From da8fd2c8fc5010d5e8a8750fab908453f86d88e7 Mon Sep 17 00:00:00 2001
From: Alex Kirk
Date: Sat, 22 Jun 2024 11:17:30 +0200
Subject: [PATCH 1/6] use filter_input
---
 .../class-feed-parser-activitypub.php | 41 ++++++++++---------
 includes/class-access-control.php | 2 +-
 includes/class-admin.php | 8 ++--
 3 files changed, 26 insertions(+), 25 deletions(-)
diff --git a/feed-parsers/class-feed-parser-activitypub.php b/feed-parsers/class-feed-parser-activitypub.php
index c579186a..40fefcb5 100644
--- a/feed-parsers/class-feed-parser-activitypub.php
+++ b/feed-parsers/class-feed-parser-activitypub.php
@@ -823,7 +823,11 @@ public function handle_received_activity( $activity, $user_id, $type ) {
 if ( is_wp_error( $user_feed ) || ! Friends::check_url( $actor_url ) ) {
 $meta = $this->get_metadata( $actor_url );
 if ( ! $meta || is_wp_error( $meta ) || ! isset( $meta['url'] ) ) {
- $error = is_wp_error( $meta ) ? $meta->get_error_message() . ' ' . print_r( $meta->get_error_data(), true ) : 'No URL found'; // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r
+ $error = 'No URL found';
+ if ( is_wp_error( $meta ) ) {
+ $error = $meta->get_error_message();
+ $error .= ' ' . print_r( $meta->get_error_data(), true ); // phpcs:ignore WordPress.PHP.DevelopmentFunctions.error_log_print_r
+ }
 $this->log( 'Received invalid meta for ' . $actor_url . ' ' . $error, $meta );
 return false;
 }
@@ -1447,20 +1451,16 @@ function () use ( $message, $error ) { public function cache_reply_to_boost() { $url = false; $append_to_redirect = ''; - // phpcs:disable WordPress.Security.NonceVerification.Recommended - if ( isset( $_GET['in_reply_to'] ) ) { - $url = sanitize_text_field( wp_unslash( $_GET['in_reply_to'] ) ); - if ( ! wp_parse_url( $url ) ) { - return; - } + + $in_reply_to = filter_input( INPUT_GET, 'in_reply_to', FILTER_SANITIZE_URL ); + $boost = filter_input( INPUT_GET, 'boost', FILTER_SANITIZE_URL ); + if ( $in_reply_to ) { + $url = $in_reply_to; $append_to_redirect .= '#comment'; - } elseif ( isset( $_GET['boost'] ) ) { - $url = sanitize_text_field( wp_unslash( $_GET['boost'] ) ); - if ( ! wp_parse_url( $url ) ) { - return; - } + } elseif ( $boost ) { + $url = $boost; } - // phpcs:enable WordPress.Security.NonceVerification.Recommended + if ( ! $url ) { return; } @@ -1572,13 +1572,14 @@ public function replace_with_links( array $result ) { } public function activitypub_save_settings( User $friend ) { - if ( isset( $_POST['_wpnonce'] ) && wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'edit-friend-feeds-' . $friend->user_login ) ) { + if ( ! isset( $_POST['_wpnonce'] ) || wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'edit-friend-feeds-' . $friend->user_login ) ) { + return; + } - if ( isset( $_POST['friends_show_replies'] ) && intval( $_POST['friends_show_replies'] ) ) { - $friend->update_user_option( 'activitypub_friends_show_replies', '1' ); - } else { - $friend->delete_user_option( 'activitypub_friends_show_replies' ); - } + if ( isset( $_POST['friends_show_replies'] ) && boolval( $_POST['friends_show_replies'] ) ) { + $friend->update_user_option( 'activitypub_friends_show_replies', '1' ); + } else { + $friend->delete_user_option( 'activitypub_friends_show_replies' ); } } 
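Review bot: The new `filter_input( INPUT_GET, 'in_reply_to', FILTER_SANITIZE_URL )` and `filter_input( INPUT_GET, 'boost', FILTER_SANITIZE_URL )` lines drop the `wp_parse_url()` rejection that the removed lines performed: FILTER_SANITIZE_URL only strips characters that are illegal in a URL, it does not check that what remains parses as one, so inputs the old code returned on now reach the code after `if ( ! $url )`. Since `$url` comes straight from the query string and is presumably fetched or stored later (the function body continues outside the hunk), validate it before use, e.g. `if ( ! $url || ! wp_parse_url( $url ) || ! Friends::check_url( $url ) ) { return; }`, mirroring the `Friends::check_url()` gate that `handle_received_activity` applies to actor URLs in the first hunk of this patch.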
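Review bot: The new guard in the `activitypub_save_settings` hunk inverts the nonce check: `if ( ! isset( $_POST['_wpnonce'] ) || wp_verify_nonce( ... ) ) { return; }` returns early when the nonce is valid and falls through to `update_user_option`/`delete_user_option` when a nonce is present but fails verification, the opposite of the removed condition, so the settings write is left without CSRF protection and never runs for legitimate submissions. The second operand needs a negation: `if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( $_POST['_wpnonce'] ), 'edit-friend-feeds-' . $friend->user_login ) ) {`. The `boolval( $_POST['friends_show_replies'] )` swap is behaviourally equivalent to the removed `intval`, but `filter_input( INPUT_POST, 'friends_show_replies', FILTER_VALIDATE_BOOL )` would match the style this same patch adopts in class-admin.php.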
@@ -2141,7 +2142,7 @@ public function activitypub_unannounce( $url, $user_id ) { * @return bool Whether the comment is approved. */ public function pre_comment_approved( $approved, $commentdata ) { - if ( ! $approved || ( is_string( $approved ) && 'activitypub' === $commentdata['comment_meta']['protocol'] ) ) { + if ( is_string( $approved ) && 'activitypub' === $commentdata['comment_meta']['protocol'] ) { // If the author is someone we already follow. $user_feed = User_Feed::get_by_url( $commentdata['comment_author_url'] ); if ( $user_feed instanceof User_Feed ) { diff --git a/includes/class-access-control.php b/includes/class-access-control.php index 6629a15b..2ad0ff79 100644 --- a/includes/class-access-control.php +++ b/includes/class-access-control.php @@ -86,7 +86,7 @@ public function get_authenticated_feed_user() { * @return bool The authentication status of the feed. */ public static function private_rss_is_authenticated() { - if ( isset( $_GET['auth'] ) && get_option( 'friends_private_rss_key' ) === $_GET['auth'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended + if ( filter_input( INPUT_GET, 'auth' ) === get_option( 'friends_private_rss_key' ) ) { return true; } diff --git a/includes/class-admin.php b/includes/class-admin.php index 31f581c2..dd3d3dbc 100644 --- a/includes/class-admin.php +++ b/includes/class-admin.php 
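Review bot: The rewritten condition on the new `pre_comment_approved` line still indexes `$commentdata['comment_meta']['protocol']` without checking that the key exists, so any comment without that meta entry raises an undefined-index notice; `'activitypub' === ( $commentdata['comment_meta']['protocol'] ?? '' )` keeps the comparison safe. Dropping `! $approved ||` also means a comment whose `$approved` is `0` (held for moderation) from an author we already follow no longer enters the followed-author branch below — if that narrowing is intended, the docblock above (`@return bool Whether the comment is approved.`) should state that the override applies only to string statuses. The function body continues outside the hunk.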
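Review bot: The secret comparison on the new `private_rss_is_authenticated` line, `filter_input( INPUT_GET, 'auth' ) === get_option( 'friends_private_rss_key' )`, is a plain string equality that stops at the first differing byte; for a credential check use `hash_equals()`, and guard the types first because `filter_input` returns `null`/`false` and `get_option` returns `false` when the key was never set. For example `$auth = filter_input( INPUT_GET, 'auth' ); $key = get_option( 'friends_private_rss_key' );` followed by `if ( is_string( $auth ) && is_string( $key ) && '' !== $key && hash_equals( $key, $auth ) ) {`. Patch 5/6 in this series touches the same line again only to re-add the phpcs ignore, so the fix belongs in this hunk.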
@@ -1328,11 +1328,11 @@ public function process_admin_edit_friend_feeds() { update_user_option( get_current_user_id(), 'friends_hide_from_friends_page', $hide_from_friends_page ); } - if ( $friend->set_retention_number_enabled( isset( $_POST['friends_enable_retention_number'] ) && intval( $_POST['friends_enable_retention_number'] ) ) && isset( $_POST['friends_retention_number'] ) ) { - $friend->set_retention_number( intval( $_POST['friends_retention_number'] ) ); + if ( $friend->set_retention_number_enabled( filter_input( INPUT_POST, 'friends_enable_retention_number', FILTER_VALIDATE_BOOL ) ) && isset( $_POST['friends_retention_number'] ) ) { + $friend->set_retention_number( filter_input( INPUT_POST, 'friends_retention_number', FILTER_SANITIZE_NUMBER_INT ) ); } - if ( $friend->set_retention_days_enabled( isset( $_POST['friends_enable_retention_days'] ) && intval( $_POST['friends_enable_retention_days'] ) ) && isset( $_POST['friends_retention_days'] ) ) { - $friend->set_retention_days( intval( $_POST['friends_retention_days'] ) ); + if ( $friend->set_retention_days_enabled( filter_input( INPUT_POST, 'friends_enable_retention_days', FILTER_VALIDATE_BOOL ) ) && isset( $_POST['friends_retention_days'] ) ) { + $friend->set_retention_days( filter_input( INPUT_POST, 'friends_retention_days', FILTER_SANITIZE_NUMBER_INT ) ); } $hide_from_friends_page = get_user_option( 'friends_hide_from_friends_page' ); From 3a13c4ced699eace70432e992f1716eb89b1a61e Mon Sep 17 00:00:00 2001 From: Alex Kirk Date: Sat, 22 Jun 2024 12:11:26 +0200 Subject: [PATCH 2/6] Remove some phpcs:disables by being more explicit and verbose --- includes/class-subscription.php | 141 +++++++++++++++++++++++--------- includes/class-user.php | 80 +++++++++++------- 2 files changed, 153 insertions(+), 68 deletions(-) diff --git a/includes/class-subscription.php b/includes/class-subscription.php index bc4e332f..e7e552d6 100644 --- a/includes/class-subscription.php +++ b/includes/class-subscription.php 
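Review bot: `filter_input( INPUT_POST, 'friends_retention_number', FILTER_SANITIZE_NUMBER_INT )` on the new line returns a string with non-numeric characters stripped, not an integer, so `set_retention_number()` now receives values like `'12'` or even `'1-2'` where the removed line passed `intval( ... )`; the same applies to `friends_retention_days` two lines below. `FILTER_VALIDATE_INT` returns an `int` or `false` and is the drop-in here, e.g. `$retention_number = filter_input( INPUT_POST, 'friends_retention_number', FILTER_VALIDATE_INT );` and `if ( false !== $retention_number && null !== $retention_number ) { $friend->set_retention_number( $retention_number ); }`. Note also that `filter_input` yields `null` when the field is absent, so `set_retention_number_enabled()` now gets `null` instead of `false` for an unchecked box — harmless if the setter casts, a TypeError if it is declared `bool` under strict types; `(bool) filter_input( ... )` removes the ambiguity. The enclosing function starts and ends outside the hunk.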
@@ -196,7 +196,8 @@ public function get_post_stats() { $post_types = apply_filters( 'friends_frontend_post_types', array() ); $post_stats = $wpdb->get_row( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery $wpdb->prepare( - 'SELECT SUM( + sprintf( + 'SELECT SUM( LENGTH( ID ) + LENGTH( post_author ) + LENGTH( post_date ) + @@ -222,7 +223,16 @@ public function get_post_stats() { LENGTH( comment_count ) ) AS total_size, COUNT(*) as post_count - FROM ' . $wpdb->posts . ' p, ' . $wpdb->term_taxonomy . ' t, ' . $wpdb->term_relationships . ' r WHERE r.object_id = p.ID AND r.term_taxonomy_id = t.term_taxonomy_id AND t.term_id = %d AND p.post_type IN ( ' . implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) . ' )', + FROM %s p, %s t, %s r + WHERE r.object_id = p.ID + AND r.term_taxonomy_id = t.term_taxonomy_id + AND t.term_id = %%d + AND p.post_type IN ( %s )', + $wpdb->posts, + $wpdb->term_taxonomy, + $wpdb->term_relationships, + implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) + ), array_merge( array( $this->get_term_id() ), $post_types ) ), ARRAY_A @@ -232,7 +242,19 @@ public function get_post_stats() { 'U', $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery $wpdb->prepare( - "SELECT MIN(post_date) FROM $wpdb->posts p, $wpdb->term_taxonomy t, $wpdb->term_relationships r WHERE r.object_id = p.ID AND r.term_taxonomy_id = t.term_taxonomy_id AND t.term_id = %d AND p.post_status = 'publish' AND p.post_type IN ( " . implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) . ' )', + sprintf( + 'SELECT MIN(post_date) + FROM %s p, %s t, %s r + WHERE r.object_id = p.ID + AND r.term_taxonomy_id = t.term_taxonomy_id + AND t.term_id = %%d + AND p.post_status = "publish" + AND p.post_type IN ( %s )', + $wpdb->posts, + $wpdb->term_taxonomy, + $wpdb->term_relationships, + implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) + ), array_merge( array( $this->get_term_id() ), $post_types ) ) ) 
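Review bot: The rewritten `MIN(post_date)` query in the second hunk changes the literal from `'publish'` to `"publish"`; MySQL treats a double-quoted token as a string only while `ANSI_QUOTES` is absent from `sql_mode` — with it set the token is parsed as an identifier and the query fails. Keep the single-quoted SQL literal by escaping it inside the PHP string, `AND p.post_status = \'publish\'`, or pass the status through prepare as `%%s` with an extra argument. The same double-quoted `"trash"`/`"publish"` literals appear in the new lines of `get_post_in_trash_count` in class-subscription.php and of `get_post_in_trash_count`/`get_post_stats` in class-user.php in this patch.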
@@ -244,18 +266,32 @@ public function get_post_stats() { public function get_all_post_ids() { global $wpdb; - $post_types_to_delete = implode( "', '", apply_filters( 'friends_frontend_post_types', array() ) ); + $post_types = apply_filters( 'friends_frontend_post_types', array() ); - $cache_key = 'get_all_post_ids_' . $this->ID . '_' . $post_types_to_delete; + $cache_key = 'get_all_post_ids_' . $this->ID . '_' . implode( '_', $post_types ); $post_ids = wp_cache_get( $cache_key, 'friends' ); if ( false !== $post_ids ) { return $post_ids; } - // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared - $post_ids = $wpdb->get_col( $wpdb->prepare( "SELECT p.ID FROM $wpdb->posts p, $wpdb->term_relationships r WHERE r.object_id = p.ID AND r.term_taxonomy_id = %d AND p.post_type IN ('$post_types_to_delete')", $this->get_term_id() ) ); - // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared + + $post_ids = $wpdb->get_col( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery + $wpdb->prepare( + sprintf( + 'SELECT p.ID + FROM %s p, %s r + WHERE r.object_id = p.ID + AND r.term_taxonomy_id = %%d + AND p.post_type IN ( %s )', + $wpdb->posts, + $wpdb->term_relationships, + implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) + ), + array_merge( + array( $this->get_term_id() ), + $post_types + ) + ) + ); wp_cache_set( $cache_key, $post_ids, 'friends', HOUR_IN_SECONDS - 60 ); @@ -291,8 +327,7 @@ public function get_post_count_by_post_format() { global $wpdb; $counts = array(); - // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery - $counts['standard'] = $wpdb->get_var( + $counts['standard'] = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery $wpdb->prepare( sprintf( "SELECT COUNT(DISTINCT posts.ID) 
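Review bot: The new `get_all_post_ids` query builds its `IN ( %s )` list from `array_fill( 0, count( $post_types ), '%s' )`, so when the `friends_frontend_post_types` filter returns an empty array the SQL becomes `IN (  )`, a syntax error, whereas the removed `implode( "', '", ... )` form produced `IN ('')`, which ran and matched nothing. Return early after the cache lookup and before the query, e.g. `if ( empty( $post_types ) ) { return array(); }`; the same regression is in `get_all_post_ids` in class-user.php in this patch. Whether the filter can in practice return an empty list is not visible here.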
@@ -306,13 +341,12 @@ public function get_post_count_by_post_format() { AND relationships_post_format.object_id = posts.ID AND relationships_author.object_id = posts.ID AND taxonomy_author.term_taxonomy_id = relationships_author.term_taxonomy_id - AND taxonomy_author.term_id = %s", + AND taxonomy_author.term_id = %%d", $wpdb->posts, $wpdb->term_relationships, $wpdb->term_taxonomy, $wpdb->term_relationships, - implode( ',', array_fill( 0, count( $post_types ), '%s' ) ), - '%d' + implode( ',', array_fill( 0, count( $post_types ), '%s' ) ) ), array_merge( $post_types, @@ -322,7 +356,7 @@ public function get_post_count_by_post_format() { ); if ( ! empty( $post_formats_term_ids ) ) { - $post_format_counts = $wpdb->get_results( + $post_format_counts = $wpdb->get_results( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery $wpdb->prepare( sprintf( "SELECT relationships_post_format.term_taxonomy_id AS post_format_id, COUNT(relationships_post_format.term_taxonomy_id) AS count @@ -337,15 +371,14 @@ public function get_post_count_by_post_format() { AND relationships_post_format.term_taxonomy_id IN ( %s ) AND relationships_author.object_id = posts.ID AND taxonomy_author.term_taxonomy_id = relationships_author.term_taxonomy_id - AND taxonomy_author.term_id = %s + AND taxonomy_author.term_id = %%d GROUP BY relationships_post_format.term_taxonomy_id", $wpdb->posts, $wpdb->term_relationships, $wpdb->term_taxonomy, $wpdb->term_relationships, implode( ',', array_fill( 0, count( $post_types ), '%s' ) ), - implode( ',', array_fill( 0, count( $post_formats_term_ids ), '%d' ) ), - '%d' + implode( ',', array_fill( 0, count( $post_formats_term_ids ), '%d' ) ) ), array_merge( $post_types, @@ -354,7 +387,7 @@ public function get_post_count_by_post_format() { ) ) ); - // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery + foreach ( $post_format_counts as $row ) { $counts[ $post_formats_term_ids[ $row->post_format_id ] ] = $row->count; $counts['standard'] -= $row->count; 
@@ -382,16 +415,25 @@ public function get_post_in_trash_count() { if ( false !== wp_cache_get( $cache_key, 'friends' ) ) { return wp_cache_get( $cache_key, 'friends' ); } - // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared - $count = $wpdb->get_var( + + $count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery $wpdb->prepare( - "SELECT COUNT(*) FROM $wpdb->posts p, $wpdb->term_taxonomy t, $wpdb->term_relationships r WHERE r.object_id = p.ID AND r.term_taxonomy_id = t.term_taxonomy_id AND t.term_id = %d AND post_type IN ( " . implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) . ' ) AND post_status = "trash"', + sprintf( + 'SELECT COUNT(*) + FROM %s p, %s t, %s r + WHERE r.object_id = p.ID + AND r.term_taxonomy_id = t.term_taxonomy_id + AND t.term_id = %%d + AND post_type IN ( %s ) + AND post_status = "trash"', + $wpdb->posts, + $wpdb->term_taxonomy, + $wpdb->term_relationships, + implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) + ), array_merge( array( $this->get_term_id() ), $post_types ) ) ); - // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared wp_cache_set( $cache_key, intval( $count ), 'friends', HOUR_IN_SECONDS - 60 ); return intval( $count ); 
@@ -484,12 +526,24 @@ public static function convert_from_user( User $user ) { global $wpdb; // Convert feeds. - - // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:disable WordPress.DB.DirectDatabaseQuery.NoCaching - $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->term_relationships JOIN $wpdb->term_taxonomy ON $wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id SET object_id = %d WHERE object_id = %d AND $wpdb->term_taxonomy.taxonomy = %s", $subscription->get_term_id(), $user->ID, User_Feed::TAXONOMY ) ); - // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:enable WordPress.DB.DirectDatabaseQuery.NoCaching + $wpdb->query( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching + $wpdb->prepare( + 'UPDATE %s + JOIN %s + ON %s.term_taxonomy_id = %s.term_taxonomy_id + SET object_id = %d + WHERE object_id = %d + AND %s.taxonomy = %s', + $wpdb->term_relationships, + $wpdb->term_taxonomy, + $wpdb->term_relationships, + $wpdb->term_taxonomy, + $subscription->get_term_id(), + $user->ID, + $wpdb->term_taxonomy, + User_Feed::TAXONOMY + ) + ); foreach ( self::MIGRATE_USER_OPTIONS as $option_name ) { $subscription->update_user_option( $option_name, $user->get_user_option( $option_name ) ); 
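Review bot: The new `convert_from_user` query passes `$wpdb->term_relationships` and `$wpdb->term_taxonomy` to `$wpdb->prepare()` through `%s` placeholders, but prepare wraps every `%s` value in single quotes, so the statement becomes `UPDATE 'wp_term_relationships' JOIN 'wp_term_taxonomy' ON 'wp_term_relationships'.term_taxonomy_id ...` — string literals where identifiers are required — and the UPDATE fails (constructed example; the exact prefix depends on the install). Every other hunk in this patch substitutes table names with `sprintf` and escapes the prepare placeholders as `%%d`/`%%s`; this hunk and the matching `convert_to_user` hunk should do the same, and the WordPress 6.2+ `%i` identifier placeholder is an alternative if the plugin's minimum version allows it.
```php
$wpdb->query( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
	$wpdb->prepare(
		sprintf(
			'UPDATE %1$s
			JOIN %2$s
			ON %1$s.term_taxonomy_id = %2$s.term_taxonomy_id
			SET object_id = %%d
			WHERE object_id = %%d
			AND %2$s.taxonomy = %%s',
			$wpdb->term_relationships,
			$wpdb->term_taxonomy
		),
		$subscription->get_term_id(),
		$user->ID,
		User_Feed::TAXONOMY
	)
);
// … unchanged: MIGRATE_USER_OPTIONS loop …
```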
@@ -521,11 +575,24 @@ public static function convert_to_user( Subscription $subscription ) { global $wpdb; // Convert feeds. - // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:disable WordPress.DB.DirectDatabaseQuery.NoCaching - $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->term_relationships JOIN $wpdb->term_taxonomy ON $wpdb->term_relationships.term_taxonomy_id = $wpdb->term_taxonomy.term_taxonomy_id SET object_id = %d WHERE object_id = %d AND $wpdb->term_taxonomy.taxonomy = %s", $user->ID, $subscription->get_term_id(), User_Feed::TAXONOMY ) ); - // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:enable WordPress.DB.DirectDatabaseQuery.NoCaching + $wpdb->query( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching + $wpdb->prepare( + 'UPDATE %s + JOIN %s + ON %s.term_taxonomy_id = %s.term_taxonomy_id + SET object_id = %d + WHERE object_id = %d + AND %s.taxonomy = %s', + $wpdb->term_relationships, + $wpdb->term_taxonomy, + $wpdb->term_relationships, + $wpdb->term_taxonomy, + $user->ID, + $subscription->get_term_id(), + $wpdb->term_taxonomy, + User_Feed::TAXONOMY + ) + ); foreach ( self::MIGRATE_USER_OPTIONS as $option_name ) { $user->update_user_option( $option_name, $subscription->get_user_option( $option_name ) ); diff --git a/includes/class-user.php b/includes/class-user.php index cd2a9082..d4cfeca6 100644 --- a/includes/class-user.php +++ b/includes/class-user.php 
@@ -715,22 +715,29 @@ public function get_post_in_trash_count() { global $wpdb; $post_types = apply_filters( 'friends_frontend_post_types', array() ); - $cache_key = 'get_post_in_trash_count_' . $this->get_term_id() . '_' . $post_types; + $cache_key = 'get_post_in_trash_count_' . $this->get_term_id() . '_' . implode( '_', $post_types ); if ( false !== wp_cache_get( $cache_key, 'friends' ) ) { return wp_cache_get( $cache_key, 'friends' ); } - // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared - $count = $wpdb->get_var( + + $count = $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery $wpdb->prepare( - "SELECT COUNT(*) FROM $wpdb->posts WHERE post_type IN ( " . implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) . ' ) AND post_status = "trash" AND post_author = %d', - array_merge( $post_types, array( $this->ID ) ) + sprintf( + 'SELECT COUNT(*) + FROM %s + WHERE post_author = %%d + AND post_type IN ( %s ) + AND post_status = "trash"', + $wpdb->posts, + implode( ',', array_fill( 0, count( $post_types ), '%s' ) ) + ), + array_merge( + array( $this->ID ), + $post_types + ) ) ); - // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared - wp_cache_set( $cache_key, intval( $count ), 'friends', HOUR_IN_SECONDS - 60 ); return intval( $count ); } 
@@ -764,21 +771,19 @@ public function get_post_count_by_post_format() { global $wpdb; $counts = array(); - // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery - $counts['standard'] = $wpdb->get_var( + $counts['standard'] = $wpdb->get_var(// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery $wpdb->prepare( sprintf( "SELECT COUNT(DISTINCT posts.ID) FROM %s AS posts JOIN %s AS relationships_post_format - WHERE posts.post_author = %s + WHERE posts.post_author = %%d AND posts.post_status IN ( 'publish', 'private' ) AND posts.post_type IN ( %s ) AND relationships_post_format.object_id = posts.ID", $wpdb->posts, $wpdb->term_relationships, - '%d', implode( ',', array_fill( 0, count( $post_types ), '%s' ) ) ), array_merge( @@ -789,14 +794,14 @@ public function get_post_count_by_post_format() { ); if ( ! empty( $post_formats_term_ids ) ) { - $post_format_counts = $wpdb->get_results( + $post_format_counts = $wpdb->get_results( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery $wpdb->prepare( sprintf( "SELECT relationships_post_format.term_taxonomy_id AS post_format_id, COUNT(relationships_post_format.term_taxonomy_id) AS count FROM %s AS posts JOIN %s AS relationships_post_format - WHERE posts.post_author = %s + WHERE posts.post_author = %%d AND posts.post_status IN ( 'publish', 'private' ) AND posts.post_type IN ( %s ) AND relationships_post_format.object_id = posts.ID @@ -804,7 +809,6 @@ public function get_post_count_by_post_format() { GROUP BY relationships_post_format.term_taxonomy_id", $wpdb->posts, $wpdb->term_relationships, - '%d', implode( ',', array_fill( 0, count( $post_types ), '%s' ) ), implode( ',', array_fill( 0, count( $post_formats_term_ids ), '%d' ) ) ), @@ -815,7 +819,6 @@ public function get_post_count_by_post_format() { ) ) ); - // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery foreach ( $post_format_counts as $row ) { $counts[ $post_formats_term_ids[ $row->post_format_id ] ] = $row->count; 
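Review bot: `$wpdb->get_var(// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery` on the first new line of the `get_post_count_by_post_format` hunk lacks the space before the comment that every other `// phpcs:ignore` in this series has; write it as `$wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery` so the inline-comment sniff does not flag it and the file stays consistent. The function body continues outside the hunk.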
@@ -843,10 +846,10 @@ public function get_post_stats() { return $post_stats; } $post_types = apply_filters( 'friends_frontend_post_types', array() ); - // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery - $post_stats = $wpdb->get_row( + $post_stats = $wpdb->get_row( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery $wpdb->prepare( - 'SELECT SUM( + sprintf( + 'SELECT SUM( LENGTH( ID ) + LENGTH( post_author ) + LENGTH( post_date ) + @@ -872,21 +875,27 @@ public function get_post_stats() { LENGTH( comment_count ) ) AS total_size, COUNT(*) as post_count - FROM ' . $wpdb->posts . ' WHERE post_author = %d AND post_type IN ( ' . implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) . ' )', + FROM %s WHERE post_author = %%d AND post_type IN ( %s )', + $wpdb->posts, + implode( ',', array_fill( 0, count( $post_types ), '%s' ) ) + ), array_merge( array( $this->ID ), $post_types ) ), ARRAY_A ); $post_stats['earliest_post_date'] = mysql2date( 'U', - $wpdb->get_var( + $wpdb->get_var( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery $wpdb->prepare( - "SELECT MIN(post_date) FROM $wpdb->posts WHERE post_author = %d AND post_status = 'publish' AND post_type IN ( " . implode( ', ', array_fill( 0, count( $post_types ), '%s' ) ) . ' )', + sprintf( + 'SELECT MIN(post_date) FROM %s WHERE post_author = %%d AND post_status = "publish" AND post_type IN ( %s )', + $wpdb->posts, + implode( ',', array_fill( 0, count( $post_types ), '%s' ) ) + ), array_merge( array( $this->ID ), $post_types ) ) ) ); - // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery wp_cache_set( $cache_key, $post_stats, 'friends', HOUR_IN_SECONDS ); return $post_stats; 
@@ -894,18 +903,27 @@ public function get_post_stats() { public function get_all_post_ids() { global $wpdb; - $post_types_to_delete = implode( "', '", apply_filters( 'friends_frontend_post_types', array() ) ); + $post_types = apply_filters( 'friends_frontend_post_types', array() ); - $cache_key = 'get_all_post_ids_' . $this->ID . '_' . $post_types_to_delete; + $cache_key = 'get_all_post_ids_' . $this->ID . '_' . implode( '_', $post_types ); $post_ids = wp_cache_get( $cache_key, 'friends' ); if ( false !== $post_ids ) { return $post_ids; } - // phpcs:disable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:disable WordPress.DB.PreparedSQL.InterpolatedNotPrepared - $post_ids = $wpdb->get_col( $wpdb->prepare( "SELECT ID FROM $wpdb->posts WHERE post_author = %d AND post_type IN ('$post_types_to_delete')", $this->ID ) ); // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared - // phpcs:enable WordPress.DB.DirectDatabaseQuery.DirectQuery - // phpcs:enable WordPress.DB.PreparedSQL.InterpolatedNotPrepared + + $post_ids = $wpdb->get_col( // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery + $wpdb->prepare( + sprintf( + 'SELECT ID FROM %s WHERE post_author = %%d AND post_type IN ( %s )', + $wpdb->posts, + implode( ',', array_fill( 0, count( $post_types ), '%s' ) ) + ), + array_merge( + array( $this->ID ), + $post_types + ) + ) + ); wp_cache_set( $cache_key, $post_ids, 'friends', HOUR_IN_SECONDS - 60 ); return $post_ids; From 1cf366e4d3120ee6692e097b01aa6f22791a9f0e Mon Sep 17 00:00:00 2001 From: Alex Kirk Date: Sat, 22 Jun 2024 12:11:37 +0200 Subject: [PATCH 3/6] Stronger condition --- includes/class-user.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/class-user.php b/includes/class-user.php index d4cfeca6..89984021 100644 --- a/includes/class-user.php +++ b/includes/class-user.php 
@@ -1168,7 +1168,7 @@ public function get_role_name( $group_subscriptions = false, $count = 1 ) { $name = apply_filters( 'friend_user_role_name', false, $this ); - if ( ! $name ) { + if ( empty( $name ) ) { $name = _x( 'Unknown', 'User role', 'friends' ); } From 540a85a64a6060c37dc4188b350708c4c78d6ebe Mon Sep 17 00:00:00 2001 From: Alex Kirk Date: Sat, 22 Jun 2024 12:18:57 +0200 Subject: [PATCH 4/6] Re-add phpcs:ignore --- feed-parsers/class-feed-parser-activitypub.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/feed-parsers/class-feed-parser-activitypub.php b/feed-parsers/class-feed-parser-activitypub.php index 40fefcb5..3d3306a6 100644 --- a/feed-parsers/class-feed-parser-activitypub.php +++ b/feed-parsers/class-feed-parser-activitypub.php @@ -1452,8 +1452,9 @@ public function cache_reply_to_boost() { $url = false; $append_to_redirect = ''; - $in_reply_to = filter_input( INPUT_GET, 'in_reply_to', FILTER_SANITIZE_URL ); - $boost = filter_input( INPUT_GET, 'boost', FILTER_SANITIZE_URL ); + // The ignores are not necessary now but when https://github.com/WordPress/WordPress-Coding-Standards/issues/2299 comes into effect. + $in_reply_to = filter_input( INPUT_GET, 'in_reply_to', FILTER_SANITIZE_URL ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended + $boost = filter_input( INPUT_GET, 'boost', FILTER_SANITIZE_URL ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended if ( $in_reply_to ) { $url = $in_reply_to; $append_to_redirect .= '#comment'; From 0740ea39192c0ed2f6dbbd3103df1b8c2a8bb38e Mon Sep 17 00:00:00 2001 From: Alex Kirk Date: Sat, 22 Jun 2024 12:20:38 +0200 Subject: [PATCH 5/6] Re-add phpcs:ignore --- includes/class-access-control.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/class-access-control.php b/includes/class-access-control.php index 2ad0ff79..8781298c 100644 --- a/includes/class-access-control.php +++ b/includes/class-access-control.php 
@@ -86,7 +86,7 @@ public function get_authenticated_feed_user() { * @return bool The authentication status of the feed. */ public static function private_rss_is_authenticated() { - if ( filter_input( INPUT_GET, 'auth' ) === get_option( 'friends_private_rss_key' ) ) { + if ( filter_input( INPUT_GET, 'auth' ) === get_option( 'friends_private_rss_key' ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended return true; } From 37f8a989f9bd2379c2f79c664df0216f3c9ef4f0 Mon Sep 17 00:00:00 2001 From: Alex Kirk Date: Sat, 22 Jun 2024 12:22:33 +0200 Subject: [PATCH 6/6] Add missing cache time --- includes/class-automatic-status-list-table.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/includes/class-automatic-status-list-table.php b/includes/class-automatic-status-list-table.php index 06c31d01..28bb2669 100644 --- a/includes/class-automatic-status-list-table.php +++ b/includes/class-automatic-status-list-table.php @@ -106,7 +106,7 @@ protected function get_post_status_counts( $post_type ) { $counts[ $row->post_status ] = $row->count; } $counts = (object) $counts; - wp_cache_set( $cache_key, $counts, 'friends' ); + wp_cache_set( $cache_key, $counts, 'friends', HOUR_IN_SECONDS ); return $counts; }