Skip to content

Commit f583d19

Browse files
avonvilleavonville
authored
Merge pull request #222 from BoldGrid/pro-issue-149
fixes db calls with wpdb->prepare
2 parents 385a1e2 + e6a1750 commit f583d19

File tree

5 files changed

+99
-45
lines changed

5 files changed

+99
-45
lines changed

includes/admin/class-privacy.php

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -210,8 +210,7 @@ public static function erase_payment_data() {
210210
public static function get_form_payments( $user_id ) {
211211
global $wpdb;
212212

213-
$query = 'SELECT * FROM ' . $wpdb->prefix . 'weforms_payments' .
214-
' WHERE user_id = ' . $user_id;
213+
$query = $wpdb->prepare( 'SELECT * FROM ' . $wpdb->prefix . 'weforms_payments WHERE user_id = %d', $user_id );
215214

216215
$results = $wpdb->get_results( $query );
217216

includes/api/class-weforms-api-rest-controller.php

Lines changed: 16 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -196,18 +196,28 @@ public function is_entry_exists( $param, $request, $key ) {
196196

197197
if ( is_array( $request['entry_id'] ) ) {
198198
$entry_id = implode( ',', $request['entry_id'] );
199-
$querystr = "
199+
$querystr = $wpdb->prepare(
200+
"
200201
SELECT $wpdb->weforms_entries.id
201202
FROM $wpdb->weforms_entries
202-
WHERE $wpdb->weforms_entries.ID IN ( $entry_id )
203-
";
203+
WHERE $wpdb->weforms_entries.ID IN ( %s )
204+
",
205+
array(
206+
$entry_id
207+
)
208+
);
204209
} else {
205210
$entry_id = (int) $request['entry_id'];
206-
$querystr = "
211+
$querystr = $wpdb->prepare(
212+
"
207213
SELECT $wpdb->weforms_entries.id
208214
FROM $wpdb->weforms_entries
209-
WHERE $wpdb->weforms_entries.ID = $entry_id
210-
";
215+
WHERE $wpdb->weforms_entries.ID = %d
216+
",
217+
array(
218+
$entry_id
219+
)
220+
);
211221
}
212222

213223
$result = $wpdb->get_results( $querystr );

includes/api/class-weforms-entries-controller.php

Lines changed: 16 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -268,24 +268,32 @@ public function delete_items( $request ) {
268268
public function is_restore_exists( $param, $request, $key ) {
269269
global $wpdb;
270270

271-
// if( is_array( $param ) ) {
272271
if ( is_array( $request['entry_id'] ) ) {
273272
$entry_id = implode( ',', $param );
274-
$querystr = "
273+
$querystr = $wpdb->prepare(
274+
"
275275
SELECT $wpdb->weforms_entries.id
276276
FROM $wpdb->weforms_entries
277-
WHERE $wpdb->weforms_entries.ID IN ( $entry_id )
277+
WHERE $wpdb->weforms_entries.ID IN ( %s )
278278
AND $wpdb->weforms_entries.status = \"trash\"
279-
";
279+
",
280+
array(
281+
$entry_id
282+
)
283+
);
280284
} else {
281-
// $entry_id = (int) $param;
282285
$entry_id = (int) $request['entry_id'];
283-
$querystr = "
286+
$querystr = $wpdb->prepare(
287+
"
284288
SELECT $wpdb->weforms_entries.id
285289
FROM $wpdb->weforms_entries
286-
WHERE $wpdb->weforms_entries.ID = $entry_id
290+
WHERE $wpdb->weforms_entries.ID = %d
287291
AND $wpdb->weforms_entries.status = \"trash\"
288-
";
292+
",
293+
array(
294+
$entry_id
295+
)
296+
);
289297
}
290298

291299
$result = $wpdb->get_results( $querystr );

includes/class-form-entry.php

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -110,9 +110,14 @@ public function populate_entry_data() {
110110

111111
$values = [];
112112

113-
$query = "SELECT * FROM {$wpdb->weforms_entries} as entry
114-
LEFT JOIN {$wpdb->weforms_entrymeta} AS meta ON entry.id = meta.weforms_entry_id
115-
WHERE entry.id = {$this->id}";
113+
$query = $wpdb->prepare(
114+
"
115+
SELECT * FROM {$wpdb->weforms_entries} as entry
116+
LEFT JOIN {$wpdb->weforms_entrymeta} AS meta ON entry.id = meta.weforms_entry_id
117+
WHERE entry.id = %d
118+
",
119+
$this->id
120+
);
116121

117122
$results = $wpdb->get_results( $query );
118123

@@ -447,7 +452,7 @@ public static function get_form( $entry_id ) {
447452
public static function get_form_id( $entry_id ) {
448453
global $wpdb;
449454

450-
$results = $wpdb->get_results( "SELECT form_id FROM {$wpdb->prefix}weforms_entries WHERE id = {$entry_id} " );
455+
$results = $wpdb->get_results( $wpdb->prepare( "SELECT form_id FROM {$wpdb->prefix}weforms_entries WHERE id = %d ", $entry_id ) );
451456

452457
return ! empty( $results[0]->form_id ) ? $results[0]->form_id : null;
453458
}

includes/functions.php

Lines changed: 57 additions & 25 deletions
Original file line numberDiff line numberDiff line change
@@ -86,14 +86,23 @@ function weforms_get_form_entries( $form_id, $args = [] ) {
8686

8787
$r = wp_parse_args( $args, $defaults );
8888

89-
$query = 'SELECT id, form_id, user_id, INET_NTOA( user_ip ) as ip_address, created_at
90-
FROM ' . $wpdb->weforms_entries .
91-
' WHERE form_id = ' . $form_id . ' AND status = \'' . $r['status'] . '\'' .
92-
' ORDER BY ' . $r['orderby'] . ' ' . $r['order'];
93-
94-
if ( !empty( $r['offset'] ) && !empty( $r['number'] ) ) {
95-
$query .= ' LIMIT ' . $r['offset'] . ', ' . $r['number'];
96-
}
89+
$query = $wpdb->prepare(
90+
"
91+
SELECT id, form_id, user_id, INET_NTOA( user_ip ) as ip_address, created_at
92+
FROM $wpdb->weforms_entries
93+
WHERE form_id = %d AND status = %s
94+
ORDER BY %s %s
95+
LIMIT %d, %d
96+
",
97+
array(
98+
$form_id,
99+
$r['status'],
100+
$r['orderby'],
101+
$r['order'],
102+
$r['offset'],
103+
$r['number'],
104+
)
105+
);
97106

98107
$results = $wpdb->get_results( $query );
99108

@@ -111,23 +120,26 @@ function weforms_count_entries( $args = [] ) {
111120
global $wpdb;
112121

113122
$defaults = [
114-
'number' => -1,
115-
'offset' => 0,
116123
'orderby' => 'created_at',
117124
'status' => 'publish',
118125
'order' => 'DESC',
119126
];
120127

121128
$r = wp_parse_args( $args, $defaults );
122129

123-
$query = 'SELECT id, form_id, user_id, INET_NTOA( user_ip ) as ip_address, created_at
124-
FROM ' . $wpdb->weforms_entries .
125-
' WHERE status = \'' . $r['status'] . '\'' .
126-
' ORDER BY ' . $r['orderby'] . ' ' . $r['order'];
127-
128-
if ( !empty( $r['offset'] ) && !empty( $r['number'] ) ) {
129-
$query .= ' LIMIT ' . $r['offset'] . ', ' . $r['number'];
130-
}
130+
$query = $wpdb->prepare(
131+
"
132+
SELECT id, form_id, user_id, INET_NTOA( user_ip ) as ip_address, created_at
133+
FROM $wpdb->weforms_entries
134+
WHERE status = %s
135+
ORDER BY %s %s
136+
",
137+
array(
138+
$r['status'],
139+
$r['orderby'],
140+
$r['order'],
141+
)
142+
);
131143

132144
$results = $wpdb->get_results( $query );
133145

@@ -154,10 +166,22 @@ function weforms_get_form_payments( $form_id, $args = [] ) {
154166

155167
$r = wp_parse_args( $args, $defaults );
156168

157-
$query = 'SELECT * FROM ' . $wpdb->prefix . 'weforms_payments' .
158-
' WHERE form_id = ' . $form_id .
159-
' ORDER BY ' . $r['orderby'] . ' ' . $r['order'] .
160-
' LIMIT ' . $r['offset'] . ', ' . $r['number'];
169+
$query = $wpdb->prepare(
170+
"
171+
SELECT *
172+
FROM wp_weforms_payments
173+
WHERE form_id = %d
174+
ORDER BY %s %s
175+
LIMIT %d, %d
176+
",
177+
array(
178+
$form_id,
179+
$r['orderby'],
180+
$r['order'],
181+
$r['offset'],
182+
$r['number'],
183+
)
184+
);
161185

162186
$results = $wpdb->get_results( $query );
163187

@@ -174,9 +198,17 @@ function weforms_get_form_payments( $form_id, $args = [] ) {
174198
function weforms_get_entry_payment( $entry_id ) {
175199
global $wpdb;
176200

177-
$query = 'SELECT transaction_id FROM ' . $wpdb->prefix . 'weforms_payments' .
178-
' WHERE entry_id = ' . $entry_id;
179-
$payment = $wpdb->get_row( $query, $entry_id );
201+
$query = $wpdb->prepare(
202+
"
203+
SELECT transaction_id
204+
FROM $wpdb->prefix 'weforms_payments'
205+
WHERE entry_id = %d
206+
",
207+
array(
208+
$entry_id
209+
)
210+
);
211+
$payment = $wpdb->get_row( $query );
180212

181213
return $payment;
182214
}

0 commit comments

Comments
 (0)