Fix. Code. Removed psalm warnings.

composer.json

@@ -17,7 +17,8 @@
         "phpunit/phpunit": "^7.5",
         "squizlabs/php_codesniffer": "3.*",
         "phpcompatibility/php-compatibility": "@dev",
-        "yoast/phpunit-polyfills": "^1.0"
+        "yoast/phpunit-polyfills": "^1.0",
+        "glomberg/wpdb-unsafe-methods": "^1.0"
     },
     "scripts": {
         "test": [

inc/spbc-backups.php

@@ -7,16 +7,16 @@ function spbc_backup__rotate($type = 'signatures', $out = array('success' => tru
     global $wpdb;
     $result = $wpdb->get_row('SELECT COUNT(*) as cnt FROM ' . SPBC_TBL_BACKUPS . ' WHERE type = ' . Helper::prepareParamForSQLQuery(strtoupper($type)), OBJECT);
     if ($result->cnt > 10) {
-        $result = $wpdb->get_results(
-            'SELECT backup_id'
-            . ' FROM ' . SPBC_TBL_BACKUPS
-            . ' WHERE datetime < ('
-            . 'SELECT datetime'
-            . ' FROM ' . SPBC_TBL_BACKUPS
-            . ' WHERE type = ' . Helper::prepareParamForSQLQuery(strtoupper($type))
-            . ' ORDER BY datetime DESC'
-            . ' LIMIT 9,1)'
-        );
+        $sql = 'SELECT backup_id'
+        . ' FROM ' . SPBC_TBL_BACKUPS
+        . ' WHERE datetime < ('
+        . 'SELECT datetime'
+        . ' FROM ' . SPBC_TBL_BACKUPS
+        . ' WHERE type = %s'
+        . ' ORDER BY datetime DESC'
+        . ' LIMIT 9,1)';
+
+        $result = $wpdb->get_results($wpdb->prepare($sql, Helper::prepareParamForSQLQuery(strtoupper($type))));
         if ($result && count($result)) {
             foreach ($result as $backup) {
                 $result = spbc_backup__delete(true, $backup->backup_id);
@@ -90,9 +90,7 @@ function spbc_backup__files_with_signatures($direct_call = false)
     $files_to_backup = $wpdb->get_results('SELECT path, weak_spots FROM ' . SPBC_TBL_SCAN_FILES . ' WHERE weak_spots LIKE "%\"SIGNATURES\":%";', ARRAY_A);
 
     if (is_array($files_to_backup) && count($files_to_backup)) {
-        $sql_query = 'INSERT INTO ' . SPBC_TBL_BACKUPED_FILES . ' (backup_id, real_path, back_path) VALUES';
         $sql_data  = array();
-
         foreach ($files_to_backup as $file) {
             $weak_spots = json_decode($file['weak_spots'], true);
 
@@ -104,8 +102,9 @@ function spbc_backup__files_with_signatures($direct_call = false)
                 $signtures_in_file = implode(',', $signtures_in_file);
             }
 
+            $sql = 'SELECT * FROM %s WHERE id IN (%s) AND cci IS NOT NULL';
             $signatures_with_cci = ! empty($signtures_in_file)
-                ? $wpdb->get_results('SELECT * FROM ' . SPBC_TBL_SCAN_SIGNATURES . ' WHERE id IN (' . $signtures_in_file . ') AND cci IS NOT NULL')
+                ? $wpdb->get_results($wpdb->prepare($sql, SPBC_TBL_SCAN_SIGNATURES, $signtures_in_file))
                 : null;
 
             // Backup only files which will be cured
@@ -146,7 +145,7 @@ function spbc_backup__files_with_signatures($direct_call = false)
 
         // Writing backuped files to DB
         if ( ! empty($sql_data) && ! isset($output['error'])) {
-            if ($wpdb->query($sql_query . implode(',', $sql_data) . ';') !== false) {
+            if ($wpdb->query($wpdb->prepare('INSERT INTO %s (backup_id, real_path, back_path) VALUES %s;', SPBC_TBL_BACKUPED_FILES, implode(',', $sql_data))) !== false) {
                 // Updating current backup status
                 if ($wpdb->update(SPBC_TBL_BACKUPS, array('status' => 'BACKUPED'), array('backup_id' => $backup_id)) !== false) {
                     $result = spbc_backup__rotate('signatures');

inc/spbc-scanner.php

@@ -358,11 +358,12 @@ function spbc_scanner_file_send_handler($file_id = null, $do_rescan = true)
         if ($api_response['error'] === 'QUEUE_FULL') {
             //do something with not queued files
             $sql_result = $wpdb->query(
-                'UPDATE ' . SPBC_TBL_SCAN_FILES
-                . ' SET'
-                . ' last_sent = ' . current_time('timestamp') . ','
-                . ' pscan_pending_queue = 1'
-                . ' WHERE fast_hash = "' . $file_id . '"'
+                $wpdb->prepare(
+                    'UPDATE %s SET' . ' last_sent = %d,' . ' pscan_pending_queue = 1' . ' WHERE fast_hash = %s',
+                    SPBC_TBL_SCAN_FILES,
+                    current_time('timestamp'),
+                    $file_id
+                )
             );
 
             if ($sql_result === false) {
@@ -390,13 +391,14 @@ function spbc_scanner_file_send_handler($file_id = null, $do_rescan = true)
 
     // Updating "last_sent"
     $sql_result = $wpdb->query(
-        'UPDATE ' . SPBC_TBL_SCAN_FILES
-        . ' SET'
-        . ' last_sent = ' . current_time('timestamp') . ','
-        . ' pscan_processing_status = "NEW",'
-        . ' pscan_pending_queue = 0,'
-        . ' pscan_file_id = "' . $api_response["file_id"] . '"'
-        . ' WHERE fast_hash = "' . $file_id . '"'
+        $wpdb->prepare(
+            'UPDATE %s SET last_sent = %d, pscan_processing_status = "NEW", pscan_pending_queue = 0,'
+            . ' pscan_file_id = %s' . ' WHERE fast_hash = %s',
+            SPBC_TBL_SCAN_FILES,
+            current_time('timestamp'),
+            $api_response['file_id'],
+            $file_id
+        )
     );
 
     if ($sql_result === false) {
@@ -584,7 +586,7 @@ function spbc_scanner_file_delete($direct_call = false, $file_id = null)
                                 $output['error'] .= $result === false ? ' REVERT_FAILED' : ' REVERT_OK';
                             } else {
                                 // Deleting row from DB
-                                if ($wpdb->query('DELETE FROM ' . SPBC_TBL_SCAN_FILES . ' WHERE fast_hash = "' . $file_id . '"') !== false) {
+                                if ($wpdb->query($wpdb->prepare('DELETE FROM %s WHERE fast_hash = %s', SPBC_TBL_SCAN_FILES, $file_id)) !== false) {
                                     $output = array('success' => true);
                                 } else {
                                     $output = array('error' => 'DB_COULDNT_DELETE_ROW');
@@ -835,12 +837,14 @@ function spbc_scanner_pscan_check_analysis_status($direct_call = false, $file_id
             * If file process is not finished, update data
             */
             $update_result = $wpdb->query(
-                'UPDATE ' . SPBC_TBL_SCAN_FILES
-                . ' SET '
-                . ' pscan_pending_queue = 0, '
-                . ' pscan_processing_status  = "' . $api_response['processing_status'] . '",'
-                . ' pscan_estimated_execution_time  = "' . $api_response['estimated_execution_time'] . '"'
-                . ' WHERE pscan_file_id = "' . $file_info['pscan_file_id'] . '"'
+                $wpdb->prepare(
+                    'UPDATE %s SET pscan_pending_queue = 0, pscan_processing_status = %s,'
+                    . ' pscan_estimated_execution_time = %s WHERE pscan_file_id = %s',
+                    SPBC_TBL_SCAN_FILES,
+                    $api_response['processing_status'],
+                    $api_response['estimated_execution_time'],
+                    $file_info['pscan_file_id']
+                )
             );
         } else {
             if ( $api_response['file_status'] === 'SAFE' ) {
@@ -1274,9 +1278,9 @@ function spbc_scanner_get_files_by_category($category)
 
     $ids = array();
 
-    $query = 'SELECT fast_hash from ' . SPBC_TBL_SCAN_FILES . spbc_get_sql_where_addiction_for_table_of_category($category);
+    $query = 'SELECT fast_hash from %s $s';
 
-    $res = $wpdb->get_results($query);
+    $res = $wpdb->get_results($wpdb->prepare($query, SPBC_TBL_SCAN_FILES, spbc_get_sql_where_addiction_for_table_of_category($category)));
 
     foreach ($res as $tmp) {
         $ids[] = $tmp->fast_hash;
@@ -1723,8 +1727,11 @@ function spbc_scanner_file_replace($direct_call = false, $file_id = null, $_plat
                                 fclose($file_desc);
 
                                 $db_result = $wpdb->query(
-                                    'DELETE FROM ' . SPBC_TBL_SCAN_FILES
-                                    . ' WHERE fast_hash = "' . $file_id . '";'
+                                    $wpdb->prepare(
+                                        'DELETE FROM ' . SPBC_TBL_SCAN_FILES
+                                        . ' WHERE fast_hash = %s;',
+                                        $file_id
+                                    )
                                 );
 
                                 if ($db_result) {
@@ -2020,14 +2027,17 @@ function spbc_scanner_analysis_log_delete_from_log($direct_call = false)
         foreach ( $file_ids_clean as $id ) {
             $file_ids_string .= '"' . $id . '",';
         }
-        $query = "UPDATE " . SPBC_TBL_SCAN_FILES . " SET 
+        $query = $wpdb->prepare(
+            "UPDATE " . SPBC_TBL_SCAN_FILES . " SET 
             last_sent = null,
             pscan_status = null,
             pscan_processing_status = null,
             pscan_pending_queue = null,
             pscan_balls = null,
             pscan_file_id = null 
-            WHERE fast_hash IN (" . trim($file_ids_string, ',') . ")";
+            WHERE fast_hash IN (%s)",
+            trim($file_ids_string, ',')
+        );
         $updated_rows = $wpdb->query($query);
 
         if ( ! $updated_rows) {

inc/spbc-settings.php

@@ -3005,12 +3005,11 @@ function spbc_field_scanner__prepare_data__frontend(&$table)
 function spbc_field_scanner__get_data__frontend_malware($offset = 1, $limit = 20, $order_direction = "DESC", $order = "page_id")
 {
     global $wpdb;
-    return $wpdb->get_results(
-        'SELECT * FROM ' . SPBC_TBL_SCAN_FRONTEND . '
+    $sql = 'SELECT * FROM ' . SPBC_TBL_SCAN_FRONTEND . '
         WHERE approved IS NULL OR approved <> 1
-		ORDER BY ' . $order . ' ' . $order_direction . '
-		LIMIT ' . $offset . ',' . $limit . ';'
-    );
+		ORDER BY %s %s
+		LIMIT %s, %s;';
+    return $wpdb->get_results($wpdb->prepare($sql, $order, $order_direction, $offset, $limit));
 }
 
 /**
@@ -3022,12 +3021,11 @@ function spbc_field_scanner__get_data__frontend_malware($offset = 1, $limit = 20
 function spbc_field_scanner__get_data__frontend_approved($offset = 0, $limit = 20)
 {
     global $wpdb;
-    return $wpdb->get_results(
-        'SELECT * FROM ' . SPBC_TBL_SCAN_FRONTEND . '
+    $sql = 'SELECT * FROM ' . SPBC_TBL_SCAN_FRONTEND . '
         WHERE approved = 1
 		ORDER BY page_id DESC
-		LIMIT ' . $offset . ',' . $limit . ';'
-    );
+		LIMIT %d, %d;';
+    return $wpdb->get_results($wpdb->prepare($sql, $offset, $limit));
 }
 
 /**
@@ -4345,14 +4343,12 @@ function spbc_list_table__get_args_by_type($table_type)
 function spbc_field_backups__get_data($offset = 0, $limit = 20)
 {
     global $wpdb;
-
-    return $wpdb->get_results(
-        'SELECT ' . SPBC_TBL_BACKUPS . '.backup_id, ' . SPBC_TBL_BACKUPS . '.datetime, ' . SPBC_TBL_BACKUPS . '.type, ' . SPBC_TBL_BACKUPED_FILES . '.real_path
-		FROM ' . SPBC_TBL_BACKUPS . '
-		RIGHT JOIN ' . SPBC_TBL_BACKUPED_FILES . ' ON ' . SPBC_TBL_BACKUPS . '.backup_id = ' . SPBC_TBL_BACKUPED_FILES . '.backup_id
-		ORDER BY DATETIME DESC
-		LIMIT ' . $offset . ',' . $limit . ';'
-    );
+    $sql = 'SELECT ' . SPBC_TBL_BACKUPS . '.backup_id, ' . SPBC_TBL_BACKUPS . '.datetime, ' . SPBC_TBL_BACKUPS . '.type, ' . SPBC_TBL_BACKUPED_FILES . '.real_path
+    FROM ' . SPBC_TBL_BACKUPS . '
+    RIGHT JOIN ' . SPBC_TBL_BACKUPED_FILES . ' ON ' . SPBC_TBL_BACKUPS . '.backup_id = ' . SPBC_TBL_BACKUPED_FILES . '.backup_id
+    ORDER BY DATETIME DESC
+    LIMIT %d, %d;';
+    return $wpdb->get_results($wpdb->prepare($sql, $offset, $limit));
 }
 
 function spbc_field_backups()

lib/CleantalkSP/SpbctWP/Deactivator.php

@@ -263,19 +263,20 @@ private static function deleteFrontendMeta()
     public static function deleteBlogTables() //ok
     {
         global $wpdb;
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_auth_logs');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_monitoring_users');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips_v4');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips_v6');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_countries');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips_v4_temp');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_ips_v6_temp');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall__personal_countries_temp');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_firewall_logs');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_traffic_control_logs');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_traffic_control_logs');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_bfp_blocked');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->prefix . 'spbc_sessions');
+
+        $prefix = $wpdb->base_prefix;
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_auth_logs'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_monitoring_users'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_ips_v4'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_ips_v6'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_countries'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_ips_v4_temp'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_ips_v6_temp'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall__personal_countries_temp'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall_logs'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_traffic_control_logs'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_bfp_blocked'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_sessions'));
     }
 
     /**
@@ -285,18 +286,20 @@ public static function deleteBlogTables() //ok
     public static function deleteCommonTables() //ok
     {
         global $wpdb;
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_scan_results');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_firewall_data_v4');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_firewall_data_v6');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_firewall_data_v4_temp');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_firewall_data_v6_temp');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_scan_links_logs');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_scan_signatures');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_scan_frontend');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_backups');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_backuped_files');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_scan_results_log');
-        $wpdb->query('DROP TABLE IF EXISTS ' . $wpdb->base_prefix . 'spbc_cure_log');
+
+        $prefix = $wpdb->base_prefix;
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_scan_results'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall_data_v4'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall_data_v6'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall_data_v4_temp'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_firewall_data_v6_temp'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_scan_links_logs'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_scan_signatures'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_scan_frontend'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_backups'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_backuped_files'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_scan_results_log'));
+        $wpdb->query($wpdb->prepare('DROP TABLE IF EXISTS %s', $prefix . 'spbc_cure_log'));
     }
 
     /**
@@ -320,10 +323,10 @@ public static function deleteBlogOptions() //APBCT
         global $wpdb;
         // Deleting all data from wp_options
         $wpdb->query(
-            'DELETE FROM ' . $wpdb->options
-            . ' WHERE'
-            . ' option_name LIKE "spbc_%" AND'
-            . ' option_name <> "spbc_deactivation_in_process"'
+            $wpdb->prepare(
+                'DELETE FROM %s WHERE option_name LIKE "spbc_%" AND option_name <> "spbc_deactivation_in_process"',
+                $wpdb->options
+            )
         );
     }
 

lib/CleantalkSP/SpbctWP/Scanner/Frontend.php

@@ -390,7 +390,7 @@ public static function resetCheckResult()
         global $wpdb;
         $wpdb->query("DELETE FROM {$wpdb->postmeta} WHERE meta_key = '_spbc_frontend__last_checked' OR meta_key = 'spbc_frontend__last_checked';");
 
-        return $wpdb->query('DELETE FROM ' . SPBC_TBL_SCAN_FRONTEND . ';');
+        return $wpdb->query($wpdb->prepare('DELETE FROM %s;', SPBC_TBL_SCAN_FRONTEND));
     }
 
     /**

lib/CleantalkSP/SpbctWP/Scanner/Links.php

@@ -278,8 +278,9 @@ public function postMarkAsChecked()
     public static function resetCheckResult()
     {
         global $wpdb;
-        $wpdb->query("DELETE FROM {$wpdb->postmeta} WHERE meta_key = '_spbc_links_checked';");
 
-        return $wpdb->query('DELETE FROM ' . SPBC_TBL_SCAN_LINKS . ';');
+        $wpdb->query($wpdb->prepare("DELETE FROM %s WHERE meta_key = %s;", $wpdb->postmeta, '_spbc_links_checked'));
+
+        return $wpdb->query($wpdb->prepare('DELETE FROM %s;', SPBC_TBL_SCAN_LINKS));
     }
 }