PaystackOSS
diff --git a/‎admin/class-paystack-forms-admin.php‎
Lines changed: 8 additions & 7 deletions b/‎admin/class-paystack-forms-admin.php‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎includes/class-paystack-forms-activator.php‎
Lines changed: 6 additions & 4 deletions b/‎includes/class-paystack-forms-activator.php‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎includes/paystack-invoice.php‎
Lines changed: 5 additions & 5 deletions b/‎includes/paystack-invoice.php‎
Lines changed: 5 additions & 5 deletions
@@ -239,7 +239,7 @@ function kkd_pff_paystack_dashboard_table_data($column, $post_id)
                     break;
                 case 'payments':
 
-                    $count_query = 'select count(*) from ' . $table . ' WHERE post_id = "' . $post_id . '" AND paid = "1"';
+                    $count_query = $wpdb->prepare("SELECT COUNT(*) FROM {$table} WHERE post_id = %d AND paid = '1'", $post_id);
                     $num = $wpdb->get_var($count_query);
 
                     echo '<u><a href="' . admin_url('admin.php?page=submissions&form=' . $post_id) . '">' . $num . '</a></u>';
@@ -292,7 +292,7 @@ function kkd_pff_paystack_editor_shortcode_details($post)
             <p class="description">
                 <label for="wpcf7-shortcode">Copy this shortcode and paste it into your post, page, or text widget content:</label>
                 <span class="shortcode wp-ui-highlight">
-                    <input type="text" id="wpcf7-shortcode" onfocus="this.select();" readonly="readonly" class="large-text code" value="[pff-paystack id=&quot;<?php echo $post->ID; ?>&quot;]"></span>
+                    <input type="text" id="wpcf7-shortcode" onfocus="this.select();" readonly="readonly" class="large-text code" value="[pff-paystack id=&quot;<?php echo esc_html($post->ID); ?>&quot;]"></span>
             </p>
 
         <?php
@@ -800,14 +800,14 @@ function kkd_pff_paystack_payment_submissions()
         $data = $exampleListTable->prepare_items(); ?>
         <div id="welcome-panel" class="welcome-panel">
             <div class="welcome-panel-content">
-                <h1 style="margin: 0px;"><?php echo $obj->post_title; ?> Payments </h1>
+            <h1 style="margin: 0px;"><?php echo esc_html($obj->post_title); ?> Payments </h1>
                 <p class="about-description">All payments made for this form</p>
                 <?php if ($data > 0) {
                 ?>
 
                     <form action="<?php echo admin_url('admin-post.php'); ?>" method="post">
                         <input type="hidden" name="action" value="kkd_pff_export_excel">
-                        <input type="hidden" name="form_id" value="<?php echo $id; ?>">
+                        <input type="hidden" name="form_id" value="<?php echo esc_html($id); ?>">
                         <button type="submit" class="button button-primary button-hero load-customize">Export Data to Excel</button>
                     </form>
                 <?php
@@ -843,7 +843,9 @@ function Kkd_pff_export_excel()
     }
     $table = $wpdb->prefix . KKD_PFF_PAYSTACK_TABLE;
     $data = array();
-    $alldbdata = $wpdb->get_results("SELECT * FROM $table WHERE (post_id = '" . $post_id . "' AND paid = '1')  ORDER BY `id` ASC");
+    $table = sanitize_text_field($table);
+
+    $alldbdata = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$table} WHERE post_id = %d AND paid = '1' ORDER BY `id` ASC", $post_id));
     $i = 0;
 
     if (count($alldbdata) > 0) {
@@ -970,8 +972,7 @@ public function prepare_items()
 
         $table = $wpdb->prefix . KKD_PFF_PAYSTACK_TABLE;
         $data = array();
-        $alldbdata = $wpdb->get_results("SELECT * FROM $table WHERE (post_id = '" . $post_id . "' AND paid = '1')");
-
+        $alldbdata = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$table} WHERE post_id = %d AND paid = '1'", $post_id));
         foreach ($alldbdata as $key => $dbdata) {
             $newkey = $key + 1;
             if ($dbdata->txn_code_2 != "") {
 
@@ -8,7 +8,7 @@ public static function activate()
 		global $wpdb;
 		$version = get_option('kkd_db_version', '1.0');
 		$table_name = $wpdb->prefix . KKD_PFF_PAYSTACK_TABLE;
-
+		$table_name = sanitize_text_field($table_name);
 		$charset_collate = $wpdb->get_charset_collate();
 
 		$sql = "CREATE TABLE IF NOT EXISTS `" . $table_name . "` (
@@ -59,10 +59,12 @@ public static function activate()
 		}
 
 
-		$row = $wpdb->get_results(
-			"SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS
-			WHERE table_name = '" . $table_name . "' AND column_name = 'plan'"
+		$query = $wpdb->prepare(
+			"SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name = %s AND column_name = 'plan'",
+			$table_name
 		);
+		
+		$row = $wpdb->get_results($query);
 		if (empty($row)) {
 			$wpdb->query("ALTER TABLE `" . $table_name . "` ADD `plan` VARCHAR(255) NOT NULL AFTER `paid`;");
 		}
 
@@ -40,7 +40,7 @@ function kkd_format_metadata($data)
 
     global $wpdb;
     $table = $wpdb->prefix.KKD_PFF_PAYSTACK_TABLE;
-    $record = $wpdb->get_results("SELECT * FROM $table WHERE (txn_code = '".$code."')");
+    $record = $wpdb->get_results($wpdb->prepare("SELECT * FROM %s WHERE txn_code = %s", $table, $code));
 
 if (array_key_exists("0", $record)) {
     get_header();
@@ -57,7 +57,7 @@ function kkd_format_metadata($data)
             <article class="post-4 page type-page status-publish hentry" id="post-4">
                 <form action="<?php echo admin_url('admin-ajax.php'); ?>" method="post"   enctype="multipart/form-data"  class="j-forms retry-form" id="pf-form" novalidate="">
                 <input type="hidden" name="action" value="kkd_pff_paystack_retry_action">
-                <input type="hidden" name="code" value="<?php echo $code; ?>" />
+                <input type="hidden" name="code" value="<?php echo esc_html($code);; ?>" />
     <div class="content">
 
      <div class="divider-text gap-top-20 gap-bottom-45">
@@ -67,17 +67,17 @@ function kkd_format_metadata($data)
      <div class="j-row">
       <div class="span12 unit">
        <label class="label inline">Email:</label>
-       <strong><a href="mailto:<?php echo $dbdata->email; ?>"><?php echo $dbdata->email; ?></a></strong>
+       <strong><a href="mailto:<?php echo esc_html($dbdata->email); ?>"><?php echo esc_html($dbdata->email); ?></a></strong>
       </div>
       <div class="span12 unit">
        <label class="label inline">Amount:</label>
-       <strong><?php echo $currency.number_format($dbdata->amount); ?></strong>
+       <strong><?php echo esc_html($currency.number_format($dbdata->amount)); ?></strong>
       </div>
         <?php echo kkd_format_metadata($dbdata->metadata); ?>
 
       <div class="span12 unit">
        <label class="label inline">Date:</label>
-       <strong><?php echo $dbdata->created_at; ?></strong>
+       <strong><?php echo esc_html($dbdata->created_at); ?></strong>
       </div>
         <?php if($dbdata->paid == 1) {?>
                             <div class="span12 unit">