refactor: improve SQL query preparation in get_all_for_export

[guibranco]

📑 Description

Modify the get_all_for_export function to always use $wpdb->prepare for SQL query preparation, improving consistency and reducing the risk of SQL injection. Previously, the function used a conditional approach where $wpdb->prepare would not be called if no $values were present. This change ensures that query preparation is uniform, which enhances security and maintains best practices in database interaction.

✅ Checks

• My pull request adheres to the code style of this project
• My code requires changes to the documentation
• I have updated the documentation as required
• All the tests have passed

☢️ Does this introduce a breaking change?

• Yes
• No

---

Summary by Sourcery

Enhancements:

• Ensure get_all_for_export consistently uses $wpdb->prepare regardless of whether placeholder values are provided, improving security and alignment with WordPress best practices.

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Refactors get_all_for_export to always use $wpdb->prepare for building the SQL query before execution, ensuring consistent prepared-statement usage regardless of whether there are bound values.

Sequence diagram for updated get_all_for_export query preparation

sequenceDiagram
    participant Caller
    participant Sva_DB as Sva_DB
    participant wpdb as wpdb

    Caller->>Sva_DB: get_all_for_export(args)
    Sva_DB->>Sva_DB: build $sql, $values
    alt values present
        Sva_DB->>wpdb: prepare(sql, values...)
        wpdb-->>Sva_DB: prepared
    else no values
        Sva_DB->>wpdb: prepare(sql)
        wpdb-->>Sva_DB: prepared
    end
    Sva_DB->>wpdb: get_results(prepared, ARRAY_A)
    wpdb-->>Sva_DB: rows
    Sva_DB-->>Caller: rows[]

Loading

File-Level Changes

Change	Details	Files
Standardize SQL preparation in get_all_for_export to always go through $wpdb->prepare before executing the query.	Replace conditional branch that sometimes executed the raw SQL with an unconditional preparation step that always calls $wpdb->prepare. Introduce a $prepared variable that holds the prepared SQL string, using a ternary to handle the presence or absence of $values. Update the $wpdb->get_results call to always use the prepared SQL, simplifying the control flow and keeping the return handling unchanged. Adjust phpcs ignore annotations to match the new call pattern and remove now-unnecessary suppression codes.	includes/class-sva-db.php

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

Warning

Review limit reached

@guibranco, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 11 minutes and 17 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: acfc7f46-9958-4a57-be6c-0d17bd103493

📥 Commits

Reviewing files that changed from the base of the PR and between f72187d and 9f2cecd.

📒 Files selected for processing (1)

• includes/class-sva-db.php

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/fix-warning

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

Hey - I've found 1 issue, and left some high level feedback:

• Calling $wpdb->prepare( $sql ) when there are no placeholders or values does not add any safety and may be misleading; consider either keeping the direct $wpdb->get_results( $sql, ARRAY_A ) path or refactoring the query to actually use placeholders for all dynamic parts.
• Since $table, $orderby, $order, and $where_sql are still interpolated directly into $sql, this refactor doesn't materially change the SQL injection surface; if the goal is improved safety, consider moving those interpolated pieces into prepared placeholders where possible.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- Calling `$wpdb->prepare( $sql )` when there are no placeholders or values does not add any safety and may be misleading; consider either keeping the direct `$wpdb->get_results( $sql, ARRAY_A )` path or refactoring the query to actually use placeholders for all dynamic parts.
- Since `$table`, `$orderby`, `$order`, and `$where_sql` are still interpolated directly into `$sql`, this refactor doesn't materially change the SQL injection surface; if the goal is improved safety, consider moving those interpolated pieces into prepared placeholders where possible.

## Individual Comments

### Comment 1
<location path="includes/class-sva-db.php" line_range="396-398" />
<code_context>
-		} else {
-			$rows = $wpdb->get_results( $sql, ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching,WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.PreparedSQL.InterpolatedNotPrepared
-		}
+		$prepared = $values
+			? $wpdb->prepare( $sql, ...$values ) // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+			: $wpdb->prepare( $sql ); // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
+		$rows = $wpdb->get_results( $prepared, ARRAY_A ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery,WordPress.DB.DirectDatabaseQuery.NoCaching

</code_context>
<issue_to_address>
**issue (bug_risk):** Calling `$wpdb->prepare( $sql )` with no placeholders/args can trigger `_doing_it_wrong()` and is unnecessary work.

This new `: $wpdb->prepare( $sql )` branch changes behavior from the previous version, which passed raw `$sql` when `$values` was empty. In WordPress, calling `prepare()` with only `$query` will:

- Trigger `_doing_it_wrong()` if the query contains any `%` (including in `LIKE '%foo%'` or column names), where previously there was no notice.
- Otherwise just return the query unchanged, adding overhead without added safety when there are no placeholders.

To preserve existing behavior and avoid `_doing_it_wrong()` while still centralizing `get_results()`, consider keeping `prepare()` conditional on `$values` being non-empty:

```php
$prepared = $values
    ? $wpdb->prepare( $sql, ...$values ) // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared
    : $sql; // phpcs:ignore WordPress.DB.PreparedSQL.NotPrepared,WordPress.DB.PreparedSQL.InterpolatedNotPrepared
```
</issue_to_address>

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[github-actions]

🔍 WordPress Plugin Check Report

⚠️ Status: Passed with warnings

📊 Report

🎯 Total Issues	❌ Errors	⚠️ Warnings
2	0	2

---

⚠️ Warnings (2)

📁 includes/class-sva-db.php (2 warnings)

📍 Line	🔖 Check	💬 Message
397	PluginCheck.Security.DirectDB.UnescapedDBParameter	Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 394.
399	PluginCheck.Security.DirectDB.UnescapedDBParameter	Unescaped parameter $sql used in $wpdb->get_results()\n$sql assigned unsafely at line 394.

---

🤖 Generated by WordPress Plugin Check Action • Learn more about Plugin Check

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud