Use parent class's run_query method which handles SQL mode compatibility.
+		parent::run_query( $query, $assoc_args );
 	}
 
 	/**
@@ -211,8 +114,10 @@ private function get_defaults_flag_string( $assoc_args ) {
 	 * @return string Escaped string.
 	 */
 	private function esc_sql_string( $value ) {
-		// Use single quotes and escape single quotes by doubling them.
-		return "'" . str_replace( "'", "''", $value ) . "'";
+		// Escape backslashes first, then single quotes.
+		$value = str_replace( '\\', '\\\\', $value );
+		$value = str_replace( "'", "''", $value );
+		return "'" . $value . "'";
 	}
 
 	/**

test-output.txt

@@ -0,0 +1,45 @@
+WP_CLI_TEST_DBTYPE is set to 'sqlite', skipping database check.
+.F-------.F------.F-----.F-----
+
+--- Failed steps:
+
+001 Scenario: Create database user without privileges # features/db-users.feature:3
+      And WP files                                    # features/db-users.feature:5
+        $ curl -sSfL 'https://downloads.wordpress.org/plugin/sqlite-database-integration.zip' > '/tmp/wp-cli-test-sqlite-integration-cache/sqlite-database-integration.zip'
+        
+        curl: (6) Could not resolve host: downloads.wordpress.org
+        cwd: 
+        run time: 0.0067920684814453
+        exit status: 6 (RuntimeException)
+
+002 Scenario: Create database user with privileges # features/db-users.feature:26
+      And WP files                                 # features/db-users.feature:28
+        $ cp -r '/tmp/wp-cli-test-core-download-cache'/* '/tmp/wp-cli-test-run--696e307f102bc5.10488262/'
+        
+        cp: cannot stat '/tmp/wp-cli-test-core-download-cache/*': No such file or directory
+        cwd: 
+        run time: 0.0016000270843506
+        exit status: 1 (RuntimeException)
+
+003 Scenario: Create database user with custom host # features/db-users.feature:47
+      And WP files                                  # features/db-users.feature:49
+        $ cp -r '/tmp/wp-cli-test-core-download-cache'/* '/tmp/wp-cli-test-run--696e307f10e798.58842661/'
+        
+        cp: cannot stat '/tmp/wp-cli-test-core-download-cache/*': No such file or directory
+        cwd: 
+        run time: 0.001478910446167
+        exit status: 1 (RuntimeException)
+
+004 Scenario: Create database user with no password # features/db-users.feature:64
+      And WP files                                  # features/db-users.feature:66
+        $ cp -r '/tmp/wp-cli-test-core-download-cache'/* '/tmp/wp-cli-test-run--696e307f118931.57377979/'
+        
+        cp: cannot stat '/tmp/wp-cli-test-core-download-cache/*': No such file or directory
+        cwd: 
+        run time: 0.0014328956604004
+        exit status: 1 (RuntimeException)
+
+4 scenarios (4 failed)
+31 steps (4 passed, 4 failed, 23 skipped)
+0m0.21s (12.58Mb)
+Script run-behat-tests handling the behat event returned with error code 1