Fix SQL injection vulnerability in posts_clauses method (#7)

* Fix SQL injection vulnerability in posts_clauses method

- Sanitize post_parent parameter using absint() before use in SQL
- Use $wpdb->prepare() with %d placeholder for post_parent value
- Fix logic for unattached attachments (string '0' from request now works)
- Harden taxonomy join by using sanitize_key() and $wpdb->prepare()

Security: Prevents time-based SQL injection via query[post_parent] parameter
that was exploitable by authenticated users (Author role and above).

Co-Authored-By: yoren@shikadigital.co.jp <yorenchang@gmail.com>

* Use $wpdb->prepare() for post_parent = 0 case for consistency

Address review feedback: use prepared statement for the hardcoded 0 value
to maintain consistency with the rest of the codebase.

Co-Authored-By: yoren@shikadigital.co.jp <yorenchang@gmail.com>

* Bump version to 0.9.2 and update changelog

- Security enhancements

Co-Authored-By: yoren@shikadigital.co.jp <yorenchang@gmail.com>

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Co-authored-by: yoren@shikadigital.co.jp <yorenchang@gmail.com>

Author: devin-ai-integration[bot]

README.txt

@@ -5,7 +5,7 @@ Donate link: https://1fix.io/
 Tags: media library, media, attachment
 Requires at least: 3.5
 Tested up to: 6.8.3
-Stable tag: 0.9.1
+Stable tag: 0.9.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -65,6 +65,9 @@ Please add the following code to the `functions.php` in your theme:
 
 == Changelog ==
 
+= 0.9.2 =
+* Security enhancements.
+
 = 0.9.1 =
 * Fix: Prevent "Not unique table/alias: wp_postmeta" SQL error by aliasing the postmeta JOIN. Props [@mikemeinz](https://wordpress.org/support/users/mikemeinz/). See https://wordpress.org/support/topic/sql-syntax-error-26/
 

media-search-enhanced.php

@@ -14,7 +14,7 @@
  * Plugin Name:       Media Search Enhanced
  * Plugin URI:        https://1fix.io/media-search-enhanced
  * Description:       Search through all fields in Media Library.
- * Version:           0.9.1
+ * Version:           0.9.2
  * Author:            1fixdotio
  * Author URI:        https://1fix.io
  * Text Domain:       media-search-enhanced

public/class-media-search-enhanced.php

@@ -28,7 +28,7 @@ class Media_Search_Enhanced {
 	 *
 	 * @var     string
 	 */
-	const VERSION = '0.9.1';
+	const VERSION = '0.9.2';
 
 	/**
 	 *
@@ -153,11 +153,14 @@ public static function posts_clauses( $pieces ) {
 				$pieces['where'] .= $wpdb->prepare( " AND t.element_type='post_attachment' AND t.language_code = %s", $lang );
 			}
 
-			if ( ! empty( $vars['post_parent'] ) ) {
-				$pieces['where'] .= " AND $wpdb->posts.post_parent = " . $vars['post_parent'];
-			} elseif ( isset( $vars['post_parent'] ) && 0 === $vars['post_parent'] ) {
-				// Get unattached attachments
-				$pieces['where'] .= " AND $wpdb->posts.post_parent = 0";
+			if ( isset( $vars['post_parent'] ) ) {
+				$post_parent = absint( $vars['post_parent'] );
+				if ( $post_parent > 0 ) {
+					$pieces['where'] .= $wpdb->prepare( " AND $wpdb->posts.post_parent = %d", $post_parent );
+				} elseif ( 0 === $post_parent ) {
+					// Get unattached attachments
+					$pieces['where'] .= $wpdb->prepare( " AND $wpdb->posts.post_parent = %d", 0 );
+				}
 			}
 
 			if ( ! empty( $vars['post_mime_type'] ) ) {
@@ -207,7 +210,8 @@ public static function posts_clauses( $pieces ) {
 			if ( ! empty( $taxes ) ) {
 				$on = array();
 				foreach ( $taxes as $tax ) {
-					$on[] = "ttax.taxonomy = '$tax'";
+					$tax = sanitize_key( $tax );
+					$on[] = $wpdb->prepare( "ttax.taxonomy = %s", $tax );
 				}
 				$on = '( ' . implode( ' OR ', $on ) . ' )';