DB/PreparedSQLPlaceholders: fix false negatives for namespaced and method calls to sprintf()

The sniff was incorrectly analyzing namespaced function calls and method calls to `sprintf()` as if they were calls to the global `sprintf()` function causing false negatives.

This commit introduces the `is_global_function_call()` helper method that properly distinguishes global function calls from method calls and namespaced function calls.

This issue only affected `sprintf()`. The detection of `implode()` and array_fill() was already correctly filtering out namespaced and method calls by checking the preceding token (excluding empty tokens and T_NS_SEPARATOR). That being said, the helper method is applied to all sprintf(), implode(), and array_fill() checks for consistency and future-proofing.

Author: rodrigoprimo

WordPress/Sniffs/DB/PreparedSQLPlaceholdersSniff.php

@@ -14,6 +14,7 @@
 use PHPCSUtils\Utils\Arrays;
 use PHPCSUtils\Utils\PassedParameters;
 use PHPCSUtils\Utils\TextStrings;
+use WordPressCS\WordPress\Helpers\ContextHelper;
 use WordPressCS\WordPress\Helpers\MinimumWPVersionTrait;
 use WordPressCS\WordPress\Helpers\WPDBTrait;
 use WordPressCS\WordPress\Sniff;
@@ -226,7 +227,7 @@ public function process_token( $stackPtr ) {
 				// Detect a specific pattern for variable replacements in combination with `IN`.
 				if ( \T_STRING === $this->tokens[ $i ]['code'] ) {
 
-					if ( 'sprintf' === strtolower( $this->tokens[ $i ]['content'] ) ) {
+					if ( $this->is_global_function_call( $i, 'sprintf' ) ) {
 						$sprintf_parameters = PassedParameters::getParameters( $this->phpcsFile, $i );
 
 						if ( ! empty( $sprintf_parameters ) ) {
@@ -265,7 +266,7 @@ public function process_token( $stackPtr ) {
 						}
 						unset( $sprintf_parameters, $valid_sprintf, $last_param );
 
-					} elseif ( 'implode' === strtolower( $this->tokens[ $i ]['content'] ) ) {
+					} elseif ( $this->is_global_function_call( $i, 'implode' ) ) {
 						$ignore_tokens = Tokens::$emptyTokens + array(
 							\T_STRING_CONCAT => \T_STRING_CONCAT,
 							\T_NS_SEPARATOR  => \T_NS_SEPARATOR,
@@ -679,9 +680,7 @@ protected function analyse_sprintf( $sprintf_params ) {
 				$sprintf_param['end'],
 				true
 			);
-			if ( \T_STRING === $this->tokens[ $implode ]['code']
-				&& 'implode' === strtolower( $this->tokens[ $implode ]['content'] )
-			) {
+			if ( $this->is_global_function_call( $implode, 'implode' ) ) {
 				if ( $this->analyse_implode( $implode ) === true ) {
 					++$found;
 				}
@@ -737,9 +736,7 @@ protected function analyse_implode( $implode_token ) {
 			true
 		);
 
-		if ( \T_STRING !== $this->tokens[ $array_fill ]['code']
-			|| 'array_fill' !== strtolower( $this->tokens[ $array_fill ]['content'] )
-		) {
+		if ( ! $this->is_global_function_call( $array_fill, 'array_fill' ) ) {
 			return false;
 		}
 
@@ -763,4 +760,42 @@ protected function analyse_implode( $implode_token ) {
 
 		return (bool) preg_match( '`^(["\'])%[dfFs]\1$`', $array_fill_value_param['clean'] );
 	}
+
+	/**
+	 * Check if a token represents a call to a global function with the specified name.
+	 *
+	 * Note: This is not a comprehensive global function call check. It was designed specifically
+	 * for this sniff's needs and may not handle all edge cases.
+	 *
+	 * @since 3.3.0
+	 *
+	 * @param int    $function_ptr   The position of the token to check.
+	 * @param string $function_name The function name to check for (case-insensitive).
+	 *
+	 * @return bool True if it's a call to the global function, false otherwise.
+	 */
+	protected function is_global_function_call( $function_ptr, $function_name ) {
+		if ( \T_STRING !== $this->tokens[ $function_ptr ]['code'] ) {
+			return false;
+		}
+
+		if ( strtolower( $this->tokens[ $function_ptr ]['content'] ) !== $function_name ) {
+			return false;
+		}
+
+		$next = $this->phpcsFile->findNext( Tokens::$emptyTokens, ( $function_ptr + 1 ), null, true );
+		if ( false === $next || \T_OPEN_PARENTHESIS !== $this->tokens[ $next ]['code'] ) {
+			return false;
+		}
+
+		if ( ContextHelper::has_object_operator_before( $this->phpcsFile, $function_ptr ) === true ) {
+			return false;
+		}
+
+		if ( ContextHelper::is_token_namespaced( $this->phpcsFile, $function_ptr ) === true ) {
+			return false;
+		}
+
+		return true;
+	}
 }

WordPress/Tests/DB/PreparedSQLPlaceholdersUnitTest.inc

@@ -653,3 +653,150 @@ $where = $wpdb->prepare(
 		. ')',
 	'publish'
 );
+
+/*
+ * Safeguard correct handling of all types of namespaced calls to sprintf() except fully qualified calls to the
+ * global sprintf() function, which is already handled above.
+ */
+$where = $wpdb->prepare(
+	MyNamespace\sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		implode( ',', array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+$where = $wpdb->prepare(
+	\MyNamespace\sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		implode( ',', array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+$where = $wpdb->prepare(
+	namespace\sprintf( // This should NOT be flagged in the future once the sniff is able to resolve relative namespaces.
+		"{$wpdb->posts}.post_type IN (%s)",
+		implode( ',', array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+$where = $wpdb->prepare(
+	namespace\Sub\sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		implode( ',', array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+
+/*
+ * Safeguard correct handling of method calls to methods named sprintf(), implode(), or array_fill().
+ * These should NOT be analyzed as global function calls.
+ */
+
+// sprintf() method calls.
+$where = $wpdb->prepare(
+	$obj->sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		implode( ',', array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+$where = $wpdb->prepare(
+	$obj?->sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		implode( ',', array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+$where = $wpdb->prepare(
+	MyClass::sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		implode( ',', array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+
+// implode() method calls nested inside sprintf().
+$where = $wpdb->prepare(
+	sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		$obj->implode( ',', array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+$where = $wpdb->prepare(
+	sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		$obj?->implode( ',', array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+$where = $wpdb->prepare(
+	sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		MyClass::implode( ',', array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+
+// implode() method calls in direct string concatenation.
+$where = $wpdb->prepare(
+	"post_status = %s AND post_type IN ("
+		. $obj->implode( ',', array_fill( 0, count($post_types), '%s' ) )
+		. ')',
+	'publish'
+);
+$where = $wpdb->prepare(
+	"post_status = %s AND post_type IN ("
+		. $obj?->implode( ',', array_fill( 0, count($post_types), '%s' ) )
+		. ')',
+	'publish'
+);
+$where = $wpdb->prepare(
+	"post_status = %s AND post_type IN ("
+		. MyClass::implode( ',', array_fill( 0, count($post_types), '%s' ) )
+		. ')',
+	'publish'
+);
+
+// array_fill() method calls nested inside implode() which is nested inside sprintf().
+$where = $wpdb->prepare(
+	sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		implode( ',', $obj->array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+$where = $wpdb->prepare(
+	sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		implode( ',', $obj?->array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+$where = $wpdb->prepare(
+	sprintf(
+		"{$wpdb->posts}.post_type IN (%s)",
+		implode( ',', MyClass::array_fill( 0, count($post_types), '%s' ) )
+	),
+	$post_types
+);
+
+// array_fill() method calls nested inside implode() in direct string concatenation.
+$where = $wpdb->prepare(
+	"post_status = %s AND post_type IN ("
+		. implode( ',', $obj->array_fill( 0, count($post_types), '%s' ) )
+		. ')',
+	'publish'
+);
+$where = $wpdb->prepare(
+	"post_status = %s AND post_type IN ("
+		. implode( ',', $obj?->array_fill( 0, count($post_types), '%s' ) )
+		. ')',
+	'publish'
+);
+$where = $wpdb->prepare(
+	"post_status = %s AND post_type IN ("
+		. implode( ',', MyClass::array_fill( 0, count($post_types), '%s' ) )
+		. ')',
+	'publish'
+);

WordPress/Tests/DB/PreparedSQLPlaceholdersUnitTest.php

@@ -184,6 +184,27 @@ public function getWarningList() {
 			639 => 1,
 			644 => 1,
 			650 => 1,
+			661 => 1,
+			668 => 1,
+			675 => 1,
+			682 => 1,
+
+			// Method sprintf/implode/array_fill calls.
+			696 => 1,
+			703 => 1,
+			710 => 1,
+			719 => 1,
+			726 => 1,
+			733 => 1,
+			742 => 1,
+			748 => 1,
+			754 => 1,
+			762 => 1,
+			769 => 1,
+			776 => 1,
+			785 => 1,
+			791 => 1,
+			797 => 1,
 		);
 	}
 }