Skip to content

DB/PreparedSQL: fix false positives with case-insensitive function names #2570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dingo-d merged 1 commit into from
Aug 8, 2025
Merged

DB/PreparedSQL: fix false positives with case-insensitive function names #2570

dingo-d merged 1 commit into from
Aug 8, 2025

Conversation

@rodrigoprimo
Copy link
Collaborator

@rodrigoprimo rodrigoprimo commented Aug 7, 2025

The sniff was incorrectly flagging valid SQL escaping functions when they were written with mixed or uppercase letters (e.g., 'Esc_Sql' instead of 'esc_sql'). This occurred because the function name comparison was case-sensitive when checking against the predefined list of safe SQL escaping functions.

This fix ensures that function names are properly normalized to lowercase before comparing them against the allowed escaping functions list, preventing false positives regardless of the function name's capitalization.

@rodrigoprimo
DB/PreparedSQL: fix false positives with case-insensitive function names
418cf1c 
The sniff was incorrectly flagging valid SQL escaping functions when they were
written with mixed or uppercase letters (e.g., 'Esc_Sql' instead of 'esc_sql').
This occurred because the function name comparison was case-sensitive when
checking against the predefined list of safe SQL escaping functions.

This fix ensures that function names are properly normalized to lowercase
before comparing them against the allowed escaping functions list, preventing
false positives regardless of the function name's capitalization.
@jrfnl jrfnl added this to the 3.2.x milestone Aug 8, 2025
jrfnl
jrfnl approved these changes Aug 8, 2025
View reviewed changes
Copy link
Member

@jrfnl jrfnl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense to me.

@dingo-d dingo-d merged commit ede46ef into WordPress:develop Aug 8, 2025
41 checks passed
@rodrigoprimo rodrigoprimo deleted the prepared-sql-fix-false-positive branch August 8, 2025 11:46
@jrfnl jrfnl modified the milestones: 3.2.x, 3.3.0 Sep 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@GaryJones GaryJones GaryJones approved these changes

@jrfnl jrfnl jrfnl approved these changes

@dingo-d dingo-d dingo-d approved these changes

Assignees

No one assigned

Labels

Component: Core Type: Bug

Projects

None yet

Milestone

3.3.0

Development

Successfully merging this pull request may close these issues.

4 participants

@rodrigoprimo @GaryJones @jrfnl @dingo-d