[Update] Documentation for sniff WordPress.PHP.DiscouragedPHPFunctions

WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml

@@ -0,0 +1,113 @@
+<?xml version="1.0"?>
+<documentation xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://phpcsstandards.github.io/PHPCSDevTools/phpcsdocs.xsd"
+    title="Discouraged PHP Functions"
+    >
+    <standard>
+    <![CDATA[
+Use JSON instead of serialized data, which has known vulnerability problems with object injection.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Using JSON for serialized data.">
+        <![CDATA[
+$serialized = <em>json_encode</em>( $array );
+$serialized = <em>wp_json_encode</em>( $array );
+$unserialized = <em>json_decode</em>( $array );
+        ]]>
+        </code>
+        <code title="Invalid: Using serialized data strings.">
+        <![CDATA[
+$serialized = <em>serialize</em>( $array );
+$unserialized = <em>unserialize</em>( $array );
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+    <![CDATA[
+URLs should now be encoded using rawurlencode(). Only legacy applications should use urlencode().
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Encoding a url using rawurlencode().">
+        <![CDATA[
+<em>rawurlencode</em>( get_site_url() );
+        ]]>
+        </code>
+        <code title="Invalid: Encoding a url using urlencode().">
+        <![CDATA[
+<em>urlencode</em>( get_site_url() );
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+    <![CDATA[
+Avoid using functions which change configuration values at runtime.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Not changing configuration at runtime.">
+        <![CDATA[
+// Configuration not changed at runtime.
+        ]]>
+        </code>
+        <code title="Invalid: Changing configuration at runtime">
+        <![CDATA[
+error_reporting( 0 );
+ini_restore( $option );
+apache_setenv( $variable, $value );
+putenv( $assignment );
+set_include_path( $include_path );
+restore_include_path();
+magic_quotes_runtime( $new_setting );
+set_magic_quotes_runtime( $new_setting );
+dl( $extension_filename );
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+    <![CDATA[
+Do not use PHP system calls. They are often disabled by server admins.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Not using PHP system calls.">
+        <![CDATA[
+// Avoiding using PHP system calls.
+        ]]>
+        </code>
+        <code title="Invalid: Using PHP system calls.">
+        <![CDATA[
+exec( $command );
+passthru( $command );
+proc_open( 'php', $desc, $pipes, $cwd, $env );
+shell_exec( $command );
+system( $command );
+popen( $command, $mode );
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+    <![CDATA[
+Functions often used for obfuscating code are strongly discouraged. Make sure the function is used for benign reasons.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Using functions for benign reasons.">
+        <![CDATA[
+base64_encode( $string );
+base64_decode( $encrypted_string );
+convert_uuencode( $string );
+convert_uudecode( $encrypted_string );
+str_rot13( $string );
+        ]]>
+        </code>
+        <code title="Invalid: Using functions to obfuscate code.">
+        <![CDATA[
+<em>eval( </em>base64_decode( $code_str )<em> )</em>;
+<em>eval( </em>convert_uudecode( $uuencoded )<em> )</em>;
+<em>eval( </em>str_rot13( $rot13_encoded )<em> )</em>;
+        ]]>
+        </code>
+    </code_comparison>
+</documentation>