From 49df879abfccda9052c370a99946f2f8aa9bbd1b Mon Sep 17 00:00:00 2001 From: Glomberg Date: Wed, 28 Aug 2024 08:31:00 +0300 Subject: [PATCH 1/6] Fix. Code. Psalm config updated - disallow calling `$wpdb->query()`. --- composer.json | 3 ++- psalm.xml | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 485633e90..b39305840 100644 --- a/composer.json +++ b/composer.json @@ -17,7 +17,8 @@ "phpunit/phpunit": "^7.5", "squizlabs/php_codesniffer": "3.*", "phpcompatibility/php-compatibility": "@dev", - "yoast/phpunit-polyfills": "^1.0" + "yoast/phpunit-polyfills": "^1.0", + "glomberg/wpdb-unsafe-methods": "^1.0" }, "scripts": { "test": [ diff --git a/psalm.xml b/psalm.xml index 812bc59bd..f81e5d3af 100644 --- a/psalm.xml +++ b/psalm.xml @@ -29,6 +29,12 @@ + + + query + + + From 5cf184f5714ded36a0aa752dee3a2680d00de14f Mon Sep 17 00:00:00 2001 From: Glomberg Date: Fri, 6 Sep 2024 13:58:32 +0300 Subject: [PATCH 2/6] Fix. Code. Refactored query in `spbc_security_log_clear()`. --- security-malware-firewall.php | 11 +-- .../Common/Functions/SecurityLogClearTest.php | 79 +++++++++++++++++++ 2 files changed, 85 insertions(+), 5 deletions(-) create mode 100644 tests/Common/Functions/SecurityLogClearTest.php diff --git a/security-malware-firewall.php b/security-malware-firewall.php index 909b80689..5794e0268 100644 --- a/security-malware-firewall.php +++ b/security-malware-firewall.php @@ -1959,12 +1959,13 @@ function spbc_security_log_clear() . ";" ); } else { + $placeholders = rtrim(str_repeat('%s,', count($remain_ids)), ','); + $query = "DELETE FROM " . SPBC_TBL_SECURITY_LOG . " WHERE sent = 1 AND id NOT IN ($placeholders);"; $wpdb->query( - "DELETE FROM " . SPBC_TBL_SECURITY_LOG - . " WHERE sent = 1 - AND id NOT IN (" - . implode(',', $remain_ids) . - ");" + $wpdb->prepare( + $query, + implode(',', $remain_ids) + ) ); } 
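Review bot: The prepared statement in the new `else` branch of `spbc_security_log_clear()` builds `count($remain_ids)` `%s` placeholders but hands `prepare()` a single argument, `implode(',', $remain_ids)`, so the placeholder/argument counts disagree; on current WordPress `wpdb::prepare()` logs `_doing_it_wrong` and returns an empty string for that case, which makes `query('')` fail and leaves the sent rows unpruned. Pass the ids as one array, `$wpdb->prepare($query, $remain_ids)`, which `prepare()` accepts, and since the ids are integers use `%d` placeholders, `$placeholders = rtrim(str_repeat('%d,', count($remain_ids)), ',');`, so they are not bound as quoted strings. The multisite branch above still interpolates the same list unescaped and is left untouched by this commit. The function's head and the origin of `$remain_ids` are outside the hunk.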
diff --git a/tests/Common/Functions/SecurityLogClearTest.php b/tests/Common/Functions/SecurityLogClearTest.php
new file mode 100644
index 000000000..32635104e
--- /dev/null
+++ b/tests/Common/Functions/SecurityLogClearTest.php
@@ -0,0 +1,79 @@ +createTable(SPBC_TBL_SECURITY_LOG); + $this->wpdb = $this->createMock(\wpdb::class); + } + + protected function tearDown(): void + { + // Tear down the test environment + $this->wpdb->query("DROP TABLE IF EXISTS " . SPBC_TBL_SECURITY_LOG); + unset($this->wpdb); + } + + public function testSecurityLogClearRemovesOldEntries() + { + // Mock the database interactions + $this->wpdb->expects($this->exactly(60)) + ->method('insert') + ->with(SPBC_TBL_SECURITY_LOG, $this->anything()); + + $this->wpdb->expects($this->once()) + ->method('get_var') + ->with("SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG) + ->willReturn(50); + + // Act: Call the function + spbc_security_log_clear(); + + // Assert: Only 50 entries should remain + $remaining_entries = $this->wpdb->get_var("SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG); + $this->assertEquals(50, $remaining_entries); + } + + public function testSecurityLogClearHandlesEmptyTable() + { + // Mock the database interactions + $this->wpdb->expects($this->once()) + ->method('get_var') + ->with("SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG) + ->willReturn(0); + + // Act: Call the function + spbc_security_log_clear(); + + // Assert: Table should still be empty + $remaining_entries = $this->wpdb->get_var("SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG); + $this->assertEquals(0, $remaining_entries); + } + + public function testSecurityLogClearHandlesLessThan50Entries() + { + // Mock the database interactions + $this->wpdb->expects($this->exactly(30)) + ->method('insert') + ->with(SPBC_TBL_SECURITY_LOG, $this->anything()); + + $this->wpdb->expects($this->once()) + ->method('get_var') + ->with("SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG) + ->willReturn(30); + + // Act: Call the function + spbc_security_log_clear(); + + // Assert: All 30 entries should remain + $remaining_entries = $this->wpdb->get_var("SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG); + $this->assertEquals(30, $remaining_entries); + } +} 
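Review bot: The assertions in `testSecurityLogClearRemovesOldEntries` and its siblings cannot fail: `get_var` is stubbed with `willReturn(50)` and the test then asserts that the same stub returns 50, so the outcome is independent of what `spbc_security_log_clear()` actually deletes. The `expects($this->exactly(60))->method('insert')` expectation also looks unsatisfiable, since nothing in the test calls `insert` on `$this->wpdb`, and the function under test presumably reads the global `$wpdb`, not the mock held on the test case. Either seed a real table and count rows after the call, or assert on the SQL handed to `query` via `->with($this->callback(...))`. The file's opening lines (`<?php`, namespace, `use`) appear to have been lost in rendering rather than omitted from the commit.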
From 0e7618838f47b7b8bde5b07f670b2f1714551354 Mon Sep 17 00:00:00 2001 From: Glomberg Date: Sun, 8 Sep 2024 17:25:32 +0300 Subject: [PATCH 3/6] Fix. Code. Refactored query in `spbc_security_log_clear()` #2. --- security-malware-firewall.php | 32 +++++++++++++------------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/security-malware-firewall.php b/security-malware-firewall.php index aabbbb51d..9ed78511a 100644 --- a/security-malware-firewall.php +++ b/security-malware-firewall.php @@ -1950,27 +1950,21 @@ function spbc_security_log_clear() return false; } - if ( SPBC_WPMS ) { - $wpdb->query( - "DELETE FROM " . SPBC_TBL_SECURITY_LOG - . " WHERE sent = 1 - AND id NOT IN (" - . implode(',', $remain_ids) . - ")" - . ( $spbc->ms__work_mode == 2 ? '' : ' AND blog_id = ' . get_current_blog_id() ) - . ";" - ); - } else { - $placeholders = rtrim(str_repeat('%s,', count($remain_ids)), ','); - $query = "DELETE FROM " . SPBC_TBL_SECURITY_LOG . " WHERE sent = 1 AND id NOT IN ($placeholders);"; - $wpdb->query( - $wpdb->prepare( - $query, - implode(',', $remain_ids) - ) - ); + $wpms_query_part = ''; + if ( SPBC_WPMS && $spbc->ms__work_mode == 2 ) { + $wpms_query_part = ' AND blog_id = ' . get_current_blog_id(); } + $placeholders = rtrim(str_repeat('%s,', count($remain_ids)), ','); + $query = "DELETE FROM " . SPBC_TBL_SECURITY_LOG . " WHERE sent = 1 AND id NOT IN ($placeholders) " . $wpms_query_part . ";"; + + $wpdb->query( + $wpdb->prepare( + $query, + $remain_ids + ) + ); + return true; } From a4b8e0f8d62ca29501204151229df7542b85fae1 Mon Sep 17 00:00:00 2001 From: Glomberg Date: Sun, 8 Sep 2024 17:26:02 +0300 Subject: [PATCH 4/6] Fix. Code. Added unit test for `spbc_security_log_clear()`. --- .../Common/Functions/SecurityLogClearTest.php | 63 ++++++++++++------- 1 file changed, 39 insertions(+), 24 deletions(-) diff --git a/tests/Common/Functions/SecurityLogClearTest.php b/tests/Common/Functions/SecurityLogClearTest.php index 32635104e..a9822adb5 100644 
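Review bot: The multisite filter in `spbc_security_log_clear()` is inverted: the removed code appended `AND blog_id = …` whenever `$spbc->ms__work_mode` was anything but 2, but the new `if ( SPBC_WPMS && $spbc->ms__work_mode == 2 )` appends it only when the mode is 2, so the per-blog mode now deletes every blog's sent rows and mode 2 stops deleting them. Restore the original sense with `if ( SPBC_WPMS && $spbc->ms__work_mode != 2 )`. The ids are integers, so `str_repeat('%d,', count($remain_ids))` is the right placeholder, and `get_current_blog_id()` could be bound through `%d` as well instead of being concatenated. The function's head and the definition of `$remain_ids` lie outside the hunk.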
--- a/tests/Common/Functions/SecurityLogClearTest.php +++ b/tests/Common/Functions/SecurityLogClearTest.php @@ -8,10 +8,13 @@ class SecurityLogClearTest extends TestCase protected function setUp(): void { + global $wpdb; + // Set up the test environment $db_tables_creator = new \CleantalkSP\SpbctWP\DB\TablesCreator(); $db_tables_creator->createTable(SPBC_TBL_SECURITY_LOG); - $this->wpdb = $this->createMock(\wpdb::class); + $this->wpdb = $wpdb; + $this->clearMockData(); } protected function tearDown(): void 
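Review bot: `setUp()` now binds the test to the real global `$wpdb` and immediately calls `clearMockData()`, which deletes every row of `SPBC_TBL_SECURITY_LOG`, and `tearDown()` (outside this hunk) drops the table, so running the suite against anything other than a disposable database wipes a site's security log. Add a guard in `setUp()` before touching the table, e.g. `$this->assertStringContainsString('test', DB_NAME, 'refusing to run against a non-test database');` (whichever constant the bootstrap exposes), and state the requirement in a class docblock: `Requires a throwaway WordPress database: setUp() truncates and tearDown() drops SPBC_TBL_SECURITY_LOG.`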
@@ -21,33 +24,49 @@ protected function tearDown(): void unset($this->wpdb); } + protected function insertMockData($count = 60) + { + // Insert mock data into SPBC_TBL_SECURITY_LOG + for ($i = 1; $i <= $count; $i++) { + $this->wpdb->insert( + SPBC_TBL_SECURITY_LOG, + array( + 'datetime' => current_time('mysql'), + 'event' => 'mock_event_' . $i, + 'sent' => 1 + ) + ); + } + } + + protected function clearMockData() + { + $this->wpdb->query("DELETE FROM " . SPBC_TBL_SECURITY_LOG); + } + public function testSecurityLogClearRemovesOldEntries() { - // Mock the database interactions - $this->wpdb->expects($this->exactly(60)) - ->method('insert') - ->with(SPBC_TBL_SECURITY_LOG, $this->anything()); + $this->insertMockData(); - $this->wpdb->expects($this->once()) - ->method('get_var') - ->with("SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG) - ->willReturn(50); + $query = "SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG; + $initial_entries = $this->wpdb->get_var($query); + $this->assertEquals(60, $initial_entries); // Act: Call the function spbc_security_log_clear(); // Assert: Only 50 entries should remain - $remaining_entries = $this->wpdb->get_var("SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG); + $remaining_entries = $this->wpdb->get_var($query); $this->assertEquals(50, $remaining_entries); + + $this->clearMockData(); } public function testSecurityLogClearHandlesEmptyTable() { - // Mock the database interactions - $this->wpdb->expects($this->once()) - ->method('get_var') - ->with("SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG) - ->willReturn(0); + $query = "SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG; + $initial_entries = $this->wpdb->get_var($query); + $this->assertEquals(0, $initial_entries); // Act: Call the function spbc_security_log_clear(); 
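Review bot: `insertMockData()` seeds rows with only `datetime`, `event` and `sent`, but the code under test adds a `blog_id = get_current_blog_id()` filter on multisite, so on a WPMS test run the 60 seeded rows may not be the rows the delete matches and `assertEquals(50, …)` can fail for reasons unrelated to the function; add `'blog_id' => get_current_blog_id()` to the insert (this assumes the column exists, which the table schema outside the hunk would confirm). The trailing `$this->clearMockData();` only executes when every assertion passes, and `tearDown()` already drops the table, so that call is redundant and can be removed.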
@@ -59,15 +78,11 @@ public function testSecurityLogClearHandlesEmptyTable() public function testSecurityLogClearHandlesLessThan50Entries() { - // Mock the database interactions - $this->wpdb->expects($this->exactly(30)) - ->method('insert') - ->with(SPBC_TBL_SECURITY_LOG, $this->anything()); - - $this->wpdb->expects($this->once()) - ->method('get_var') - ->with("SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG) - ->willReturn(30); + $this->insertMockData(30); + + $query = "SELECT COUNT(*) FROM " . SPBC_TBL_SECURITY_LOG; + $initial_entries = $this->wpdb->get_var($query); + $this->assertEquals(30, $initial_entries); // Act: Call the function spbc_security_log_clear(); From 3572f6d4b218538777e9488c5e2e03ffd593056d Mon Sep 17 00:00:00 2001 From: svfcode Date: Mon, 23 Sep 2024 10:06:52 +0300 Subject: [PATCH 5/6] Fix. Code. Removed psalm warnings. --- inc/spbc-backups.php | 4 +- inc/spbc-scanner.php | 56 +++++++++------- lib/CleantalkSP/SpbctWP/Deactivator.php | 61 +++++++++-------- lib/CleantalkSP/SpbctWP/Scanner/Frontend.php | 2 +- lib/CleantalkSP/SpbctWP/Scanner/Links.php | 5 +- .../Stages/SignatureAnalysis/Repository.php | 52 +++++++-------- lib/CleantalkSP/SpbctWP/Scanner/Surface.php | 6 +- .../SpbctWP/Variables/AltSessions.php | 12 ++-- lib/CleantalkSP/Updater/UpdaterScripts.php | 66 +++++++++---------- security-malware-firewall.php | 35 +++------- 10 files changed, 141 insertions(+), 158 deletions(-) diff --git a/inc/spbc-backups.php b/inc/spbc-backups.php index 177eca714..58704e624 100644 --- a/inc/spbc-backups.php +++ b/inc/spbc-backups.php 
@@ -90,9 +90,7 @@ function spbc_backup__files_with_signatures($direct_call = false) $files_to_backup = $wpdb->get_results('SELECT path, weak_spots FROM ' . SPBC_TBL_SCAN_FILES . ' WHERE weak_spots LIKE "%\"SIGNATURES\":%";', ARRAY_A); if (is_array($files_to_backup) && count($files_to_backup)) { - $sql_query = 'INSERT INTO ' . SPBC_TBL_BACKUPED_FILES . ' (backup_id, real_path, back_path) VALUES'; $sql_data = array(); - foreach ($files_to_backup as $file) { $weak_spots = json_decode($file['weak_spots'], true); @@ -146,7 +144,7 @@ function spbc_backup__files_with_signatures($direct_call = false) // Writing backuped files to DB if ( ! empty($sql_data) && ! isset($output['error'])) { - if ($wpdb->query($sql_query . implode(',', $sql_data) . ';') !== false) { + if ($wpdb->query($wpdb->prepare('INSERT INTO %s (backup_id, real_path, back_path) VALUES %s;', SPBC_TBL_BACKUPED_FILES, implode(',', $sql_data))) !== false) { // Updating current backup status if ($wpdb->update(SPBC_TBL_BACKUPS, array('status' => 'BACKUPED'), array('backup_id' => $backup_id)) !== false) { $result = spbc_backup__rotate('signatures'); diff --git a/inc/spbc-scanner.php b/inc/spbc-scanner.php index 5aeaa60c9..fbe7ed547 100644 --- a/inc/spbc-scanner.php +++ b/inc/spbc-scanner.php @@ -358,11 +358,12 @@ function spbc_scanner_file_send_handler($file_id = null, $do_rescan = true) if ($api_response['error'] === 'QUEUE_FULL') { //do something with not queued files $sql_result = $wpdb->query( - 'UPDATE ' . SPBC_TBL_SCAN_FILES - . ' SET' - . ' last_sent = ' . current_time('timestamp') . ',' - . ' pscan_pending_queue = 1' - . ' WHERE fast_hash = "' . $file_id . '"' + $wpdb->prepare( + 'UPDATE %s SET' . ' last_sent = %d,' . ' pscan_pending_queue = 1' . ' WHERE fast_hash = %s', + SPBC_TBL_SCAN_FILES, + current_time('timestamp'), + $file_id + ) ); if ($sql_result === false) { 
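Review bot: `$wpdb->prepare('INSERT INTO %s (...) VALUES %s;', SPBC_TBL_BACKUPED_FILES, implode(',', $sql_data))` yields `INSERT INTO 'wp_spbc_backuped_files' (...) VALUES '(1, ...),(...)'`: `%s` wraps the table name and the pre-built tuple list in single quotes and escapes them, so the statement is a syntax error, `query()` returns false and the backup row is never written — and the `!== false` branch is the only place that would notice. Identifiers and a rendered `VALUES` list cannot go through `%s`; either keep the concatenation (`'INSERT INTO ' . SPBC_TBL_BACKUPED_FILES . ' (backup_id, real_path, back_path) VALUES ' . implode(',', $sql_data) . ';'`) with the escaping done where `$sql_data` is built, or on WordPress ≥ 6.2 use `%i` for the table and emit one `(%d,%s,%s)` group per row with a flat argument array. How `$sql_data` entries are escaped is outside the hunk, so I cannot tell whether they are already safe.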
@@ -390,13 +391,14 @@ function spbc_scanner_file_send_handler($file_id = null, $do_rescan = true) // Updating "last_sent" $sql_result = $wpdb->query( - 'UPDATE ' . SPBC_TBL_SCAN_FILES - . ' SET' - . ' last_sent = ' . current_time('timestamp') . ',' - . ' pscan_processing_status = "NEW",' - . ' pscan_pending_queue = 0,' - . ' pscan_file_id = "' . $api_response["file_id"] . '"' - . ' WHERE fast_hash = "' . $file_id . '"' + $wpdb->prepare( + 'UPDATE %s SET last_sent = %d, pscan_processing_status = "NEW", pscan_pending_queue = 0,' + . ' pscan_file_id = %s' . ' WHERE fast_hash = %s', + SPBC_TBL_SCAN_FILES, + current_time('timestamp'), + $api_response['file_id'], + $file_id + ) ); if ($sql_result === false) { @@ -584,7 +586,7 @@ function spbc_scanner_file_delete($direct_call = false, $file_id = null) $output['error'] .= $result === false ? ' REVERT_FAILED' : ' REVERT_OK'; } else { // Deleting row from DB - if ($wpdb->query('DELETE FROM ' . SPBC_TBL_SCAN_FILES . ' WHERE fast_hash = "' . $file_id . '"') !== false) { + if ($wpdb->query($wpdb->prepare('DELETE FROM %s WHERE fast_hash = %s', SPBC_TBL_SCAN_FILES, $file_id)) !== false) { $output = array('success' => true); } else { $output = array('error' => 'DB_COULDNT_DELETE_ROW'); 
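Review bot: `prepare('DELETE FROM %s WHERE fast_hash = %s', SPBC_TBL_SCAN_FILES, $file_id)` quotes the table name (`DELETE FROM 'wp_spbc_scan_results' …`), which MySQL rejects, so every delete through this path returns false and the caller surfaces `DB_COULDNT_DELETE_ROW` even though the file itself was removed. Only values belong in placeholders: `$wpdb->prepare('DELETE FROM ' . SPBC_TBL_SCAN_FILES . ' WHERE fast_hash = %s', $file_id)`, which is the shape this same commit uses in `spbc_scanner_file_replace`, or `%i` if the plugin can require WordPress ≥ 6.2. The `UPDATE %s SET last_sent = %d …` in the hunk above has the identical defect.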
@@ -831,12 +833,14 @@ function spbc_scanner_pscan_check_analysis_status($direct_call = false, $file_id * If file process is not finished, update data */ $update_result = $wpdb->query( - 'UPDATE ' . SPBC_TBL_SCAN_FILES - . ' SET ' - . ' pscan_pending_queue = 0, ' - . ' pscan_processing_status = "' . $api_response['processing_status'] . '",' - . ' pscan_estimated_execution_time = "' . $api_response['estimated_execution_time'] . '"' - . ' WHERE pscan_file_id = "' . $file_info['pscan_file_id'] . '"' + $wpdb->prepare( + 'UPDATE %s SET pscan_pending_queue = 0, pscan_processing_status = %s,' + . ' pscan_estimated_execution_time = %s WHERE pscan_file_id = %s', + SPBC_TBL_SCAN_FILES, + $api_response['processing_status'], + $api_response['estimated_execution_time'], + $file_info['pscan_file_id'] + ) ); } else { if ( $api_response['file_status'] === 'SAFE' ) { @@ -1709,8 +1713,11 @@ function spbc_scanner_file_replace($direct_call = false, $file_id = null, $_plat fclose($file_desc); $db_result = $wpdb->query( - 'DELETE FROM ' . SPBC_TBL_SCAN_FILES - . ' WHERE fast_hash = "' . $file_id . '";' + $wpdb->prepare( + 'DELETE FROM ' . SPBC_TBL_SCAN_FILES + . ' WHERE fast_hash = %s;', + $file_id + ) ); if ($db_result) { @@ -2006,14 +2013,17 @@ function spbc_scanner_analysis_log_delete_from_log($direct_call = false) foreach ( $file_ids_clean as $id ) { $file_ids_string .= '"' . $id . '",'; } - $query = "UPDATE " . SPBC_TBL_SCAN_FILES . " SET + $query = $wpdb->prepare( + "UPDATE " . SPBC_TBL_SCAN_FILES . " SET last_sent = null, pscan_status = null, pscan_processing_status = null, pscan_pending_queue = null, pscan_balls = null, pscan_file_id = null - WHERE fast_hash IN (" . trim($file_ids_string, ',') . ")"; + WHERE fast_hash IN (%s)", + trim($file_ids_string, ',') + ); $updated_rows = $wpdb->query($query); if ( ! $updated_rows) { diff --git a/lib/CleantalkSP/SpbctWP/Deactivator.php b/lib/CleantalkSP/SpbctWP/Deactivator.php index 3d8a33781..5db1e4f60 100644 
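Review bot: In `spbc_scanner_analysis_log_delete_from_log` the `WHERE fast_hash IN (%s)` placeholder receives `trim($file_ids_string, ',')`, a comma-separated string of already double-quoted ids, so `prepare()` binds the whole list as one escaped literal (`IN ('\"a\",\"b\"')`), the UPDATE matches nothing, and `$updated_rows` is falsy on every request. Build one placeholder per id from `$file_ids_clean` (defined above the hunk) and pass that array as the argument list, dropping the `$file_ids_string` loop; an empty list should be rejected first, since `IN ()` is a syntax error.
```php
// … unchanged: derive $file_ids_clean from the request …
if (empty($file_ids_clean)) {
    return array('error' => 'NO_FILE_IDS'); // wording per the function's existing error style
}
$placeholders = implode(',', array_fill(0, count($file_ids_clean), '%s'));
$query = $wpdb->prepare(
    "UPDATE " . SPBC_TBL_SCAN_FILES . " SET
        last_sent = null,
        pscan_status = null,
        pscan_processing_status = null,
        pscan_pending_queue = null,
        pscan_balls = null,
        pscan_file_id = null
    WHERE fast_hash IN ($placeholders)",
    $file_ids_clean
);
$updated_rows = $wpdb->query($query);
```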
--- a/lib/CleantalkSP/SpbctWP/Deactivator.php
+++ b/lib/CleantalkSP/SpbctWP/Deactivator.php
@@ -263,19 +263,20 @@ private static function deleteFrontendMeta() public static function deleteBlogTables() //ok { global $wpdb; - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_auth_logs'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_monitoring_users'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips_v4'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips_v6'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_countries'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips_v4_temp'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips_v6_temp'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_countries_temp'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall_logs'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_traffic_control_logs'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_traffic_control_logs'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_bfp_blocked'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_sessions'); + + $prefix = $wpdb->base_prefix; + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_auth_logs')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_monitoring_users')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_ips_v4')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_ips_v6')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_countries')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_ips_v4_temp')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 
'spbc_firewall__personal_ips_v6_temp')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_countries_temp')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall_logs')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_traffic_control_logs')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_bfp_blocked')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_sessions')); } /** 
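Review bot: `deleteBlogTables()` regresses twice: `%s` quotes the identifier, so each statement becomes `DROP TABLE IF EXISTS 'wp_spbc_auth_logs'` — a syntax error — and none of the per-blog tables is dropped on uninstall; and `$prefix` is now `$wpdb->base_prefix` instead of the removed `$wpdb->prefix`, so on multisite the method presumably targets the main site's tables rather than the blog that was switched to (the `deleteCommonTables()` hunk below is where `base_prefix` belongs). Restore `$prefix = $wpdb->prefix;` and keep identifiers out of placeholders, `$wpdb->query('DROP TABLE IF EXISTS ' . $prefix . 'spbc_auth_logs');`, with a `@psalm-suppress` on the method if the new rule objects, or `%i` once WordPress ≥ 6.2 is the floor. Dropping the duplicated `spbc_traffic_control_logs` line was fine.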
@@ -285,18 +286,20 @@ public static function deleteBlogTables() //ok public static function deleteCommonTables() //ok { global $wpdb; - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_scan_results'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_firewall_data_v4'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_firewall_data_v6'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_firewall_data_v4_temp'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_firewall_data_v6_temp'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_scan_links_logs'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_scan_signatures'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_scan_frontend'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_backups'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_backuped_files'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_scan_results_log'); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_cure_log'); + + $prefix = $wpdb->base_prefix; + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_scan_results')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall_data_v4')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall_data_v6')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall_data_v4_temp')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall_data_v6_temp')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_scan_links_logs')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_scan_signatures')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 
'spbc_scan_frontend')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_backups')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_backuped_files')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_scan_results_log')); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_cure_log')); } /** @@ -320,10 +323,10 @@ public static function deleteBlogOptions() //APBCT global $wpdb; // Deleting all data from wp_options $wpdb->query( - 'DELETE FROM ' . $wpdb->options - . ' WHERE' - . ' option_name LIKE "spbc_%" AND' - . ' option_name <> "spbc_deactivation_in_process"' + $wpdb->prepare( + 'DELETE FROM %s WHERE option_name LIKE "spbc_%" AND option_name <> "spbc_deactivation_in_process"', + $wpdb->options + ) ); } diff --git a/lib/CleantalkSP/SpbctWP/Scanner/Frontend.php b/lib/CleantalkSP/SpbctWP/Scanner/Frontend.php index 87882e5f8..d3ab83376 100644 --- a/lib/CleantalkSP/SpbctWP/Scanner/Frontend.php +++ b/lib/CleantalkSP/SpbctWP/Scanner/Frontend.php @@ -390,7 +390,7 @@ public static function resetCheckResult() global $wpdb; $wpdb->query("DELETE FROM {$wpdb->postmeta} WHERE meta_key = '_spbc_frontend__last_checked' OR meta_key = 'spbc_frontend__last_checked';"); - return $wpdb->query('DELETE FROM ' . SPBC_TBL_SCAN_FRONTEND . ';'); + return $wpdb->query($wpdb->prepare('DELETE FROM %s;', SPBC_TBL_SCAN_FRONTEND)); } /** diff --git a/lib/CleantalkSP/SpbctWP/Scanner/Links.php b/lib/CleantalkSP/SpbctWP/Scanner/Links.php index 39365ec2c..4747bc652 100644 --- a/lib/CleantalkSP/SpbctWP/Scanner/Links.php +++ b/lib/CleantalkSP/SpbctWP/Scanner/Links.php 
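Review bot: `prepare('DELETE FROM %s WHERE option_name LIKE "spbc_%" …', $wpdb->options)` fails on two counts: the options table becomes a quoted string literal, and the bare `%` in `spbc_%"` is a stray format character that `prepare()` either rewrites or, on older WordPress where the query goes straight to `vsprintf`, aborts on — so plugin options survive deactivation. Keep the table outside the placeholder and bind the pattern as a value: `$wpdb->prepare('DELETE FROM ' . $wpdb->options . ' WHERE option_name LIKE %s AND option_name <> %s', $wpdb->esc_like('spbc_') . '%', 'spbc_deactivation_in_process')`. The `deleteCommonTables()` and `Frontend::resetCheckResult()` hunks above pass table names through `%s` the same way.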
@@ -278,8 +278,9 @@ public function postMarkAsChecked() public static function resetCheckResult() { global $wpdb; - $wpdb->query("DELETE FROM {$wpdb->postmeta} WHERE meta_key = '_spbc_links_checked';"); - return $wpdb->query('DELETE FROM ' . SPBC_TBL_SCAN_LINKS . ';'); + $wpdb->query($wpdb->prepare("DELETE FROM %s WHERE meta_key = %s;", $wpdb->postmeta, '_spbc_links_checked')); + + return $wpdb->query($wpdb->prepare('DELETE FROM %s;', SPBC_TBL_SCAN_LINKS)); } } diff --git a/lib/CleantalkSP/SpbctWP/Scanner/Stages/SignatureAnalysis/Repository.php b/lib/CleantalkSP/SpbctWP/Scanner/Stages/SignatureAnalysis/Repository.php index b37446c85..35de10dec 100644 --- a/lib/CleantalkSP/SpbctWP/Scanner/Stages/SignatureAnalysis/Repository.php +++ b/lib/CleantalkSP/SpbctWP/Scanner/Stages/SignatureAnalysis/Repository.php @@ -81,18 +81,14 @@ public static function getSignaturesFromCloud($latest_signature_local) public static function clearSignaturesTable() { global $wpdb; - $wpdb->query('DELETE FROM ' . SPBC_TBL_SCAN_SIGNATURES . ' WHERE 1;'); + $wpdb->query($wpdb->prepare('DELETE FROM %s WHERE 1;', SPBC_TBL_SCAN_SIGNATURES)); } public static function addSignaturesToDb($map, $signatures) { global $wpdb; - $sql_head = 'INSERT INTO ' . SPBC_TBL_SCAN_SIGNATURES - . ' (' . implode(',', $map) . ')' - . ' VALUES '; + $sql_data = array(); - $sql_tail = ' ON DUPLICATE KEY UPDATE ' - . 'submitted = submitted;'; foreach ( $signatures as $signature ) { /** @psalm-suppress InvalidArgument */ $tmp = implode( @@ -108,10 +104,12 @@ function ($elem) { $sql_data[] = "($tmp)"; } - $query = - $sql_head - . implode(',', $sql_data) - . $sql_tail; + $query = $wpdb->prepare( + 'INSERT INTO %s (%s) VALUES %s ON DUPLICATE KEY UPDATE submitted = submitted;', + SPBC_TBL_SCAN_SIGNATURES, + implode(',', $map), + implode(',', $sql_data) + ); return $wpdb->query($query); } 
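Review bot: `prepare('INSERT INTO %s (%s) VALUES %s …', SPBC_TBL_SCAN_SIGNATURES, implode(',', $map), implode(',', $sql_data))` quotes and escapes the table name, the column list and the tuple list — whose elements were already escaped by `Helper::prepareParamForSQLQuery` — so the statement is malformed, `$wpdb->query()` returns false and the signature table is never filled, which disables signature scanning with no error beyond the return value. `prepare()` cannot take identifiers or a pre-rendered `VALUES` list; restore the concatenation (`'INSERT INTO ' . SPBC_TBL_SCAN_SIGNATURES . ' (' . implode(',', $map) . ') VALUES ' . implode(',', $sql_data) . ' ON DUPLICATE KEY UPDATE submitted = submitted;'`) and suppress the analyser on this method, or rebuild each row as a `(%s,%s,…)` group fed the raw `$signature` values so `prepare()` escapes once. Whether `$map` is trusted depends on `getSignaturesFromCloud()`, which is outside the hunk.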
@@ -130,31 +128,25 @@ public static function thereAreSignaturesInDb() public static function addSignaturesToDbOneByOne($map, $signatures) { global $wpdb; - $sql_head = 'INSERT INTO ' . SPBC_TBL_SCAN_SIGNATURES - . ' (' . implode(',', $map) . ')' - . ' VALUES '; - $sql_tail = ' ON DUPLICATE KEY UPDATE ' - . 'submitted = submitted;'; + + $prepared_map = implode(',', $map); + $bad_signatures = array(); foreach ( $signatures as $signature ) { /** @psalm-suppress InvalidArgument */ - $tmp = implode( - ',', - array_map( - function ($elem) { - return Helper::prepareParamForSQLQuery(stripslashes($elem ?: 'null')); - }, - $signature - ) + $tmp = implode(',', array_map( + function ($elem) { + return Helper::prepareParamForSQLQuery(stripslashes($elem ?: 'null')); + }, + $signature + )); + + $query = $wpdb->prepare( + 'INSERT INTO ' . SPBC_TBL_SCAN_SIGNATURES . ' (%s) VALUES (%s) ON DUPLICATE KEY UPDATE submitted = submitted;', + $prepared_map, + $tmp ); - $sql_data = "($tmp)"; - - $query = - $sql_head - . $sql_data - . $sql_tail; - $signature_added = $wpdb->query($query); if (!$signature_added) { diff --git a/lib/CleantalkSP/SpbctWP/Scanner/Surface.php b/lib/CleantalkSP/SpbctWP/Scanner/Surface.php index fd3c0631b..257774e47 100644 --- a/lib/CleantalkSP/SpbctWP/Scanner/Surface.php +++ b/lib/CleantalkSP/SpbctWP/Scanner/Surface.php @@ -336,7 +336,7 @@ private function saveIteratorCompletedDirs($iterator_result) return false; } - $insert_query = 'INSERT INTO ' . self::$completed_dirs_table_name . ' (dir_path, running_due_stage) VALUES ' . $completed_dirs_string ; + $insert_query = $wpdb->prepare('INSERT INTO %s (dir_path, running_due_stage) VALUES %s;', self::$completed_dirs_table_name, $completed_dirs_string); $insert_result = $wpdb->query($insert_query); return (bool)$insert_result; 
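Review bot: `addSignaturesToDbOneByOne()` keeps the table name out of the placeholder but still routes the column list and the escaped value tuple through `%s`, producing `INSERT INTO … ('id,…') VALUES ('1,\'foo\',…')`, which fails for every signature, so `$bad_signatures` will end up holding all of them. Because `Helper::prepareParamForSQLQuery` already escapes the values, either concatenate `$prepared_map` and `$tmp` as before, or drop the helper and build the tuple as `'(' . implode(',', array_fill(0, count($signature), '%s')) . ')'` with `$signature` as the argument array so `prepare()` escapes once. `Surface::saveIteratorCompletedDirs` in the next hunk has the same `%s`-for-identifier and `%s`-for-VALUES pattern.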
@@ -372,7 +372,7 @@ private function clearIteratorCompletedDirs($reset_increment = false) global $wpdb; // run query - $delete_query = 'DELETE FROM ' . self::$completed_dirs_table_name . ' WHERE running_due_stage = ' . (int)$this->running_due_stage . ';'; + $delete_query = $wpdb->prepare('DELETE FROM %s WHERE running_due_stage = %d;', self::$completed_dirs_table_name, $this->running_due_stage); $delete_result = $wpdb->query($delete_query); if ($delete_result === false) { return false; @@ -381,7 +381,7 @@ private function clearIteratorCompletedDirs($reset_increment = false) if ($reset_increment) { $count = $wpdb->get_var('SELECT COUNT(*) FROM ' . self::$completed_dirs_table_name); if ($count === '0') { - $wpdb->query('ALTER TABLE ' . self::$completed_dirs_table_name . ' AUTO_INCREMENT = 1;'); + $wpdb->query($wpdb->prepare('ALTER TABLE %s AUTO_INCREMENT = 1;', self::$completed_dirs_table_name)); } } diff --git a/lib/CleantalkSP/SpbctWP/Variables/AltSessions.php b/lib/CleantalkSP/SpbctWP/Variables/AltSessions.php index 5b31b3b8a..b71108503 100644 --- a/lib/CleantalkSP/SpbctWP/Variables/AltSessions.php +++ b/lib/CleantalkSP/SpbctWP/Variables/AltSessions.php @@ -141,10 +141,10 @@ public static function cleanFromOld() self::$sessions_already_cleaned = true; $wpdb->query( - 'DELETE - FROM `' . SPBC_TBL_SESSIONS . '` - WHERE last_update < NOW() - INTERVAL ' . self::SESSION__LIVE_TIME . ' SECOND - LIMIT 100000;' + $wpdb->prepare( + 'DELETE FROM `' . SPBC_TBL_SESSIONS . '` WHERE last_update < NOW() - INTERVAL %d SECOND LIMIT 100000;', + self::SESSION__LIVE_TIME + ) ); } } @@ -159,8 +159,6 @@ public static function wipe() { global $wpdb; - return $wpdb->query( - 'TRUNCATE TABLE ' . SPBC_TBL_SESSIONS . ';' - ); + return $wpdb->query($wpdb->prepare('TRUNCATE TABLE ' . SPBC_TBL_SESSIONS . ';')); } } diff --git a/lib/CleantalkSP/Updater/UpdaterScripts.php b/lib/CleantalkSP/Updater/UpdaterScripts.php index 50f95dc1e..010555f36 100644 
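Review bot: `$wpdb->prepare('TRUNCATE TABLE ' . SPBC_TBL_SESSIONS . ';')` contains no placeholder, so `prepare()` raises `_doing_it_wrong` ("must have a placeholder") on every `wipe()` call while adding no escaping to a constant query. Either run `$wpdb->query('TRUNCATE TABLE ' . SPBC_TBL_SESSIONS . ';')` directly under a `/** @psalm-suppress */` for the new rule, or use `%i` with the constant as the argument on WordPress ≥ 6.2. The `cleanFromOld()` change above is the right shape (`%d` for `SESSION__LIVE_TIME`, table concatenated), whereas the two `Surface` hunks above still bind the table name through `%s`.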
--- a/lib/CleantalkSP/Updater/UpdaterScripts.php +++ b/lib/CleantalkSP/Updater/UpdaterScripts.php @@ -181,16 +181,17 @@ public static function updateTo_2_22_0() //phpcs:ignore PSR1.Methods.CamelCapsMe // Set source_type = null for custom files $wpdb->query( - "UPDATE `" . SPBC_TBL_SCAN_FILES . "` SET source_type = NULL - WHERE source_type = 'CORE' && real_full_hash IS NULL;" + $wpdb->prepare( + "UPDATE `" . SPBC_TBL_SCAN_FILES . "` SET source_type = NULL WHERE source_type = 'CORE' && real_full_hash IS NULL;" + ) ); // Set source = wordpress and version for core files $wpdb->query( - "UPDATE `" . SPBC_TBL_SCAN_FILES . "` - SET source = 'wordpress', - version = '$wp_version' - WHERE source_type = 'CORE' && real_full_hash IS NOT NULL;" + $wpdb->prepare( + "UPDATE " . SPBC_TBL_SCAN_FILES . " SET source = 'wordpress', version = %s WHERE source_type = 'CORE' && real_full_hash IS NOT NULL;", + $wp_version + ) ); // Updating version and source of plugins @@ -200,10 +201,12 @@ public static function updateTo_2_22_0() //phpcs:ignore PSR1.Methods.CamelCapsMe foreach ( $spbc->plugins as $name => $version ) { $wpdb->query( - "UPDATE `" . SPBC_TBL_SCAN_FILES . "` - SET source = '$name', - version = '$version' - WHERE path LIKE '%$name%' && real_full_hash IS NOT NULL;" + $wpdb->prepare( + "UPDATE " . SPBC_TBL_SCAN_FILES . " SET source = %s, version = %s WHERE path LIKE %s && real_full_hash IS NOT NULL;", + $name, + $version, + '%' . $name . '%' + ) ); } 
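Review bot: The `path LIKE %s` argument `'%' . $name . '%'` is not passed through `$wpdb->esc_like()`, so a plugin slug containing `_` (e.g. `my_plugin/my_plugin.php`) acts as a single-character wildcard and can stamp unrelated files with that plugin's `source` and `version`. Use `'%' . $wpdb->esc_like($name) . '%'`; the value still goes through `%s`, which handles the quoting. The first `prepare()` in this hunk wraps a query with no placeholder and will only log `_doing_it_wrong`; that constant statement can be issued without `prepare()`.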
@@ -214,18 +217,16 @@ public static function updateTo_2_22_0() //phpcs:ignore PSR1.Methods.CamelCapsMe foreach ( $spbc->themes as $name => $version ) { $wpdb->query( - "UPDATE `" . SPBC_TBL_SCAN_FILES . "` - SET source_type = 'THEME', - source = '$name', - version = '$version' - WHERE path LIKE '%$name%' && real_full_hash IS NOT NULL;" + $wpdb->prepare( + "UPDATE `" . SPBC_TBL_SCAN_FILES . "` + SET source_type = 'THEME', source = %s, version = %s WHERE path LIKE %s && real_full_hash IS NOT NULL;", + $name, + $version, + '%' . $name . '%' + ) ); } - $wpdb->query( - "UPDATE `" . SPBC_TBL_SCAN_FILES . "` - SET checked = 'YES_HEURISTIC' - WHERE checked = 'YES' AND real_full_hash <> full_hash;" - ); + $wpdb->query($wpdb->prepare("UPDATE " . SPBC_TBL_SCAN_FILES . " SET checked = 'YES_HEURISTIC' WHERE checked = 'YES' AND real_full_hash <> full_hash;")); // Cron fix $spbc->data['cron']['running'] = false; @@ -238,12 +239,7 @@ public static function updateTo_2_24_0() //phpcs:ignore PSR1.Methods.CamelCapsMe { global $wpdb; - $wpdb->query( - "UPDATE `" . SPBC_TBL_SCAN_FILES . "` - SET weak_spots = NULL, - checked = 'NO' - WHERE weak_spots IS NOT NULL;" - ); + $wpdb->query($wpdb->prepare("UPDATE " . SPBC_TBL_SCAN_FILES . " SET weak_spots = NULL, checked = 'NO' WHERE weak_spots IS NOT NULL;")); } public static function updateTo_2_25_0() //phpcs:ignore PSR1.Methods.CamelCapsMethodName.NotCamelCaps 
@@ -1248,13 +1244,13 @@ public static function updateTo_2_126_0() //phpcs:ignore PSR1.Methods.CamelCapsM // Deleting data from each blog foreach ( $blogs as $blog ) { switch_to_blog($blog); - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips'); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips')); } switch_to_blog($initial_blog); } else { - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips'); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips')); } - $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_firewall_data'); + $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_firewall_data')); } public static function updateTo_2_126_1() //phpcs:ignore PSR1.Methods.CamelCapsMethodName.NotCamelCaps 
@@ -1307,22 +1303,22 @@ public static function migrateDbData_2_128_1() //phpcs:ignore PSR1.Methods.Camel foreach ( $blogs as $blog ) { switch_to_blog($blog); $table_name = $wpdb->prefix . 'spbc_scan_results'; - $exist = $wpdb->query("SHOW TABLES LIKE '" . $table_name . "';"); + $exist = $wpdb->query($wpdb->prepare("SHOW TABLES LIKE %s", $table_name)); if (!empty($exist)) { - $field_exist = $wpdb->query("SHOW COLUMNS FROM " . $table_name . " LIKE 'analysis_status';"); + $field_exist = $wpdb->query($wpdb->prepare("SHOW COLUMNS FROM " . $table_name . " LIKE 'analysis_status';")); if (!empty($field_exist)) { - $wpdb->query(sprintf($sql, $table_name)); + $wpdb->query($wpdb->prepare($sql, $table_name)); } } } switch_to_blog($initial_blog); } else { $table_name = $wpdb->prefix . 'spbc_scan_results'; - $exist = $wpdb->query("SHOW TABLES LIKE '" . $table_name . "';"); + $exist = $wpdb->query($wpdb->prepare("SHOW TABLES LIKE %s", $table_name)); if (!empty($exist)) { - $field_exist = $wpdb->query("SHOW COLUMNS FROM " . $table_name . " LIKE 'analysis_status';"); + $field_exist = $wpdb->query($wpdb->prepare("SHOW COLUMNS FROM " . $table_name . " LIKE 'analysis_status';")); if (!empty($field_exist)) { - $wpdb->query(sprintf($sql, $table_name)); + $wpdb->query($wpdb->prepare($sql, $table_name)); } } } diff --git a/security-malware-firewall.php b/security-malware-firewall.php index 9ed78511a..6a72b393f 100644 --- a/security-malware-firewall.php +++ b/security-malware-firewall.php @@ -762,7 +762,7 @@ function spbc_security_firewall_drop() { global $wpdb; - $result = $wpdb->query('DELETE FROM `' . SPBC_TBL_FIREWALL_DATA . '`;'); + $result = $wpdb->query($wpdb->prepare('DELETE FROM ' . SPBC_TBL_FIREWALL_DATA . ';')); if ( $result !== false ) { return true; 
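Review bot: Swapping `sprintf($sql, $table_name)` for `$wpdb->prepare($sql, $table_name)` changes the result: `prepare()` quotes the `%s` argument, so the migration statement now names `'wp_spbc_scan_results'` as a string literal and fails on every blog, silently skipping the migration (`$sql` is defined above the hunk, so I am assuming it carries a `%s` for the table). Keep `sprintf()` for the identifier — the name derives from `$wpdb->prefix`, not from input — or use `%i` if WordPress ≥ 6.2 can be required. The `SHOW TABLES LIKE %s` change is correct, though `$table_name` should go through `$wpdb->esc_like()` so the `_` in the prefix is not a wildcard; the `SHOW COLUMNS …` calls wrap constant strings in `prepare()` with no placeholder and only trigger `_doing_it_wrong`.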
@@ -1020,25 +1020,14 @@ function spbc_send_logs($api_key = null) foreach ($data as $item) { $updated_ids[] = $item['log_id']; } - if ( SPBC_WPMS ) { - $wpdb->query( - "UPDATE " . SPBC_TBL_SECURITY_LOG - . " SET sent = 1 - WHERE id IN (" - . implode(',', $updated_ids) . - ")" - . ( $spbc->ms__work_mode == 2 ? '' : ' AND blog_id = ' . get_current_blog_id() ) - . ";" - ); - } else { - $wpdb->query( - "UPDATE " . SPBC_TBL_SECURITY_LOG - . " SET sent = 1 - WHERE id IN (" - . implode(',', $updated_ids) . - ");" - ); + + $query = "UPDATE " . SPBC_TBL_SECURITY_LOG . " SET sent = 1 WHERE id IN (%s)"; + if (SPBC_WPMS && $spbc->ms__work_mode == 2) { + $query .= ' AND blog_id = ' . get_current_blog_id() . ";"; } + + $wpdb->query($wpdb->prepare($query, implode(',', $updated_ids))); + $result = $rows_count; } else { $result = array( @@ -1792,12 +1781,8 @@ function spbc_scanner_resend_pscan_files($do_rescan = true) foreach ( $unqueued_files_list as $file ) { //fix for files sent to manual analysis if ( !empty($file['status']) && $file['status'] === 'APPROVED_BY_CT') { - $update_sql = - 'UPDATE ' . SPBC_TBL_SCAN_FILES - . ' SET ' - . 'pscan_pending_queue = 0 ' - . 'WHERE fast_hash = "' . $file['fast_hash'] . '"'; - $wpdb->query($update_sql); + $query = 'UPDATE ' . SPBC_TBL_SCAN_FILES . ' SET pscan_pending_queue = 0 WHERE fast_hash = "%s"'; + $wpdb->query($wpdb->prepare($query, $file['fast_hash'])); continue; } spbc_scanner_file_send(true, $file['fast_hash'], $do_rescan); From 4a2795a1357a35890c715db2e5656b852066ef88 Mon Sep 17 00:00:00 2001 From: AntonV1211 Date: Mon, 21 Oct 2024 22:08:35 +0700 Subject: [PATCH 6/6] Fix. Code. 'Prepare' for get_results --- inc/spbc-backups.php | 23 ++++++++++++----------- inc/spbc-scanner.php | 4 ++-- inc/spbc-settings.php | 30 +++++++++++++----------------- psalm.xml | 1 + security-malware-firewall.php | 14 ++++++-------- 5 files changed, 34 insertions(+), 38 deletions(-) 
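Review bot: Binding `implode(',', $updated_ids)` to a single `%s` produces `WHERE id IN ('1,2,3')` — prepare() quotes the whole list as one string, MySQL coerces it to the leading number, and only the first log row is marked `sent = 1`, so the remaining rows are re-sent on every run. The multisite condition is also inverted relative to the removed code: the old branch omitted the `blog_id` filter when `$spbc->ms__work_mode == 2` and added it otherwise, while the new `if (SPBC_WPMS && $spbc->ms__work_mode == 2)` adds the filter only in mode 2. Each id needs its own `%d` placeholder, and `get_current_blog_id()` can be bound the same way; an empty `$updated_ids` still yields invalid `IN ()` SQL as before and should be guarded by the caller. The rest of spbc_send_logs() is outside the hunk.
```php
$placeholders = implode(',', array_fill(0, count($updated_ids), '%d'));
$query = "UPDATE " . SPBC_TBL_SECURITY_LOG . " SET sent = 1 WHERE id IN ($placeholders)";
$args = $updated_ids;
if (SPBC_WPMS && $spbc->ms__work_mode != 2) {
    // mode 2 spans all blogs; every other mode is scoped to the current blog, as before
    $query .= ' AND blog_id = %d';
    $args[] = get_current_blog_id();
}
$wpdb->query($wpdb->prepare($query, ...$args));
// … unchanged: $result = $rows_count …
```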
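Review bot: The placeholder in `WHERE fast_hash = "%s"` is wrapped in double quotes, but `wpdb::prepare()` already surrounds a `%s` value with single quotes, so the executed SQL becomes `fast_hash = "'abc…'"` — a string literal that includes the quote characters — and the `pscan_pending_queue = 0` update never matches a row. Drop the surrounding quotes: `$query = 'UPDATE ' . SPBC_TBL_SCAN_FILES . ' SET pscan_pending_queue = 0 WHERE fast_hash = %s';`. The enclosing loop in spbc_scanner_resend_pscan_files() starts outside the hunk.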
diff --git a/inc/spbc-backups.php b/inc/spbc-backups.php index 58704e624..6fcea05be 100644 --- a/inc/spbc-backups.php +++ b/inc/spbc-backups.php @@ -7,16 +7,16 @@ function spbc_backup__rotate($type = 'signatures', $out = array('success' => tru global $wpdb; $result = $wpdb->get_row('SELECT COUNT(*) as cnt FROM ' . SPBC_TBL_BACKUPS . ' WHERE type = ' . Helper::prepareParamForSQLQuery(strtoupper($type)), OBJECT); if ($result->cnt > 10) { - $result = $wpdb->get_results( - 'SELECT backup_id' - . ' FROM ' . SPBC_TBL_BACKUPS - . ' WHERE datetime < (' - . 'SELECT datetime' - . ' FROM ' . SPBC_TBL_BACKUPS - . ' WHERE type = ' . Helper::prepareParamForSQLQuery(strtoupper($type)) - . ' ORDER BY datetime DESC' - . ' LIMIT 9,1)' - ); + $sql = 'SELECT backup_id' + . ' FROM ' . SPBC_TBL_BACKUPS + . ' WHERE datetime < (' + . 'SELECT datetime' + . ' FROM ' . SPBC_TBL_BACKUPS + . ' WHERE type = %s' + . ' ORDER BY datetime DESC' + . ' LIMIT 9,1)'; + + $result = $wpdb->get_results($wpdb->prepare($sql, Helper::prepareParamForSQLQuery(strtoupper($type)))); if ($result && count($result)) { foreach ($result as $backup) { $result = spbc_backup__delete(true, $backup->backup_id); @@ -102,8 +102,9 @@ function spbc_backup__files_with_signatures($direct_call = false) $signtures_in_file = implode(',', $signtures_in_file); } + $sql = 'SELECT * FROM %s WHERE id IN (%s) AND cci IS NOT NULL'; $signatures_with_cci = ! empty($signtures_in_file) - ? $wpdb->get_results('SELECT * FROM ' . SPBC_TBL_SCAN_SIGNATURES . ' WHERE id IN (' . $signtures_in_file . ') AND cci IS NOT NULL') + ? $wpdb->get_results($wpdb->prepare($sql, SPBC_TBL_SCAN_SIGNATURES, $signtures_in_file)) : null; // Backup only files which will be cured diff --git a/inc/spbc-scanner.php b/inc/spbc-scanner.php index 8b8663050..63b6b4a86 100644 --- a/inc/spbc-scanner.php +++ b/inc/spbc-scanner.php 
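Review bot: The value bound to `%s` in spbc_backup__rotate() is still passed through `Helper::prepareParamForSQLQuery()`, which the old concatenation (`WHERE type = ' . Helper::prepareParamForSQLQuery(...)`, with no quotes in the SQL) suggests returns an already-quoted/escaped literal; prepare() then quotes and escapes it a second time, so the subquery compares `type` against a value with embedded quote characters and the rotation never finds anything to delete. Bind the raw value instead: `$result = $wpdb->get_results($wpdb->prepare($sql, strtoupper($type)));`. The unchanged `COUNT(*)` query above it keeps the helper-concatenation style, so the two lines should be made consistent once the helper's contract is confirmed.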
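Review bot: `'SELECT * FROM %s WHERE id IN (%s) AND cci IS NOT NULL'` is broken on both placeholders: prepare() turns the table constant into a quoted string (`FROM 'wp_…'` is a syntax error) and the imploded id list into a single literal (`IN ('1,2,3')`), so `$signatures_with_cci` is always empty and the CCI-based backup path is skipped. The table name must stay concatenated (or use `%i` on WordPress 6.2+) and each id needs its own placeholder; if the pre-implode array is still in scope above the hunk, build the placeholders from it directly instead of re-splitting the string. I assume signature ids are integers (`%d`); use `%s` if they are not.
```php
$id_list = array_map('intval', explode(',', (string) $signtures_in_file));
$placeholders = implode(',', array_fill(0, count($id_list), '%d'));
$sql = 'SELECT * FROM ' . SPBC_TBL_SCAN_SIGNATURES . ' WHERE id IN (' . $placeholders . ') AND cci IS NOT NULL';
$signatures_with_cci = ! empty($signtures_in_file)
    ? $wpdb->get_results($wpdb->prepare($sql, ...$id_list))
    : null;
```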
@@ -1278,9 +1278,9 @@ function spbc_scanner_get_files_by_category($category) $ids = array(); - $query = 'SELECT fast_hash from ' . SPBC_TBL_SCAN_FILES . spbc_get_sql_where_addiction_for_table_of_category($category); + $query = 'SELECT fast_hash from %s $s'; - $res = $wpdb->get_results($query); + $res = $wpdb->get_results($wpdb->prepare($query, SPBC_TBL_SCAN_FILES, spbc_get_sql_where_addiction_for_table_of_category($category))); foreach ($res as $tmp) { $ids[] = $tmp->fast_hash; diff --git a/inc/spbc-settings.php b/inc/spbc-settings.php index 6d8c8600b..ea2538a52 100644 --- a/inc/spbc-settings.php +++ b/inc/spbc-settings.php @@ -3005,12 +3005,11 @@ function spbc_field_scanner__prepare_data__frontend(&$table) function spbc_field_scanner__get_data__frontend_malware($offset = 1, $limit = 20, $order_direction = "DESC", $order = "page_id") { global $wpdb; - return $wpdb->get_results( - 'SELECT * FROM ' . SPBC_TBL_SCAN_FRONTEND . ' + $sql = 'SELECT * FROM ' . SPBC_TBL_SCAN_FRONTEND . ' WHERE approved IS NULL OR approved <> 1 - ORDER BY ' . $order . ' ' . $order_direction . ' - LIMIT ' . $offset . ',' . $limit . ';' - ); + ORDER BY %s %s + LIMIT %s, %s;'; + return $wpdb->get_results($wpdb->prepare($sql, $order, $order_direction, $offset, $limit)); } /** @@ -3022,12 +3021,11 @@ function spbc_field_scanner__get_data__frontend_malware($offset = 1, $limit = 20 function spbc_field_scanner__get_data__frontend_approved($offset = 0, $limit = 20) { global $wpdb; - return $wpdb->get_results( - 'SELECT * FROM ' . SPBC_TBL_SCAN_FRONTEND . ' + $sql = 'SELECT * FROM ' . SPBC_TBL_SCAN_FRONTEND . ' WHERE approved = 1 ORDER BY page_id DESC - LIMIT ' . $offset . ',' . $limit . ';' - ); + LIMIT %d, %d;'; + return $wpdb->get_results($wpdb->prepare($sql, $offset, $limit)); } /** 
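Review bot: `'SELECT fast_hash from %s $s'` cannot work: `$s` is a typo for `%s` inside a single-quoted string (so it is literal text), prepare() is given two arguments for one placeholder and will flag the count mismatch, the `%s` quotes the table constant into an invalid identifier, and the value returned by `spbc_get_sql_where_addiction_for_table_of_category()` is a SQL `WHERE` fragment that can never be bound as a string. The result is that spbc_scanner_get_files_by_category() returns no ids for any category. Restore the concatenation for the identifier and the clause, `$query = 'SELECT fast_hash from ' . SPBC_TBL_SCAN_FILES . spbc_get_sql_where_addiction_for_table_of_category($category);` / `$res = $wpdb->get_results($query);`, and move parameterization into the helper (e.g. have it return the clause plus its bound values) if its inputs are not a fixed set of constants.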
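Review bot: In spbc_field_scanner__get_data__frontend_malware() the `ORDER BY %s %s LIMIT %s, %s` placeholders all become quoted strings, giving `ORDER BY 'page_id' 'DESC' LIMIT '1', '20'` — a syntax error, so the malware list is empty. `ORDER BY` column and direction cannot be bound parameters at all; validate `$order_direction` against ASC/DESC and `$order` against the table's real column names (a character-class check is the minimum shown below because the columns are not visible here), and use `%d` for the LIMIT values as the sibling spbc_field_scanner__get_data__frontend_approved() already does.
```php
$order_direction = strtoupper((string) $order_direction) === 'ASC' ? 'ASC' : 'DESC';
if (! preg_match('/^[A-Za-z0-9_]+$/', (string) $order)) {
    $order = 'page_id'; // fall back to the default sort column on anything that is not a plain identifier
}
$sql = 'SELECT * FROM ' . SPBC_TBL_SCAN_FRONTEND . '
    WHERE approved IS NULL OR approved <> 1
    ORDER BY `' . $order . '` ' . $order_direction . '
    LIMIT %d, %d;';
return $wpdb->get_results($wpdb->prepare($sql, (int) $offset, (int) $limit));
```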
@@ -4345,14 +4343,12 @@ function spbc_list_table__get_args_by_type($table_type) function spbc_field_backups__get_data($offset = 0, $limit = 20) { global $wpdb; - - return $wpdb->get_results( - 'SELECT ' . SPBC_TBL_BACKUPS . '.backup_id, ' . SPBC_TBL_BACKUPS . '.datetime, ' . SPBC_TBL_BACKUPS . '.type, ' . SPBC_TBL_BACKUPED_FILES . '.real_path - FROM ' . SPBC_TBL_BACKUPS . ' - RIGHT JOIN ' . SPBC_TBL_BACKUPED_FILES . ' ON ' . SPBC_TBL_BACKUPS . '.backup_id = ' . SPBC_TBL_BACKUPED_FILES . '.backup_id - ORDER BY DATETIME DESC - LIMIT ' . $offset . ',' . $limit . ';' - ); + $sql = 'SELECT ' . SPBC_TBL_BACKUPS . '.backup_id, ' . SPBC_TBL_BACKUPS . '.datetime, ' . SPBC_TBL_BACKUPS . '.type, ' . SPBC_TBL_BACKUPED_FILES . '.real_path + FROM ' . SPBC_TBL_BACKUPS . ' + RIGHT JOIN ' . SPBC_TBL_BACKUPED_FILES . ' ON ' . SPBC_TBL_BACKUPS . '.backup_id = ' . SPBC_TBL_BACKUPED_FILES . '.backup_id + ORDER BY DATETIME DESC + LIMIT %d, %d;'; + return $wpdb->get_results($wpdb->prepare($sql, $offset, $limit)); } function spbc_field_backups() diff --git a/psalm.xml b/psalm.xml index f81e5d3af..1d608f7d5 100644 --- a/psalm.xml +++ b/psalm.xml @@ -32,6 +32,7 @@ query + get_results diff --git a/security-malware-firewall.php b/security-malware-firewall.php index e10f3ae49..950e686c9 100644 --- a/security-malware-firewall.php +++ b/security-malware-firewall.php 
@@ -977,14 +977,12 @@ function spbc_send_logs($api_key = null) ? (" WHERE blog_id = " . get_current_blog_id() . ' AND ') : " WHERE "; - $rows = $wpdb->get_results( - "SELECT id, datetime, timestamp_gmt, user_login, page, page_time, event, auth_ip, role, user_agent, browser_sign - FROM " . SPBC_TBL_SECURITY_LOG - . $wpms_snippet - . " sent <> 1" - . " ORDER BY datetime DESC" - . " LIMIT " . SPBC_SELECT_LIMIT . ";" - ); + $sql = "SELECT id, datetime, timestamp_gmt, user_login, page, page_time, event, auth_ip, role, user_agent, browser_sign + FROM " . SPBC_TBL_SECURITY_LOG + . " %s sent <> 1" + . " ORDER BY datetime DESC" + . " LIMIT %d;"; + $rows = $wpdb->get_results($wpdb->prepare($sql, $wpms_snippet, SPBC_SELECT_LIMIT)); $rows_count = count($rows);