chore: use word boundries for regex

Author: preda-bogdan

classes/Visualizer/Source/Query.php

@@ -80,7 +80,7 @@ public function fetch( $as_html = false, $results_as_numeric_array = false, $raw
 		}
 
 		// only select queries allowed.
-		if ( preg_match( '/\s*(insert|delete|update|replace|create|alter|drop|truncate)\s/i', $this->_query ) ) {
+		if ( preg_match( '/\s*(\binsert\b|\bdelete\b|\bupdate\b|\breplace\b|\bcreate\b|\balter\b|\bdrop\b|\btruncate\b)\s/i', $this->_query ) ) {
 			$this->_error = __( 'Only SELECT queries are allowed', 'visualizer' );
 			return false;
 		}

tests/test-ajax.php

@@ -87,6 +87,32 @@ public function test_ajax_response_get_query_data_invalid_query() {
 		$this->assertFalse( $response->success );
 	}
 
+	/**
+	 * Test the AJAX response for fetching the database data with a valid query that uses columns that might get filtered.
+	 */
+	public function test_ajax_response_get_query_data_valid_query_with_filtered_columns() {
+		$this->_setRole( 'administrator' );
+
+		$_GET['security'] = wp_create_nonce( Visualizer_Plugin::ACTION_FETCH_DB_DATA . Visualizer_Plugin::VERSION );
+
+		$_POST['params'] = array(
+			'query' => 'select date_create from wp_insert;',
+			'chart_id' => 1,
+		);
+		try {
+			// Trigger the AJAX action
+			$this->_handleAjax( Visualizer_Plugin::ACTION_FETCH_DB_DATA );
+		} catch ( WPAjaxDieContinueException $e ) {
+			// We expected this, do nothing.
+		}
+
+		$response = json_decode( $this->_last_response );
+		$this->assertIsObject( $response );
+		$this->assertObjectHasAttribute( 'success', $response );
+		$this->assertObjectHasAttribute( 'data', $response );
+		$this->assertTrue( $response->success );
+	}
+
 	/**
 	 * Test the AJAX response for fetching the database data with user capability.
 	 */