
Commit c291c6b

committed
Verify and whitelist SQL escaping
1 parent fce17b2 commit c291c6b


1 file changed

+14
-1
lines changed

1 file changed

+14
-1
lines changed

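--- a/src/Search_Replace_Command.php
+++ b/src/Search_Replace_Command.php
@@ -321,6 +321,7 @@ public function __invoke( $args, $assoc_args ) {
 
 if ( $this->export_handle ) {
 fwrite( $this->export_handle, "\nDROP TABLE IF EXISTS $table_sql;\n" );
+// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
 $row = $wpdb->get_row( "SHOW CREATE TABLE $table_sql", ARRAY_N );
 fwrite( $this->export_handle, $row[1] . ";\n" );
 list( $table_report, $total_rows ) = $this->php_export_table( $table, $old, $new );
@@ -367,6 +368,7 @@ public function __invoke( $args, $assoc_args ) {
 if ( ! $php_only && ! $this->regex ) {
 $col_sql = self::esc_sql_ident( $col );
 $wpdb->last_error = '';
+// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
 $serial_row = $wpdb->get_row( "SELECT * FROM $table_sql WHERE $col_sql REGEXP '^[aiO]:[1-9]' LIMIT 1" );
 // When the regex triggers an error, we should fall back to PHP
 if ( false !== strpos( $wpdb->last_error, 'ERROR 1139' ) ) {
@@ -492,12 +494,14 @@ private function sql_handle_col( $col, $primary_keys, $table, $old, $new ) {
 if ( $this->log_handle ) {
 $count = $this->log_sql_diff( $col, $primary_keys, $table, $old, $new );
 } else {
+// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
 $count = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT($col_sql) FROM $table_sql WHERE $col_sql LIKE BINARY %s;", '%' . self::esc_like( $old ) . '%' ) );
 }
 } else {
 if ( $this->log_handle ) {
 $this->log_sql_diff( $col, $primary_keys, $table, $old, $new );
 }
+// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
 $count = $wpdb->query( $wpdb->prepare( "UPDATE $table_sql SET $col_sql = REPLACE($col_sql, %s, %s);", $old, $new ) );
 }
 
@@ -518,6 +522,7 @@ private function php_handle_col( $col, $primary_keys, $table, $old, $new ) {
 $col_sql = self::esc_sql_ident( $col );
 $where = $this->regex ? '' : " WHERE $col_sql" . $wpdb->prepare( ' LIKE BINARY %s', '%' . self::esc_like( $old ) . '%' );
 $primary_keys_sql = implode( ',', self::esc_sql_ident( $primary_keys ) );
+// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
 $rows = $wpdb->get_results( "SELECT {$primary_keys_sql} FROM {$table_sql} {$where}" );
 foreach ( $rows as $keys ) {
 $where_sql = '';
@@ -527,6 +532,7 @@ private function php_handle_col( $col, $primary_keys, $table, $old, $new ) {
 }
 $where_sql .= self::esc_sql_ident( $k ) . ' = ' . self::esc_sql_value( $v );
 }
+// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
 $col_value = $wpdb->get_var( "SELECT {$col_sql} FROM {$table_sql} WHERE {$where_sql}" );
 if ( '' === $col_value ) {
 continue;
@@ -611,9 +617,11 @@ private function write_sql_row_fields( $table, $rows ) {
 
 if ( method_exists( $wpdb, 'remove_placeholder_escape' ) ) {
 // since 4.8.3
+// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- verified inputs above
 $sql = $wpdb->remove_placeholder_escape( $wpdb->prepare( $sql, array_values( $values ) ) );
 } else {
 // 4.8.2 or less
+// phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared -- verified inputs above
 $sql = $wpdb->prepare( $sql, array_values( $values ) );
 }
 
@@ -640,6 +648,7 @@ private static function get_columns( $table ) {
 $text_columns = array();
 $all_columns = array();
 $suppress_errors = $wpdb->suppress_errors();
+// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
 $results = $wpdb->get_results( "DESCRIBE $table_sql" );
 if ( ! empty( $results ) ) {
 foreach ( $results as $col ) {
@@ -777,7 +786,11 @@ private function log_sql_diff( $col, $primary_keys, $table, $old, $new ) {
 $primary_keys_sql = '';
 }
 
-$results = $wpdb->get_results( $wpdb->prepare( "SELECT {$primary_keys_sql}`$col` FROM `$table` WHERE `$col` LIKE BINARY %s", '%' . self::esc_like( $old ) . '%' ), ARRAY_N );
+$table_sql = self::esc_sql_ident( $table );
+$col_sql = self::esc_sql_ident( $col );
+
+// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- escaped through self::esc_sql_ident
+$results = $wpdb->get_results( $wpdb->prepare( "SELECT {$primary_keys_sql}{$col_sql} FROM {$table_sql} WHERE {$col_sql} LIKE BINARY %s", '%' . self::esc_like( $old ) . '%' ), ARRAY_N );
 if ( empty( $results ) ) {
 return 0;
 }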
